Two host, virt-manager, kerberos

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Two host, virt-manager, kerberos

tps (Bugzilla)
Hi!

Some mysterious problem:




Some mysterious problem:

Host1 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"

Host2 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"

Host1 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db

Host2 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db

Since libvirtd ignores the keytab-setting in
/etc/sasl2/libvirtd.conf there is an environment variable set:
KRB5_KTNAME=/etc/libvirt/krb5.kqemu
This again on both hosts. libvirtd must be started with "--listen"
to make ist respect the settings in /etc/libvirt/libvirt.conf. This
is done on both hosts too.

Both hosts are in known in dns and names resolve to given addresses
as addresses resolv to given hostnames. Now I get a ticket for my
user (kinit username) and start virt-manager. All OK

Hosts are defined within virt-manager config with
qemu+tcp://srv1.example.com
qemu+tcp://srv2.example.com

for both of them exists a principal:
libvirt/[hidden email]
libvirt/[hidden email]

OK. Let's connect to host 1:
Asks for password!!

Now to host 2:
all OK logged in without any further question.

Any idea, why this works on one host, but not on the other? I can,
on both hosts, log in with "ssh -K -X -l username srv?.example.com"
no problem at all. Only libvirtd allows it on one host, on the other
it does not.


--
Thomas
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos