Two host, virt-manager, kerberos
Thomas Schweikle
tps@vr-web.de
Wed Jan 26 17:09:58 EST 2011
Hi!
Some mysterious problem:
Host1 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
Host2 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
Host1 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db
Host2 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db
Since libvirtd ignores the keytab setting in
/etc/sasl2/libvirtd.conf, there is an environment variable set:
KRB5_KTNAME=/etc/libvirt/krb5.kqemu
This again on both hosts. libvirtd must be started with "--listen"
to make it respect the settings in /etc/libvirt/libvirt.conf. This
is done on both hosts too.
Both hosts are known in DNS: names resolve to the given addresses,
and addresses resolve to the given hostnames. Now I get a ticket for my
user (kinit username) and start virt-manager. All OK.
Hosts are defined within virt-manager config with
qemu+tcp://srv1.example.com
qemu+tcp://srv2.example.com
for both of them exists a principal:
libvirt/srv1.example.com@EXAMPLE.COM
libvirt/srv2.example.com@EXAMPLE.COM
OK. Let's connect to host 1:
Asks for password!!
Now to host 2:
all OK logged in without any further question.
Any idea why this works on one host but not on the other? I can,
on both hosts, log in with "ssh -K -X -l username srv?.example.com"
with no problem at all. Only libvirtd allows it on one host; on the other
it does not.
--
Thomas
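The mail above lists the libvirtd and SASL settings and the two service principals, but not how to confirm on each host that libvirtd can actually use its key. The script below is an added example, not part of the original mail and not libvirt's own tooling. It assumes the keytab path and principal form given in the post (/etc/libvirt/krb5.kqemu, libvirt/<fqdn>@EXAMPLE.COM) and that `klist -k` prints its usual "KVNO Principal" table. The two keytab listings and the environment blob it runs against are constructed for illustration; the "bad" listing, keyed for a short host name, is a hypothetical failure case, not a claim about what is wrong on srv1.

```sh
#!/bin/sh
# Added diagnostic for the setup described in the post; not from the mail
# or from libvirt. Assumptions: keytab at /etc/libvirt/krb5.kqemu, service
# principals of the form libvirt/<fqdn>@EXAMPLE.COM, and `klist -k`
# printing its usual "KVNO Principal" table.

# Extract principal names from `klist -k` output on stdin.
# Data lines start with a numeric KVNO; the header and ruler lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Exit 0 if the listing on stdin contains exactly libvirt/<fqdn>@<realm>.
# A key issued for a short name or another FQDN does not count: the
# client asks for the name it connected to, so GSSAPI fails server-side.
has_libvirt_principal() {
    fqdn=$1
    realm=$2
    keytab_principals | grep -qxF "libvirt/${fqdn}@${realm}"
}

# Read a NUL-separated environment (the format of /proc/<pid>/environ) on
# stdin and print the value of KRB5_KTNAME; exit 1 if it is not set.
ktname_from_environ() {
    tr '\000' '\n' | sed -n 's/^KRB5_KTNAME=//p' | grep .
}

# Print a one-line verdict for the keytab listing on stdin.
report() {
    label=$1
    fqdn=$2
    realm=$3
    if has_libvirt_principal "$fqdn" "$realm"; then
        echo "$label: keytab has libvirt/$fqdn@$realm"
    else
        echo "$label: keytab is MISSING libvirt/$fqdn@$realm"
    fi
}

# For a real host (not executed here): check the live keytab, the
# environment of the running libvirtd, and the DNS round trip the post
# relies on. Needs klist, pidof and getent on the host.
live_checks() {
    fqdn=$(hostname -f)
    klist -k /etc/libvirt/krb5.kqemu | report "$fqdn" "$fqdn" EXAMPLE.COM
    ktname_from_environ < "/proc/$(pidof libvirtd | awk '{ print $1 }')/environ" \
        || echo "libvirtd does not see KRB5_KTNAME"
    addr=$(getent hosts "$fqdn" | awk '{ print $1 }')
    back=$(getent hosts "$addr" | awk '{ print $2 }')
    [ "$back" = "$fqdn" ] || echo "reverse lookup of $addr gives $back, not $fqdn"
}

# Constructed sample listings (not captured from the hosts in the post).
GOOD_KLIST='Keytab name: FILE:/etc/libvirt/krb5.kqemu
KVNO Principal
---- --------------------------------------------------------------------------
   2 libvirt/srv1.example.com@EXAMPLE.COM'

# Hypothetical failing case: the key was issued for the short host name.
BAD_KLIST='Keytab name: FILE:/etc/libvirt/krb5.kqemu
KVNO Principal
---- --------------------------------------------------------------------------
   2 libvirt/srv1@EXAMPLE.COM'

printf '%s\n' "$GOOD_KLIST" | report good srv1.example.com EXAMPLE.COM
printf '%s\n' "$BAD_KLIST"  | report bad  srv1.example.com EXAMPLE.COM
```

On a live host, `live_checks` (or its pieces run by hand) answers the three questions that separate the two hosts: whether the keytab holds the key for the exact name the client connects to, whether the running daemon sees KRB5_KTNAME at all (a variable exported in an interactive shell is not inherited by a libvirtd started from an init script, so it must be set in the daemon's own environment), and whether forward and reverse DNS agree for that name. Which of these applies to srv1 the post does not say.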