[33150] in Kerberos
Two host, virt-manager, kerberos
daemon@ATHENA.MIT.EDU (Thomas Schweikle)
Wed Jan 26 22:36:03 2011
From: Thomas Schweikle <tps@vr-web.de>
Date: Wed, 26 Jan 2011 23:09:58 +0100
Message-ID: <8qbkdnFie6U1@mid.individual.net>
To: kerberos@mit.edu
Hi!
Some mysterious problem:
Host1 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
Host2 /etc/sasl2/libvirt.conf
listen_tls = 0
listen_tcp = 1
mdns_adv = 0
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "sasl"
Host1 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db
Host2 /etc/sasl2/libvirt.conf
mech_list: gssapi
keytab: /etc/libvirt/krb5.kqemu
sasldb_path: /etc/libvirt/passwd.db
Since libvirtd ignores the keytab-setting in
/etc/sasl2/libvirtd.conf there is an environment variable set:
KRB5_KTNAME=/etc/libvirt/krb5.kqemu
This again on both hosts. libvirtd must be started with "--listen"
to make it respect the settings in /etc/libvirt/libvirt.conf. This
is done on both hosts too.
Both hosts are known in DNS, and names resolve to the given addresses
just as addresses resolve to the given hostnames. Now I get a ticket for my
user (kinit username) and start virt-manager. All OK.
Hosts are defined within virt-manager config with
qemu+tcp://srv1.example.com
qemu+tcp://srv2.example.com
For both of them a principal exists:
libvirt/srv1.example.com@EXAMPLE.COM
libvirt/srv2.example.com@EXAMPLE.COM
OK. Let's connect to host 1:
Asks for password!!
Now to host 2:
all OK logged in without any further question.
Any idea why this works on one host, but not on the other? I can,
on both hosts, log in with "ssh -K -X -l username srv?.example.com"
with no problem at all. Only libvirtd allows it on one host; on the other
it does not.
--
Thomas
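One check that fits the setup described in the message: derive the libvirt/<fqdn>@REALM principal from each qemu+tcp URI and confirm the host's keytab lists it. This is an added example, not part of the original post; the function names and the two sample `klist -k` listings are constructed for illustration and do not come from either host.

```shell
#!/bin/sh
REALM="EXAMPLE.COM"   # realm used in the message

# qemu+tcp://[user@]host[:port][/path] -> libvirt/host@REALM
expected_principal() {
    host=${1#*://}      # drop scheme
    host=${host%%/*}    # drop path
    host=${host##*@}    # drop user@ if present
    host=${host%%:*}    # drop :port if present
    printf 'libvirt/%s@%s\n' "$host" "$REALM"
}

# Reads plain `klist -k <keytab>` output on stdin. Entry lines have the
# form "<kvno> <principal>"; header lines are skipped by the numeric test.
keytab_has_principal() {
    awk -v want="$1" \
        '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { exit !found }'
}

# usage: klist -k /etc/libvirt/krb5.kqemu | check_host qemu+tcp://srv1.example.com
check_host() {
    want=$(expected_principal "$1")
    if keytab_has_principal "$want"; then
        echo "OK       $want"
    else
        echo "MISSING  $want"
    fi
}

# Constructed listing: entry matches the FQDN used in the URI.
sample_keytab_ok() {
cat <<'EOF'
Keytab name: FILE:/etc/libvirt/krb5.kqemu
KVNO Principal
---- --------------------------------------------------------------------------
   3 libvirt/srv2.example.com@EXAMPLE.COM
EOF
}

# Constructed failure case: only a short-name and a host/ entry are present.
sample_keytab_short() {
cat <<'EOF'
Keytab name: FILE:/etc/libvirt/krb5.kqemu
KVNO Principal
---- --------------------------------------------------------------------------
   3 libvirt/srv1@EXAMPLE.COM
   2 host/srv1.example.com@EXAMPLE.COM
EOF
}

sample_keytab_ok    | check_host qemu+tcp://srv2.example.com
sample_keytab_short | check_host qemu+tcp://srv1.example.com
```

Run the real check as the user libvirtd runs as, so that a keytab that cannot be read by that user shows up as a klist error rather than a missing entry.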