On Sat, 2015-09-05 at 14:34 +0200, Marin Bernard wrote:
> Hi again,
>
> I finally got it working. It appears VNC looks for a file named
> 'spice.conf' in '/etc/sasl2'. On CentOS 7.2, symlinking
> '/etc/sasl2/spice.conf' to '/etc/sasl2/qemu-kvm.conf' is enough:
>
> $ ls -l /etc/sasl2
> total 12
> -rw-r--r--. 1 root root 1278 30 août  15:50 libvirt.conf
> -rw-r--r--. 1 root root 1291  5 sept. 14:12 qemu-kvm.conf
> -rw-r--r--. 1 root root   49 10 juin   2014 smtpd.conf
> lrwxrwxrwx. 1 root root   13  5 sept. 14:15 spice.conf -> qemu-kvm.conf
>
> Of course, a 'vnc.conf' symlink won't work. It has to be named
> 'spice.conf' even if you don't use Spice.
>
> I think this should be documented somewhere. The freeipa.org VNC howto
> seems like a good place to mention it.

It would be nice if you could log into the wiki and add a note.
If you have issues with that, just send me a pvt email with the text
you'd add and I'll make the change.

Thanks,
Simo.

> Thanks to Brendan and Rich for helping me to find this out.
>
> Marin.
>
> On Saturday, 05 September 2015 at 11:47 +0200, Marin Bernard wrote:
> > Hi,
> >
> > Thanks a lot for answering me.
> >
> > On Tuesday, 01 September 2015 at 09:30 -0400, Brendan Kearney wrote:
> > > On 08/30/2015 12:49 PM, Marin Bernard wrote:
> > > > Hi,
> > > >
> > > > I followed the instructions from freeipa.org (
> > > > https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make
> > > > libvirt and VNC use GSSAPI authentication with FreeIPA. The libvirt
> > > > part works fine: I'm able to SSO the KVM host using TCP + SASL.
> > > > However, I'm unable to get a VNC connection to any guest: both
> > > > virt-manager and virt-viewer fail. The former speaks about a
> > > > "closed or refused connection", and the latter just closes.
> > > >
> > > > On the KVM host, each VNC login attempt adds the following record
> > > > to the systemd journal:
> > > >
> > > > qemu-kvm[3202]: GSSAPI server step 1
> > > >
> > > > On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
> > > > correct to me:
> > > >
> > > > # ps -aux | grep qemu-kvm
> > > > <snip> -vnc 0.0.0.0:0,sasl <snip>
> > > >
> > > > QEMU may read the VNC keytab:
> > > >
> > > > $ ls -l /etc/qemu/
> > > > total 4
> > > > -rw-------. 1 qemu root 458 30 août 15:48 krb5.tab
> > > >
> > > > Contents of /etc/sasl2/qemu-kvm.conf (comments removed):
> > > >
> > > > mech_list: gssapi
> > > > keytab: /etc/qemu/krb5.tab
> > > >
> > > > The client seems to grab correct tickets:
> > > >
> > > > $ klist
> > > > Ticket cache: KEYRING:persistent:1215400001:krb_ccache_jjD9A46
> > > > Default principal: ma...@cloud.olivarim.com
> > > >
> > > > Valid starting       Expires              Service principal
> > > > 30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com
> > > > 30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com
> > > >
> > > > KVM host is CentOS 7.2, up to date.
> > > >
> > > > FreeIPA server is CentOS 7.2, up to date, with FreeIPA 4.1.0 rev.
> > > > 18.el7.centos.4
> > > >
> > > > Client is Fedora 22, up to date.
> > > >
> > > > I tried to disable both the firewall and SELinux but it did not
> > > > change anything.
> > > >
> > > > Do you have any clues?
> > > >
> > > > Thanks!
> > > >
> > > > Marin.
> > > >
> > > my /etc/sasl2/qemu.conf (note the different file name, may be
> > > relevant*):
> >
> > I had already tried to rename the file to 'qemu.conf', but it didn't
> > make any difference. Note that on CentOS 7.2, the file is named
> > 'qemu-kvm.conf' by default.
> >
> > > mech_list: gssapi
> > > keytab: /etc/qemu/qemu.keytab
> > > sasldb_path: /etc/qemu/passwd.db
> > > auxprop_plugin: sasldb
> >
> > My '/etc/sasl2/qemu.conf' file has the same content as yours, except
> > my keytab is named 'krb5.conf'.
> >
> > > my /etc/sasl2/libvirt.conf:
> > >
> > > mech_list: gssapi
> > > keytab: /etc/libvirt/libvirt.keytab
> >
> > Libvirt GSSAPI works fine for me. My '/etc/sasl2/libvirt.conf' has
> > the same config as yours, except for the keytab name.
> >
> > > my /etc/qemu/qemu.keytab file has the principal used/needed for VNC
> > > (vnc/host.domain.tld@REALM). you can check yours with "klist -Kket
> > > /path/to/qemu.keytab"
> >
> > Done. Keytab is valid:
> >
> > $ sudo klist -Kket qemu/krb5.tab
> > Keytab name: FILE:qemu.keytab
> > KVNO Timestamp           Principal
> > ---- ------------------- ----------------------------------------------------
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (aes256-cts-hmac-sha1-96)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (aes128-cts-hmac-sha1-96)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (des3-cbc-sha1)
> >    3 30/08/2015 18:12:20 vnc/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (arcfour-hmac)
> >
> > > my /etc/libvirt/libvirt.keytab file has the principal used/needed
> > > for virt-manager or virsh console (libvirt/host.domain.tld@REALM).
> > > you can check yours with "klist -Kket /path/to/libvirt.keytab"
> >
> > Done too. The keytab is valid and GSSAPI works fine with it:
> >
> > $ sudo klist -Kket libvirt/krb5.tab
> > Keytab name: FILE:libvirt/krb5.tab
> > KVNO Timestamp           Principal
> > ---- ------------------- ----------------------------------------------------
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (aes256-cts-hmac-sha1-96)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (aes128-cts-hmac-sha1-96)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (des3-cbc-sha1)
> >    3 30/08/2015 15:50:36 libvirt/nice-hkvm-ctrl-01.core.nice.cloud.olivarim....@cloud.olivarim.com (arcfour-hmac)
> >
> > > * the name of the file in /etc/sasl2/ is tied to the name of the
> > > application. find the sysadmin.html page for Cyrus-SASL-libs, which
> > > states:
> > >
> > > By default, the Cyrus SASL library reads its options from
> > > /usr/lib/sasl2/App.conf (where "App" is the application defined name
> > > of the application). For instance, Sendmail reads its configuration
> > > from "/usr/lib/sasl2/Sendmail.conf" and the sample server application
> > > included with the library looks in "/usr/lib/sasl2/sample.conf".
> >
> > Here is the contents of my '/etc/sasl2/' directory after I ran
> > 'restorecon':
> >
> > [marin@nice-hkvm-ctrl-01 sasl2]$ ls -lZ
> > -rw-r--r--. root root system_u:object_r:etc_t:s0      libvirt.conf
> > -rw-r--r--. root root unconfined_u:object_r:etc_t:s0  qemu.conf
> > -rw-r--r--. root root system_u:object_r:etc_t:s0      qemu-kvm.conf
> > -rw-r--r--. root root system_u:object_r:etc_t:s0      smtpd.conf
> >
> > 'qemu.conf' and 'qemu-kvm.conf' are identical copies. SELinux seems
> > to stick to the default file name ('qemu-kvm.conf') and have no
> > knowledge of 'qemu.conf'. Anyway, as SELinux is disabled, this should
> > not be a problem.
> >

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
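A small check script for the setup debugged in this thread, added here as an example and not part of the original mail or of FreeIPA. It resolves the `/etc/sasl2/<App>.conf` file Cyrus SASL derives from an application name (so a wrong guess at the appname, as with `vnc.conf` vs `spice.conf` above, shows up as a missing file), then validates the `mech_list` and `keytab` options it finds; the `SASL_CONF_DIR` override is this script's own assumption, not a Cyrus setting.

```shell
#!/bin/sh
# Added example, not from the thread: find which /etc/sasl2/<App>.conf a
# Cyrus SASL application will read and sanity-check the keytab it names.
# SASL_CONF_DIR is an assumption of this script (not a Cyrus setting); it
# defaults to /etc/sasl2 and lets the checks run against a scratch dir.

# Print the config path Cyrus SASL derives from application name $1.
sasl_conf_path() {
    printf '%s/%s.conf\n' "${SASL_CONF_DIR:-/etc/sasl2}" "$1"
}

# Print the value of option $2 (e.g. keytab, mech_list) from config $1,
# ignoring '#' comments; prints nothing when the option is absent.
sasl_conf_get() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Report findings for application $1, one per line; return 0 only when
# the config exists, offers gssapi and names a private, readable keytab.
check_sasl_app() {
    conf=$(sasl_conf_path "$1"); rc=0
    if [ ! -e "$conf" ]; then
        echo "MISSING: $conf (Cyrus reads <App>.conf; appname may differ from the binary name)"
        return 1
    fi
    [ -L "$conf" ] && echo "NOTE: $conf is a symlink to $(readlink "$conf")"
    mechs=$(sasl_conf_get "$conf" mech_list)
    case " $mechs " in
        *" gssapi "*) ;;
        *) echo "WARN: mech_list '$mechs' does not offer gssapi"; rc=1 ;;
    esac
    keytab=$(sasl_conf_get "$conf" keytab)
    if [ -z "$keytab" ]; then
        echo "WARN: no keytab option in $conf"; rc=1
    elif [ ! -r "$keytab" ]; then
        echo "WARN: keytab $keytab is missing or unreadable"; rc=1
    else
        # GNU stat first, BSD stat as fallback; the keytab must be private.
        mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
        case "$mode" in
            600|400) ;;
            *) echo "WARN: keytab $keytab has mode $mode, expected 0600"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh sasl-check.sh spice   (or qemu-kvm, libvirt, ...)
if [ $# -gt 0 ]; then check_sasl_app "$1"; fi
```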