[libvirt] polkit auth issue

Wed, 17 Nov 2010 22:02:08 -0800 

I'm trying to debug a PolicyKit auth issue in libvirt and looking for
some suggestions.

Server has the following policy for user ski52 in
/etc/PolicyKit/PolicyKit.conf :

<match action="org.libvirt.unix.manage">
<match user="ski52">
<return result="auth_self_keep_always"/>
</match>
</match>

I can authenticate via polkit  when logged directly into server via ssh
as ski52

sk...@vhost52:~> virsh -c qemu:///system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication is required.
Password:
Successfully obtained the authorization for org.libvirt.unix.manage.
 Id Name                 State
----------------------------------
 33 vm1                   running

But when using qemu+ssh remotely

sk...@vhost53:~> virsh -c qemu+ssh://sk...@vhost52/system list
Attempting to obtain authorization for org.libvirt.unix.manage.
Authentication as an administrative user is required.
Password:
polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
Failed to obtain authorization for org.libvirt.unix.manage.
error: authentication failed
error: failed to connect to the hypervisor

AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
authentication is needed, instead of invoking polkit-auth on the
server.  This backtrace from gdb on the client machine shows
'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit()

#0  virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba
"org.libvirt.unix.manage") at libvirt.c:111
#1  0x00007ffff7a912a3 in virConnectAuthCallbackDefault
(cred=0x7fffffffdd20, ncred=1, cbdata=0x0)
    at libvirt.c:149
#2  0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10,
priv=0x7ffff7e25010, in_open=1,
    auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
#3  0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10,
priv=0x7ffff7e25010, in_open=1,
    auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
#4  0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10,
priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0)
    at remote/remote_driver.c:854
..

Has anyone else observed such behavior?  Any hints on how to forward the
polkit-auth call to the server?  Both client and server are libvirt
0.8.5 btw.

Regards,
Jim

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to