Re: [libvirt-users] [Freeipa-users] libvirt with vnc freeipa
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin(a)IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can
manage the kvm host.
Oh it isn't very obvious, but in this log message:
>> > 2012-11-30 12:00:53.403+0000: 7786: error :
>> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string int he log message to make it more
obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just
the username
So you need to change your whitelist to leave out the realm.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|