My server and client are running Ubuntu Lucid, libvirt-bin
0.7.5-5ubuntu27, qemu-kvm-0.12.3+noroms-0ubuntu9 and I'm using
virt-viewer-0.0.3-6ubuntu7.xul19 or virt-manager-0.8.2-2ubuntu8 to
connect. I configured SASL2 to use GSSAPI for libvirt following the
instructions in the libvirt docs, created a keytab with
libvirt/my.fully.qualified.domain@MY-REALM.COM (has a dash fwiw) and
pointed SASL2 and libvirt at /etc/krb5.keytab (changing the location
of that doesn't seem to work for my version, but that's no biggie).

So I sit on my client and run this:

    virsh -c qemu+tcp://my.fully.qualified.domain/system

And I get this message on the client:

    error: authentication failed
    error: failed to connect to the hypervisor

And this on the server logs:

    16:37:35.278: error : remoteDispatchAuthSaslStart:3135 : sasl start
    failed -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
    failure. Minor code may provide more information (Key table entry not
    found))

For fun, I ran kdestroy and tried again and got this:

    error: Failed to start SASL negotiation: -1 (SASL(-1): generic
    failure: GSSAPI Error: Unspecified GSS failure. Minor code may
    provide more information (Credentials cache file '/tmp/krb5cc_1000'
    not found))
    error: failed to connect to the hypervisor

So at least the client seems to be presenting my ticket properly, but
the server is either looking for the wrong keytab entry or I can't
read very well.
-adam
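
Added example, not part of the original post: one way to narrow down a "Key table entry not found" error is to compare the principals that `klist -k` lists for the keytab against the libvirt/host@REALM principal named above. The function name `check_keytab_principal`, its result labels and the sample keytab listing are constructed for illustration, and the parser assumes MIT `klist -k` output.

```shell
#!/bin/sh
# Added example: classify why a keytab lookup for SERVICE/HOST@REALM could fail.
# Usage: klist -k /etc/krb5.keytab | check_keytab_principal libvirt HOST REALM
# Assumption: MIT `klist -k` layout (a KVNO column followed by the principal).
check_keytab_principal() {
    awk -v svc="$1" -v host="$2" -v realm="$3" '
        BEGIN { want = svc "/" host "@" realm }
        $1 ~ /^[0-9]+$/ {
            # Pick the principal field; this tolerates the extra columns of -t / -e.
            p = ""
            for (i = 2; i <= NF; i++) if ($i ~ /@/) { p = $i; break }
            if (p == "") next
            if (p == want)                   { exact = 1; next }
            if (tolower(p) == tolower(want)) { wrongcase = 1; next }
            split(p, pr, "@"); split(pr[1], sh, "/")
            if (sh[1] != svc) next           # another service, e.g. host/
            if (sh[2] != host && pr[2] == realm) wronghost = 1
            if (sh[2] == host && pr[2] != realm) wrongrealm = 1
        }
        END {
            if (exact)           print "exact"
            else if (wrongcase)  print "case-mismatch"
            else if (wronghost)  print "host-mismatch"
            else if (wrongrealm) print "realm-mismatch"
            else                 print "missing"
        }'
}

# Constructed sample (not output from the poster's server): the keytab holds a
# host/ key and a libvirt/ key for the short hostname only.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/my.fully.qualified.domain@MY-REALM.COM
   3 libvirt/my@MY-REALM.COM'

printf '%s\n' "$SAMPLE_KLIST" |
    check_keytab_principal libvirt my.fully.qualified.domain MY-REALM.COM
```

Any result other than `exact` means the keytab has no key stored under exactly that principal name, and the label indicates which part of the name differs.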