Re: [libvirt-users] [Freeipa-users] libvirt with vnc freeipa

On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote: > On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange(a)redhat.com&gt; wrote: >> On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote: >>> hi, >>> >>> sasl_allowed_username_list = [&quot;admin(a)IPA.EXAMPLE.COM&quot; ] >>> >>> if I leave this field commented out (default setting), everybody can >>> manage the kvm host. >> Oh it isn't very obvious, but in this log message: >> >>>>>> 2012-11-30 12:00:53.403+0000: 7786: error : >>>>>> virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in >> 'admin' is the identity being matched against. >> >> We ought to quote that string int he log message to make it more >> obvious. >> >> So I guess SASL/GSSAPI is not giving us back the REALM, just >> the username >> >> So you need to change your whitelist to leave out the realm. > Bingo! > > Thanks. If I may just hijack this thread: is it possible to whitelist > groups instead of individual users to use virsh/virtual manager? > > I know sasl only deals with the authentication stuff, buy here you are > also authorizing in the whitelist. If this authorization could go > further to allow ipa groups, that would be ideal from an admin point > of view ;-) It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here. Daniel