I'm using libvirt in a desktop environment: a single host machine, a pair of users, a few
guest machines. My first thought was that a unix socket restricted to a specific group
would be enough for authentication. But virsh has power like sudo: you could define a pool
on a real device and write anything to it. So I decided to authenticate with a password
for each virsh use. I'm using SASL + saslauthd + PAM for that.

/etc/sasl2/libvirt.conf:

    mech_list: PLAIN
    pwcheck_method: saslauthd

/etc/sasl2/qemu.conf:

    mech_list: PLAIN
    pwcheck_method: saslauthd

/etc/pam.d/libvirt:

    auth requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
    auth required pam_tally2.so onerr=succeed
    auth required pam_nologin.so
    auth required pam_unix.so try_first_pass likeauth nullok
    account requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
    account required pam_nologin.so
    account required pam_unix.so

/etc/pam.d/qemu:

    auth requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
    auth required pam_tally2.so onerr=succeed
    auth required pam_nologin.so
    auth required pam_unix.so try_first_pass likeauth nullok
    account requisite pam_listfile.so item=group sense=allow file=/etc/libvirt/allow_group
    account required pam_nologin.so
    account required pam_unix.so

These are two identical configs, one for libvirt and one for qemu. The first works
flawlessly: virsh prompts for user and password and then logs me in to the shell.
But spicy fails. It prompts only for the password and fails after receiving it, leaving
an error message in syslog:

    Oct 13 23:24:21 paladin spicy[9001]: GSSAPI client step 1

What actions should I perform to get further debug information?