Re: [libvirt-users] [Freeipa-users] libvirt with vnc freeipa

Hi Natxo,
On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
hi,
I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter.
If I do not set it, and I have a realm ticket, then I may log in to virsh or virtual manager and I get tickets for libvirt/vnc services.
If I do set it, then it tells me the client is not in the whitelist, so I cannot log in :-)
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error
Is this a question for the libvirt folks or is it ok to post it here?
Seems more like a libvirt or maybe even a cyrus-sasl question, but I would be interested in knowing what is going on.
Have you used a full principal name including the realm in the list, or just the bare user names?
CCing libvirt-users.
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
Hi Natxo,
On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
hi,
I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter.
If I do not set it, and I have a realm ticket, then I may log in to virsh or virtual manager and I get tickets for libvirt/vnc services.
If I do set it, then it tells me the client is not in the whitelist, so I cannot log in :-)
That indicates the client identity is not matching against the whitelist. What are you setting it to ?
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error
Is this a question for the libvirt folks or is it ok to post it here?
Seems more like a libvirt or maybe even a cyrus-sasl question, but I would be interested in knowing what is going on.
Have you used a full principal name including the realm in the list, or just the bare user names ?
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
-- 
Groeten,
natxo

On Fri, Nov 30, 2012 at 3:42 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
Hi Natxo,
On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
hi,
I'm following the howto on http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate users for virsh with ipa.
I have it mostly working :-) except for the fact that libvirtd is not respecting the sasl_allowed_username_list parameter.
If I do not set it, and I have a realm ticket, then I may log in to virsh or virtual manager and I get tickets for libvirt/vnc services.
If I do set it, then it tells me the client is not in the whitelist, so I cannot log in :-)
That indicates the client identity is not matching against the whitelist. What are you setting it to ?
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error
Is this a question for the libvirt folks or is it ok to post it here?
Seems more like a libvirt or maybe even a cyrus-sasl question, but I would be interested in knowing what is going on.
Have you used a full principal name including the realm in the list, or just the bare user names ?
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username.
So you need to change your whitelist to leave out the realm.
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
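To make the check Daniel describes concrete, here is an added example (written for this page, not libvirt's own code) that emulates how libvirtd compares the identity SASL hands back against sasl_allowed_username_list: the option unset means no check at all, which is why the host was open to everyone, and each entry is otherwise a case-sensitive fnmatch(3) glob, so "admin@IPA.EXAMPLE.COM" never matches the bare "admin" seen in the log. The libvirtd.conf excerpt is constructed; the log lines are the ones quoted in the thread. The emulation also scans the log for the denial message and reports which entry would have matched, which is a useful check before relaxing a whitelist.

```python
import fnmatch
import re

# Constructed excerpt of /etc/libvirt/libvirtd.conf for this example. The
# active line is the setting from the thread; the commented line mirrors the
# stock example libvirt ships and is there to show comments must be ignored.
LIBVIRTD_CONF = '''
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
'''

# The libvirtd log lines quoted in the thread, verbatim.
LOG_LINES = [
    "2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist",
    "2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients",
    "2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed",
]

_LIST_RE = re.compile(r'^\s*sasl_allowed_username_list\s*=\s*\[(.*?)\]', re.MULTILINE)
_DENIED_RE = re.compile(r'virNetSASLContextCheckIdentity:\d+ : SASL client (.+?) not allowed in whitelist$')


def parse_allowed_username_list(conf_text):
    """Return the list entries, or None when the option is unset or commented out.
    None matters: libvirtd then skips the identity check entirely, which is the
    'everybody can manage the kvm host' behaviour reported in the thread."""
    m = _LIST_RE.search(conf_text)
    if m is None:
        return None
    return re.findall(r'"([^"]*)"', m.group(1))


def denied_identities(log_lines):
    """Extract the (unquoted) identity string from libvirtd's denial message."""
    found = []
    for line in log_lines:
        m = _DENIED_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def check_identity(identity, allowed):
    """Emulate virNetSASLContextCheckIdentity: no list means allow; otherwise
    the identity must glob-match (fnmatch, case-sensitive) at least one entry."""
    if allowed is None:
        return True
    return any(fnmatch.fnmatchcase(identity, pattern) for pattern in allowed)


def diagnose(conf_text, log_lines):
    """For each denied identity, record the configured entries, whether it
    passes, and which of two candidate patterns would match it: the bare name,
    or a realm wildcard when the identity is realm-qualified."""
    allowed = parse_allowed_username_list(conf_text)
    report = {}
    for ident in denied_identities(log_lines):
        candidates = [ident]
        if "@" in ident:
            candidates.append("*@" + ident.split("@", 1)[1])
        report[ident] = {
            "configured": allowed,
            "allowed": check_identity(ident, allowed),
            "matching_entries": [p for p in candidates if check_identity(ident, [p])],
        }
    return report


# Module-level result so the diagnosis can be inspected after import.
REPORT = diagnose(LIBVIRTD_CONF, LOG_LINES)

if __name__ == "__main__":
    for ident, info in REPORT.items():
        print(ident, info)
```

Running it reports that "admin" was compared against ["admin@IPA.EXAMPLE.COM"], was denied, and would be admitted by the entry "admin". Note the asymmetry a whitelist author should keep in mind: a realm wildcard such as "*@IPA.EXAMPLE.COM" only helps if the identity actually carries the realm, which in this thread it did not.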

On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username
So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
-- 
groet,
natxo

On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username
So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username.
So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
Daniel
Policy kit is local escalation to admin privileges. The policy kit policies are not centrally managed, they are preinstalled. Are you sure it is the right mechanism? Should there be some more centrally managed mechanism for access control rules like HBAC or SUDO?
-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

On Fri, Nov 30, 2012 at 11:33:30AM -0500, Dmitri Pal wrote:
On 11/30/2012 10:20 AM, Daniel P. Berrange wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username.
So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
Daniel
Policy kit is local escalation to admin privileges. The policy kit policies are not centrally managed, they are preinstalled. Are you sure it is the right mechanism? Should there be some more centrally managed mechanism for access control rules like HBAC or SUDO?
You're referring to the traditional policykit backend based on a local policy file database. More generally policykit is pluggable, so you could reference an off-node policy store. In theory the new javascript engine for policykit could be used to do a check against ldap or IPA, but I've no idea if that'd work out in reality, without more investigation.
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
well, if I create a policykit policy like this:
/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
and I create an ipa group, I can achieve in fact what I want. Members of the group may use virsh and if you have a kerberos ticket it is truly sso (I get a ticket from ssh, libvirt and vnc) with the original configuration (so no sasl, just using ssh).
-- 
groet,
natxo

On Fri, Nov 30, 2012 at 06:56:28PM +0100, Natxo Asenjo wrote:
On Fri, Nov 30, 2012 at 4:20 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 04:16:56PM +0100, Natxo Asenjo wrote:
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
It is desirable, but we don't have any way to find out information about groups. The authorization problem is something we've yet to really get a good pluggable solution for, though perhaps policykit would help here.
well, if I create a policykit policy like this:
/etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
and I create an ipa group, I can achieve in fact what I want. Members of the group may use virsh and if you have a kerberos ticket it is truly sso (I get a ticket from ssh, libvirt and vnc) with the original configuration (so no sasl, just using ssh).
Yep, as you say, this only works for real UNIX users. We basically want to make it possible to do the same, but using the SASL / GSSAPI users instead.
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
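The .pkla rule Natxo posted and Daniel's caveat about it can be seen together in this added example (written for this page; it is neither polkit nor libvirt code). It parses the rule as an ini-style file and evaluates it for a subject the way polkit's local authority would in outline: Identity= is a list of unix-user:/unix-group: entries, Action= is a glob, and the ResultAny/ResultInactive/ResultActive keys give the answer for the session state. The subject representation ({"user": ..., "groups": ...}) and the first-match ordering are simplifying assumptions of the example. The last case is the point of Daniel's reply: an identity that arrived over SASL/GSSAPI with no UNIX account behind it has no group memberships, so a unix-group rule can never authorize it.

```python
import fnmatch

# The rule from the thread, reproduced verbatim as an in-memory file.
PKLA_TEXT = """[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
"""

# Constructed subjects (assumption: a subject is the UNIX user name plus the
# set of groups the host can resolve for it, e.g. via SSSD for an IPA group).
IPA_GROUP_MEMBER = {"user": "natxo", "groups": {"libvirt", "users"}}
ORDINARY_USER = {"user": "guest", "groups": {"users"}}
SASL_ONLY_IDENTITY = {"user": "admin", "groups": set()}  # no local account, no groups


def parse_pkla(text):
    """Parse the ini-style .pkla format into a list of rule dicts."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"title": line[1:-1]}
            rules.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return rules


def identity_matches(identity_spec, subject):
    """Identity= holds ';'-separated unix-user:NAME / unix-group:NAME entries."""
    for ident in identity_spec.split(";"):
        kind, _, name = ident.strip().partition(":")
        if kind == "unix-user" and name == subject.get("user"):
            return True
        if kind == "unix-group" and name in subject.get("groups", ()):
            return True
    return False


def evaluate(rules, action, subject, session="active"):
    """Return the Result* value of the first rule whose Action glob and
    Identity both match, or None when no rule applies (polkit then falls
    back to the action's own default). Unknown session states are errors."""
    key = {"any": "ResultAny", "inactive": "ResultInactive", "active": "ResultActive"}[session]
    for rule in rules:
        if not fnmatch.fnmatchcase(action, rule.get("Action", "")):
            continue
        if not identity_matches(rule.get("Identity", ""), subject):
            continue
        return rule.get(key)
    return None


RULES = parse_pkla(PKLA_TEXT)

if __name__ == "__main__":
    for name, subj in [("ipa group member", IPA_GROUP_MEMBER),
                       ("ordinary user", ORDINARY_USER),
                       ("sasl-only identity", SASL_ONLY_IDENTITY)]:
        print(name, "->", evaluate(RULES, "org.libvirt.unix.manage", subj))
```

Only the subject whose resolved groups include libvirt gets "yes"; the others fall through to None, meaning polkit's default for the action applies. Whether an IPA group shows up in a subject's group set depends on the host resolving it as a UNIX group, which is exactly the part a SASL-only login does not get.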

On Fri, 2012-11-30 at 16:16 +0100, Natxo Asenjo wrote:
On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
hi,
sasl_allowed_username_list = ["admin@IPA.EXAMPLE.COM" ]
if I leave this field commented out (default setting), everybody can manage the kvm host.
Oh it isn't very obvious, but in this log message:
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
'admin' is the identity being matched against.
We ought to quote that string in the log message to make it more obvious.
So I guess SASL/GSSAPI is not giving us back the REALM, just the username
So you need to change your whitelist to leave out the realm.
Bingo!
Thanks. If I may just hijack this thread: is it possible to whitelist groups instead of individual users to use virsh/virtual manager?
I know sasl only deals with the authentication stuff, but here you are also authorizing in the whitelist. If this authorization could go further to allow ipa groups, that would be ideal from an admin point of view ;-)
Natxo, it sounds odd that you are getting back a non fully qualified principal name, are you sure your configuration is using SASL/GSSAPI?
What other directives have you configured?
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

On Fri, Nov 30, 2012 at 4:52 PM, Simo Sorce <simo@redhat.com> wrote:
Natxo it sounds odd that you are getting back a non fully qualified principal name, are you sure your configuration is using SASL/GSSAPI ?
What other directives have you configured ?
I have followed the howto in the freeipa.org wiki. I was getting kerberos principals (libvirt/vnc) as expected even when I could not use virsh, so it looked like it was using GSSAPI.
-- 
groet,
natxo