[libvirt-users] libvirt with sasl shadow backend

Hi list,

I have a problem with virt-manager authentication over tcp. I tried it with virt-manager over non-TLS "TCP (SASL/Kerberos)" auth. and the sasl mechanism "shadow". The user (tested with unprivileged user and root) is already in the group libvirt(d) and the process is running as root.

The result on host:

    Jan 18 21:05:31 host libvirtd: 21:05:31.620: error : remoteDispatchAuthSaslStep:3691 : sasl step failed -20 (SASL(-13): user not found: no secret in database)

on client (virt-manager gui):

    ... ('virtConnectOpenAuth() faild') ..

I have tested it with tool "testsaslauthd" and their result, e.g.:

    # testsaslauthd -u root -p root
    0: OK "Success."

When I set it manually with saslpasswd:

    # saslpasswd2 -a libvirt root -p

it works.

Although I use, in the configuration of sasl, shadow, libvirt does not use it (I think so).

Host:
debian6.0.3 (squeeze)
libvirt 0.8.3 (deb)
sasl2.1.23 (deb)

:-)

Best regards, Robyn

Hi list,

I've been thinking and I think the right question is:
- about which is libvirt access to sasl, socket?
- which is transmitted? and
- what is expected libvirt?
(e.g. shadow have no service/application assignment)

:) regards
Robyn

2012/1/18 Robyn Bachofer <r.bachofer@googlemail.com>

On Fri, Jan 20, 2012 at 12:55:09AM +0100, Robyn Bachofer wrote:
> Hi list,
> I've been thinking and I think the right question is:
> - about which is libvirt access to sasl, socket?
> - which is transmitted? and
> - what is expected libvirt?
> (e.g. shadow have no service/application assignment)

I'm not sure I understand your question, can you explain?

Dave
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

The tool for testing SASL-Authentication "testsaslauthd" uses sockets:

strace:

    socket(PF_FILE, SOCK_STREAM, 0) = 3
    connect(3, {sa_family=AF_FILE, path="/var/run/saslauthd/mux"}, 110) = 0
    writev(3, [{"\0\4root\0\4root\0\4imap\0\0", 20}], 1) = 20
    read(3, "\0\2", 2) = 2
    read(3, "OK", 2)

and it is successful (whatever service is set [-s servicename] or without -s).

But how it makes libvirt? I can't trace it and I don't see it in source-code of remote.c/h understandable?

2012/1/20 Dave Allan <dallan@redhat.com>
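The request that testsaslauthd writes to /var/run/saslauthd/mux in the strace above can be decoded field by field. The following is an added example, not part of the original thread and not libvirt or Cyrus SASL code: it rebuilds that frame (four fields, each with a 2-byte big-endian length: user, password, service, realm), parses it with bounds checks, and replays the exchange over a local socketpair. Function names and the stand-in responder are assumptions; the bytes are the ones in the trace, which also show the password crossing the socket in clear.

```python
import socket
import struct

def pack_field(value: bytes) -> bytes:
    """One field on the wire: 2-byte big-endian length, then the raw bytes."""
    return struct.pack("!H", len(value)) + value

def build_request(user: bytes, password: bytes,
                  service: bytes = b"imap", realm: bytes = b"") -> bytes:
    """Client frame; 'imap' is the service name seen in the trace."""
    return b"".join(pack_field(f) for f in (user, password, service, realm))

def parse_fields(data: bytes, count: int) -> list:
    """Split `count` length-prefixed fields, rejecting malformed frames."""
    fields, offset = [], 0
    for _ in range(count):
        if offset + 2 > len(data):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if offset + length > len(data):
            raise ValueError("field runs past end of frame")
        fields.append(data[offset:offset + length])
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last field")
    return fields

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, as the two read() calls in the trace do."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf

def demo_exchange():
    """Both sides over a socketpair; the responder is a stand-in, not saslauthd."""
    client, server = socket.socketpair()
    with client, server:
        client.sendall(build_request(b"root", b"root"))  # constructed credentials
        user, password, service, realm = parse_fields(server.recv(4096), 4)
        server.sendall(pack_field(b"OK" if password == b"root" else b"NO"))
        (length,) = struct.unpack("!H", recv_exact(client, 2))
        return (user, service, realm), recv_exact(client, length)
```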