On Wed, Nov 17, 2010 at 10:53:56PM -0700, Jim Fehlig wrote:
> I'm trying to debug a PolicyKit auth issue in libvirt and looking for
> some suggestions.
>
> Server has the following policy for user ski52 in
> /etc/PolicyKit/PolicyKit.conf :
>
> <match action="org.libvirt.unix.manage">
>   <match user="ski52">
>     <return result="auth_self_keep_always"/>
>   </match>
> </match>
>
> I can authenticate via polkit when logged directly into server via ssh
> as ski52
>
> ski52@vhost52:~> virsh -c qemu:///system list
> Attempting to obtain authorization for org.libvirt.unix.manage.
> Authentication is required.
> Password:
> Successfully obtained the authorization for org.libvirt.unix.manage.
>  Id Name                 State
> ----------------------------------
>  33 vm1                  running
>
> But when using qemu+ssh remotely
>
> ski53@vhost53:~> virsh -c qemu+ssh://ski52@vhost52/system list
> Attempting to obtain authorization for org.libvirt.unix.manage.
> Authentication as an administrative user is required.
> Password:
> polkit-grant-helper-pam: pam_authenticated failed: Authentication failure
> Failed to obtain authorization for org.libvirt.unix.manage.
> error: authentication failed
> error: failed to connect to the hypervisor
>
> AFAICT by tracing with gdb, the client calls polkit-auth *locally* when
> authentication is needed, instead of invoking polkit-auth on the
> server. This backtrace from gdb on the client machine shows
> 'polkit-auth --obtain' being called locally from virConnectAuthGainPolkit()
>
> #0  virConnectAuthGainPolkit (privilege=0x7ffff7b8b3ba
> "org.libvirt.unix.manage") at libvirt.c:111
> #1  0x00007ffff7a912a3 in virConnectAuthCallbackDefault
> (cred=0x7fffffffdd20, ncred=1, cbdata=0x0)
>     at libvirt.c:149
> #2  0x00007ffff7ac367f in remoteAuthPolkit (conn=0x63ec10,
> priv=0x7ffff7e25010, in_open=1,
>     auth=0x7ffff7dc9bc0) at remote/remote_driver.c:7431
> #3  0x00007ffff7ac1d8d in remoteAuthenticate (conn=0x63ec10,
> priv=0x7ffff7e25010, in_open=1,
>     auth=0x7ffff7dc9bc0, authtype=0x0) at remote/remote_driver.c:6864
> #4  0x00007ffff7ab5936 in doRemoteOpen (conn=0x63ec10,
> priv=0x7ffff7e25010, auth=0x7ffff7dc9bc0, flags=0)
>     at remote/remote_driver.c:854
> ..
>
> Has anyone else observed such behavior?  Any hints on how to forward the
> polkit-auth call to the server?  Both client and server are libvirt
> 0.8.5 btw.

You basically can't use policy kit remotely. Its architecture only
allows for local authentication. Since you're seeing 'polkit-auth'
being run by libvirt.so, you must be using the first version of
policykit. In the second version, libvirt doesn't even get to
run 'polkit-auth' itself. The policykit daemon triggers the
authentication client via a side-channel, typically DBus. This
just can't work remotely.

We do short-circuit this when logging in as root, so that root
is always allowed, so e.g. qemu+ssh://root@hostname/system should
avoid policykit auth.

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|