My server and client are running Ubuntu Lucid, libvirt-bin 0.7.5-5ubuntu27, qemu-kvm-0.12.3+noroms-0ubuntu9 and I'm using virt-viewer-0.0.3-6ubuntu7.xul19 or virt-manager-0.8.2-2ubuntu8 to connect. I configured SASL2 to use GSSAPI for libvirt following the instructions in the libvirt docs, created a keytab with libvirt/my.fully.qualified.domain@xxxxxxxxxxxx (has a dash fwiw) and pointed SASL2 and libvirt at /etc/krb5.keytab (changing the location of that doesn't seem to work for my version, but that's no biggie). So I sit on my client and run this: virsh -c qemu+tcp://my.fully.qualified.domain/system And I get this message on the client: error: authentication failed error: failed to connect to the hypervisor And this on the server logs: 16:37:35.278: error : remoteDispatchAuthSaslStart:3135 : sasl start failed -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)) For fun, I ran kdestroy and tried again and got this: error: Failed to start SASL negotiation: -1 (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_1000' not found)) error: failed to connect to the hypervisor So at least the client seems to be presenting my ticket properly, but the server is either looking for the wrong keytab entry or I can't read very well. -adam
