On Wed, Jun 30, 2010 at 10:13, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
>
> If changing the location in /etc/sasl2/libvirt.conf doesn't
> work then you likely have a broken kerberos/sasl library.
> This works in latest versions, but for broken systems you
> can workaround it by setting KRB5_KTNAME=/etc/libvirt/krb5.tab
> as an env variable when starting libvirtd.

Looks like upstart doesn't work quite like I thought. Running this from the command line shows it changed the file path:

KRB5_KTNAME=/etc/libvirt/krb5.keytab strace -f -ff -eopen libvirtd --listen 2>&1 |grep keytab
[pid 2412] open("/etc/libvirt/krb5.keytab", O_RDONLY) = 39

>
> Do you have your server hostname configured to exactly match
> my.fully.qualified.domain (as per hostname -f command), and
> is that hostname present in the DNS records, both forward and
> reverse lookups. Using /etc/hosts is not sufficient for kerberos
> to work IIRC.

Yeah, I ran into that one way too many times to forget :(
hostname -f gives fqdn, dig on that fqdn gives the right IP, dig -x on that IP gives a PTR to the same fqdn.

>
> That just says the client doesn't have a ticket so not
> really of interest since you just kdestroy'd the ticket :-)