On Fri, Jan 28, 2011 at 12:59:28AM +0100, Thomas Schweikle wrote:
> Hi!
>
> Having two hosts installed with libvirtd, kvm, qemu on (Ubuntu
> 10.10). Now I have one big problem and one less:
>
> I have set up kerberos for both hosts. Created the principal
> "libvirt/srv1.example.org@xxxxxxxxxxx" and
> "libvirt/srv2.example.org@xxxxxxxxxxx", exported the krb5.keytab,
> installed it and tested the servers:
>
> srv1.example.org: I can connect using kerberos after acquiring a
> ticket with kinit.
>
> srv2.example.org: I am asked for user and password. Setup seems to
> be identical. Is there a way to debug what is going on on this
> server? I'd like to have both respect kerberos and allow logging in
> with no password it already authenticated!
>
> Here is what I've set up:
> /etc/sasl2/libvirt.conf
> listen_tls = 0
> listen_tcp = 1
> mdns_adv = 0
> auth_unix_ro = "none"
> auth_unix_rw = "none"
> auth_tcp = "sasl"
>
> /etc/sasl2/libvirt.conf
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.kqemu
> sasldb_path: /etc/libvirt/passwd.db
>
> I start libvirtd with:
> KRB5_KTNAME=/etc/libvirt/krb5.kqemu
> /usr/sbin/libvirtd -d --listen
>
> In virt-manager I've set both hosts:
> qemu+tcp://srv1.example.org
> qemu+tcp://srv2.example.org
>
> Since both configs are identical (I've run diff on them) I am a bit
> lost at the moment. I do not have any idea why it works for one
> host, but not the other. Any ideas?

Also check file permissions and make sure you've restarted libvirtd.

Also make sure /etc/hosts is accurate and that the name reported
by the 'hostname' command resolves to a real IP address (i.e. not 127.0.0.1),
and that the IP address resolves back to the original hostname.

You can set LIBVIRT_DEBUG=1 for virsh, and similar for libvirtd
in /etc/libvirt/libvirtd.conf, to see verbose debugging.

Also, 'klist' on the client will show whether the client ever even
started kerberos for the host in question - you should see the
host's ticket present.

Daniel
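
The forward and reverse name check described in the reply above, as an added example that is not part of the original thread. The function names and the injectable `forward`/`reverse` resolver parameters are assumptions made for illustration; by default the system resolver is used, so /etc/hosts entries are honoured.

```python
import ipaddress
import socket


def forward_lookup(name):
    """Addresses the system resolver (including /etc/hosts) returns for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def reverse_lookup(addr):
    """Primary name the system resolver returns for addr."""
    return socket.gethostbyaddr(addr)[0]


def check_host(name, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means name -> IP -> name agrees."""
    try:
        addrs = sorted(forward(name))
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return [f"{name}: forward lookup failed ({exc})"]
    if not addrs:
        return [f"{name}: forward lookup returned no addresses"]
    problems = []
    for addr in addrs:
        # Drop any IPv6 scope suffix (fe80::1%eth0) before parsing.
        if ipaddress.ip_address(addr.split("%")[0]).is_loopback:
            problems.append(f"{name} resolves to loopback address {addr}")
            continue
        try:
            back = reverse(addr)
        except OSError as exc:
            problems.append(f"{addr}: reverse lookup failed ({exc})")
            continue
        # DNS names are case-insensitive and may carry a trailing dot.
        if back.rstrip(".").lower() != name.rstrip(".").lower():
            problems.append(f"{addr} resolves back to {back}, not {name}")
    return problems


if __name__ == "__main__":
    # Run on each libvirtd host. socket.getfqdn() stands in for the name
    # reported by 'hostname' (an assumption of this example).
    host = socket.getfqdn()
    ok = [f"{host}: forward and reverse lookups agree"]
    for line in check_host(host) or ok:
        print(line)
```

Running it on both servers and comparing the output shows whether one of them maps its own name to a loopback address or to a different reverse name.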