hi,

sasl_allowed_username_list = ["admin@xxxxxxxxxxxxxxx" ]

if I leave this field commented out (default setting), everybody can
manage the kvm host.

--
Regards,
natxo

On Fri, Nov 30, 2012 at 3:42 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> On Fri, Nov 30, 2012 at 09:25:34AM -0500, Simo Sorce wrote:
>> Hi Natxo,
>>
>> On Fri, 2012-11-30 at 13:06 +0100, Natxo Asenjo wrote:
>> > hi,
>> >
>> > I'm following the howto on
>> > http://freeipa.org/page/Libvirt_with_VNC_Consoles to authenticate
>> > users for virsh with ipa.
>> >
>> > I have it mostly working :-) except for the fact that libvirtd is not
>> > respecting the sasl_allowed_username_list parameter.
>> >
>> > If I do not set it, and I have a realm ticket, then I may log in to virsh
>> > or virtual manager and I get tickets for libvirt/vnc services.
>> >
>> > If I do set it, then it tells me the client is not in the whitelist,
>> > so I cannot log in :-)
>
> That indicates the client identity is not matching against the whitelist.
> What are you setting it to?
>
>> > 2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
>> > 2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
>> > 2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
>> > 2012-11-30 12:00:53.415+0000: 7781: error : virNetSocketReadWire:999 : End of file while reading data: Input/output error
>> >
>> > Is this a question for the libvirt folks or is it ok to post it here?
>>
>> Seems more like a libvirt or maybe even a cyrus-sasl question but I would
>> be interested in knowing what is going on.
>>
>> Have you used a full principal name including the realm in the list, or
>> just the bare user names?
>
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
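
The mismatch visible in the quoted log, as an added example that is not part of the original thread or libvirt's own code: it pulls the rejected SASL identity out of libvirtd log lines and compares it with the sasl_allowed_username_list entries. The realm EXAMPLE.COM, the function names, and the treatment of entries as case-sensitive glob patterns are assumptions made here.

```python
import fnmatch
import re

# Log text is from the thread; EXAMPLE.COM stands in for the redacted realm.
SAMPLE_LOG = """\
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
2012-11-30 12:00:53.403+0000: 7786: error : virNetSASLContextCheckIdentity:150 : Client's username is not on the list of allowed clients
2012-11-30 12:00:53.403+0000: 7786: error : remoteDispatchAuthSaslStep:2447 : authentication failed: authentication failed
"""
SAMPLE_WHITELIST = ["admin@EXAMPLE.COM"]
REJECT_RE = re.compile(r"SASL client (\S+) not allowed in whitelist")


def rejected_identities(log_text):
    """Return the SASL identities libvirtd reported as rejected, in order."""
    return REJECT_RE.findall(log_text)


def is_allowed(identity, whitelist):
    """Assumption: entries are compared as case-sensitive glob patterns."""
    if whitelist is None:  # list left commented out: nobody is filtered (per the thread)
        return True
    return any(fnmatch.fnmatchcase(identity, pat) for pat in whitelist)


def explain(identity, whitelist):
    """Say why an identity does or does not match the whitelist."""
    if is_allowed(identity, whitelist):
        return "allowed"
    user, _, realm = identity.partition("@")
    for pat in whitelist:
        pat_user, _, pat_realm = pat.partition("@")
        if not fnmatch.fnmatchcase(user, pat_user):
            continue
        if not realm and pat_realm:
            return "bare name presented, entry %r is realm-qualified" % pat
        if realm and not pat_realm:
            return "realm-qualified name presented, entry %r is bare" % pat
        return "realm %r does not match entry %r" % (realm, pat)
    return "no entry for this user"


def audit(log_text, whitelist):
    """Pair every rejected identity in the log with the reason it failed."""
    return [(i, explain(i, whitelist)) for i in rejected_identities(log_text)]


if __name__ == "__main__":
    for identity, reason in audit(SAMPLE_LOG, SAMPLE_WHITELIST):
        print(identity, "->", reason)
```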