On Fri, 2012-11-30 at 16:16 +0100, Natxo Asenjo wrote:
> On Fri, Nov 30, 2012 at 4:04 PM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
> > On Fri, Nov 30, 2012 at 03:56:14PM +0100, Natxo Asenjo wrote:
> >> hi,
> >>
> >> sasl_allowed_username_list = ["admin@xxxxxxxxxxxxxxx" ]
> >>
> >> if I leave this field commented out (default setting), everybody can
> >> manage the kvm host.
> >
> > Oh it isn't very obvious, but in this log message:
> >
> >> >> > 2012-11-30 12:00:53.403+0000: 7786: error :
> >> >> > virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in
> >
> > 'admin' is the identity being matched against.
> >
> > We ought to quote that string in the log message to make it more
> > obvious.
> >
> > So I guess SASL/GSSAPI is not giving us back the REALM, just
> > the username
> >
> > So you need to change your whitelist to leave out the realm.
>
> Bingo!
>
> Thanks. If I may just hijack this thread: is it possible to whitelist
> groups instead of individual users to use virsh/virtual manager?
>
> I know sasl only deals with the authentication stuff, but here you are
> also authorizing in the whitelist. If this authorization could go
> further to allow ipa groups, that would be ideal from an admin point
> of view ;-)

Natxo, it sounds odd that you are getting back a non-fully-qualified principal name; are you sure your configuration is using SASL/GSSAPI? What other directives have you configured?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
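An added illustration of the mismatch discussed in the thread (example code, not libvirt's source): it models the `sasl_allowed_username_list` check as a wildcard pattern match over the identity SASL returns, with an unset list allowing every authenticated client as Natxo observed, and pulls the rejected identity out of the quoted log line. The realm `EXAMPLE.COM` is a constructed stand-in for the redacted one.

```python
import fnmatch
import re
from typing import List, Optional

# Log line quoted in the thread; the identity libvirt matched was "admin",
# i.e. the bare username without the Kerberos realm.
LOG_LINE = ("2012-11-30 12:00:53.403+0000: 7786: error : "
            "virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in")
LOG_RE = re.compile(r"SASL client (\S+) not allowed")


def rejected_identity(log_line: str) -> Optional[str]:
    """Return the SASL identity named in a 'not allowed' error line, if any."""
    m = LOG_RE.search(log_line)
    return m.group(1) if m else None


def sasl_identity_allowed(identity: str, allow_list: Optional[List[str]]) -> bool:
    """Model of the whitelist check (assumption: libvirtd.conf documents the
    list entries as shell-style wildcard patterns, so fnmatch is used here).

    An absent or empty list means no authorization filtering: every client
    that authenticated via SASL is allowed, which is the default Natxo hit.
    """
    if not allow_list:
        return True
    return any(fnmatch.fnmatchcase(identity, pattern) for pattern in allow_list)


if __name__ == "__main__":
    ident = rejected_identity(LOG_LINE)                       # "admin"
    # The thread's original whitelist: realm-qualified entry vs bare identity.
    print(ident, sasl_identity_allowed(ident, ["admin@EXAMPLE.COM"]))  # False
    # Daniel's fix: whitelist the bare username that SASL actually returned.
    print(ident, sasl_identity_allowed(ident, ["admin"]))              # True
    # Had GSSAPI returned the fully qualified principal, the realm-qualified
    # entry (or a realm wildcard) would have matched.
    print(sasl_identity_allowed("admin@EXAMPLE.COM", ["*@EXAMPLE.COM"]))  # True
```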