I figured out my problem. The client connecting to libvirtd requires
cyrus-sasl-gssapi to be installed or it will fail with the "No worthy
mechs found" error.

I feel a bit silly right now...

-Hal

On Sat, Oct 25, 2014 at 7:15 PM, Hal Martin <hal.martin@xxxxxxxxx> wrote:
> Hi all,
>
> I'm trying to use SASL to authenticate against my KDC. I'd like to
> have libvirt users use their Kerberos credentials to log in, but right
> now it's not working. Kerberos authentication in general works. The
> computer has a keytab installed and I can successfully obtain a ticket
> through kinit, libvirt has a principal configured for the host.
>
> libvirt error:
> authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
> no mechanism available: No worthy mechs found)
>
> /etc/sasl2/libvirt.conf:
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.tab
>
> /etc/conf.d/saslauthd:
> SASLAUTHD_OPTS="-a kerberos5 ldap pam"
>
> lsmod | grep gss:
> rpcsec_gss_krb5        30147  0
> auth_rpcgss            54612  1 rpcsec_gss_krb5
> oid_registry           12419  1 auth_rpcgss
> sunrpc                249148  6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd
>
> packages:
> extra/cyrus-sasl 2.1.26-7 [installed]
> extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
> extra/cyrus-sasl-ldap 2.1.26-7 [installed]
>
> Following the instructions here I tried to use SASL to search LDAP:
> http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
>
> I end up with the same error they got (they didn't have
> cyrus-sasl-gssapi installed, I do):
> ~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com'
> '(givenname=hal)' cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> Any suggestions would be greatly appreciated.
>
> Thanks,
> Hal
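
A check for the condition described in the reply above, as an added example that is not part of the original thread: it reads mech_list from a copy of the server's SASL config and reports mechanisms with no Cyrus SASL plugin in a given plugin directory on the client. The plugin file stems, and a plugin directory such as /usr/lib/sasl2, are assumptions based on stock Cyrus SASL builds; the function names are hypothetical.

```shell
#!/bin/sh
# Map a SASL mechanism name to the Cyrus SASL plugin file stem that
# provides it (assumed stock plugin names; extend for other mechanisms).
plugin_for_mech() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        gssapi)      echo libgssapiv2 ;;
        digest-md5)  echo libdigestmd5 ;;
        scram-*)     echo libscram ;;
        plain)       echo libplain ;;
        *)           return 1 ;;
    esac
}

# missing_mechs CONF PLUGIN_DIR
# Prints one line per mechanism in CONF's mech_list that has no matching
# plugin file in PLUGIN_DIR. No output means every mechanism is covered.
missing_mechs() {
    conf=$1
    dir=$2
    # Extract the value of "mech_list: ..." (space-separated mechanisms).
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$conf")
    for m in $mechs; do
        if ! stem=$(plugin_for_mech "$m"); then
            echo "$m (no known plugin mapping)"
            continue
        fi
        found=no
        # Plugins are installed as <stem>.so, <stem>.so.N, and so on.
        for f in "$dir/$stem".so*; do
            if [ -e "$f" ]; then
                found=yes
            fi
        done
        [ "$found" = yes ] || echo "$m"
    done
}

# Typical use on the client (plugin directory is an assumption):
#   missing_mechs /etc/sasl2/libvirt.conf /usr/lib/sasl2
```

If this prints gssapi on the machine running the libvirt client, that machine is in the state described in the reply, where the negotiation fails with "No worthy mechs found".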