Hello, Does anyone have spice server for KVM Linux guests working with GSSAPI authentication? I've been trying for a while and I simply can't get it to work. I don't know what I'm doing wrong. I wouldn't be surprised if I've misunderstood something. I followed this guide: https://www.freeipa.org/page/Libvirt_with_VNC_Consoles Yes, the above is for VNC consoles. I just adapted that write up for spice. When I try to connect to a console from either virt-manager or with virt-viewer, I'm prompted to enter a password (though I shouldn't be). When I type in my freeipa domain password, it gets rejected. libvirtd with Kerberos and GSSAPI is working perfectly. I can use virt-manager from my Fedora 26 desktop with the below URI: qemu+tcp://ranbir@kvmhost01/system virt-manager connects, I get a list of all the running KVMs and I can work with them like I would if I was running virt-manager over ssh with X forwarding. The only that doesn't work is viewing the consoles. Details: - my host is a fully updated CentOS 7 system - libvirtd is set to listen for tcp connections - I added the service spice/kvmhost01.theinside.rnr - I created a keytab for the above and put it on kvmhost01 in /etc/qemu-kvm/krb5.tab - the above file has owner:group set to qemu:root with perms 600 - I have the following in /etc/sasl2/qemu-kvm.conf mech_list: gssapi keytab: /etc/qemu-kvm/krb5.tab - I have the following in /etc/libvirt/qemu.conf spice_listen = "0.0.0.0" spice_tls = 0 spice_sasl = 1 spice_sasl_dir = "/etc/sasl2/" - the first time I try to view a console, I get the kerberos tickets I expect to: Ticket cache: KEYRING:persistent:625400004:krb_ccache_7rtJmh8 Default principal: ranbir@xxxxxxxxxxxxx Valid starting Expires Service principal 2017-12-29 18:37:45 2017-12-30 18:01:40 spice/kvmhost01.theinside.rnr@xxxxxxxxxxxxx 2017-12-29 18:37:40 2017-12-30 18:01:40 libvirt/kvmhost01.theinside.rnr@xxxxxxxxxxxxx 2017-12-29 18:01:40 2017-12-30 18:01:40 krbtgt/THEINSIDE.RNR@xxxxxxxxxxxxx I'm surprised there isn't more info available about this online. That's why I'm now here asking for assistance. Does anyone have any suggestions/advice? Thanks in advance! -- Ranbir _______________________________________________ CentOS-virt mailing list CentOS-virt@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos-virt