[arch-general] SASL kerberos authentication problem
Hi all, I'm trying to use SASL to authenticate against my KDC. I'd like to have libvirt users use their kerberos credentials to login, but right now it's not working. Kerberos authentication in general works. The computer has a keytab installed and I can successfully obtain a ticket through kinit, libvirt has a principle configured for the host. libvirt error: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) /etc/sasl2/libvirt.conf: mech_list: gssapi keytab: /etc/libvirt/krb5.tab /etc/conf.d/saslauthd: SASLAUTHD_OPTS="-a kerberos5 ldap pam" lsmod | grep gss: rpcsec_gss_krb5 30147 0 auth_rpcgss 54612 1 rpcsec_gss_krb5 oid_registry 12419 1 auth_rpcgss sunrpc 249148 6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd packages: extra/cyrus-sasl 2.1.26-7 [installed] extra/cyrus-sasl-gssapi 2.1.26-7 [installed] extra/cyrus-sasl-ldap 2.1.26-7 [installed] Following the instructions here I tried to use SASL to search LDAP: http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml I end up with the same error they got (they didn't have cyrus-sasl-gssapi installed, I do): ~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com' '(givenname=hal)' cn SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: Any suggestions would be greatly appreciated. Thanks, Hal
participants (1)
-
Hal Martin