Re: [arch-general] [Solved] SASL kerberos authentication problem
I figured out my problem. The client connecting to libvirtd requires cyrus-sasl-gssapi to be installed or it will fail with the "No worthy mechs found" error. I feel a bit silly right now...
-Hal
On Sat, Oct 25, 2014 at 7:15 PM, Hal Martin <hal.martin@gmail.com> wrote:
Hi all,
I'm trying to use SASL to authenticate against my KDC. I'd like to have libvirt users use their Kerberos credentials to log in, but right now it's not working. Kerberos authentication in general works. The computer has a keytab installed and I can successfully obtain a ticket through kinit; libvirt has a principal configured for the host.
libvirt error: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found)
/etc/sasl2/libvirt.conf:
mech_list: gssapi
keytab: /etc/libvirt/krb5.tab
/etc/conf.d/saslauthd:
SASLAUTHD_OPTS="-a kerberos5 ldap pam"
lsmod | grep gss:
rpcsec_gss_krb5 30147 0
auth_rpcgss 54612 1 rpcsec_gss_krb5
oid_registry 12419 1 auth_rpcgss
sunrpc 249148 6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd
packages:
extra/cyrus-sasl 2.1.26-7 [installed]
extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
extra/cyrus-sasl-ldap 2.1.26-7 [installed]
Following the instructions here I tried to use SASL to search LDAP: http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
I end up with the same error they got (they didn't have cyrus-sasl-gssapi installed, I do):
~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com' '(givenname=hal)' cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
Any suggestions would be greatly appreciated.
Thanks, Hal
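The resolution above comes down to the connecting client lacking the GSSAPI plugin for a mechanism the server's mech_list requires. As an added example (not part of the original post), this sketch reports which mechanisms from a mech_list line have no Cyrus SASL plugin file on the host it runs on. The function names are hypothetical, and the plugin file names and the /usr/lib/sasl2 directory are assumptions about a typical Cyrus SASL install.

```shell
#!/bin/sh
# Added example: find SASL mechanisms that have no Cyrus SASL plugin on this host.

# Print the mechanisms on the mech_list line of a SASL config, one per line.
mechs_from_conf() {
    sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" |
        tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Map a mechanism to the plugin file stem expected for it (assumed names).
plugin_stem() {
    case "$1" in
        gssapi)     echo libgssapiv2 ;;
        digest-md5) echo libdigestmd5 ;;
        cram-md5)   echo libcrammd5 ;;
        scram-*)    echo libscram ;;
        plain|login|anonymous) echo "lib$1" ;;
        external)   echo "-" ;;   # built into libsasl2, no plugin file
        *)          echo "" ;;    # not in this table: reported as missing
    esac
}

# missing_mechs PLUGIN_DIR MECH... : print each mechanism with no plugin file.
missing_mechs() {
    dir=$1; shift
    for mech in "$@"; do
        stem=$(plugin_stem "$mech")
        if [ "$stem" = "-" ]; then continue; fi
        found=no
        if [ -n "$stem" ]; then
            for f in "$dir/$stem".so*; do
                if [ -e "$f" ]; then found=yes; fi
            done
        fi
        if [ "$found" = no ]; then echo "$mech"; fi
    done
}

# Constructed demo: a plugin directory that holds only the PLAIN plugin,
# checked against a config that asks for gssapi (as in the post) and plain.
demo() {
    d=$(mktemp -d)
    : > "$d/libplain.so.3"
    printf 'mech_list: gssapi plain\nkeytab: /etc/libvirt/krb5.tab\n' > "$d/libvirt.conf"
    missing_mechs "$d" $(mechs_from_conf "$d/libvirt.conf")
    rm -rf "$d"
}
demo   # prints: gssapi

# On a real client: missing_mechs /usr/lib/sasl2 gssapi
```

Run it on the machine that initiates the connection, since the server having the plugin installed does not help a client that lacks it.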