[arch-general] SASL kerberos authentication problem
Hal Martin
hal.martin at gmail.com
Sat Oct 25 17:15:00 UTC 2014
Hi all,
I'm trying to use SASL to authenticate against my KDC. I'd like to
have libvirt users use their Kerberos credentials to log in, but right
now it's not working. Kerberos authentication in general works. The
computer has a keytab installed and I can successfully obtain a ticket
through kinit, and libvirt has a principal configured for the host.

libvirt error:
authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
no mechanism available: No worthy mechs found)

/etc/sasl2/libvirt.conf:
mech_list: gssapi
keytab: /etc/libvirt/krb5.tab

/etc/conf.d/saslauthd:
SASLAUTHD_OPTS="-a kerberos5 ldap pam"

lsmod | grep gss:
rpcsec_gss_krb5 30147 0
auth_rpcgss 54612 1 rpcsec_gss_krb5
oid_registry 12419 1 auth_rpcgss
sunrpc 249148 6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd

packages:
extra/cyrus-sasl 2.1.26-7 [installed]
extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
extra/cyrus-sasl-ldap 2.1.26-7 [installed]

Following the instructions here I tried to use SASL to search LDAP:
http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
I end up with the same error they got (they didn't have
cyrus-sasl-gssapi installed, I do):

~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com' '(givenname=hal)' cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Any suggestions would be greatly appreciated.
Thanks,
Hal