[arch-general] SASL kerberos authentication problem

Hal Martin hal.martin at gmail.com
Sat Oct 25 17:15:00 UTC 2014

Hi all,

I'm trying to use SASL to authenticate against my KDC. I'd like to
have libvirt users use their kerberos credentials to login, but right
now it's not working. Kerberos authentication in general works. The
computer has a keytab installed and I can successfully obtain a ticket
through kinit, libvirt has a principle configured for the host.

libvirt error:
authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
no mechanism available: No worthy mechs found)

mech_list: gssapi
keytab: /etc/libvirt/krb5.tab

SASLAUTHD_OPTS="-a kerberos5 ldap pam"

lsmod | grep gss:
rpcsec_gss_krb5        30147  0
auth_rpcgss            54612  1 rpcsec_gss_krb5
oid_registry           12419  1 auth_rpcgss
sunrpc                249148  6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd

extra/cyrus-sasl 2.1.26-7 [installed]
extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
extra/cyrus-sasl-ldap 2.1.26-7 [installed]

Following the instructions here I tried to use SASL to search LDAP:

I end up with the same error they got (they didn't have
cyrus-sasl-gssapi installed, I do):
~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com'
'(givenname=hal)' cn
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

Any suggestions would be greatly appreciated.


More information about the arch-general mailing list