[arch-general] [Solved] SASL kerberos authentication problem
hal.martin at gmail.com
Sat Oct 25 17:55:42 UTC 2014
I figured out my problem. The client connecting to libvirtd requires
cyrus-sasl-gssapi to be installed or it will fail with the "No worthy
mechs found" error.
I feel a bit silly right now...
On Sat, Oct 25, 2014 at 7:15 PM, Hal Martin <hal.martin at gmail.com> wrote:
> Hi all,
> I'm trying to use SASL to authenticate against my KDC. I'd like to
> have libvirt users use their Kerberos credentials to log in, but right
> now it's not working. Kerberos authentication in general works. The
> computer has a keytab installed and I can successfully obtain a ticket
> through kinit; libvirt has a principal configured for the host.
> libvirt error:
> authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
> no mechanism available: No worthy mechs found)
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.tab
> SASLAUTHD_OPTS="-a kerberos5 ldap pam"
> lsmod | grep gss:
> rpcsec_gss_krb5 30147 0
> auth_rpcgss 54612 1 rpcsec_gss_krb5
> oid_registry 12419 1 auth_rpcgss
> sunrpc 249148 6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd
> extra/cyrus-sasl 2.1.26-7 [installed]
> extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
> extra/cyrus-sasl-ldap 2.1.26-7 [installed]
> Following the instructions here I tried to use SASL to search LDAP:
> I end up with the same error they got (they didn't have
> cyrus-sasl-gssapi installed, I do):
> ~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com'
> '(givenname=hal)' cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> Any suggestions would be greatly appreciated.
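
A client-side check for the failure resolved in this thread, as an added example that is not part of the original messages: it reports every mechanism in a `mech_list` that has no Cyrus SASL plugin on the connecting machine. The function names are hypothetical, and the plugin directory `/usr/lib/sasl2` and the plugin file names are assumptions based on Cyrus SASL 2.1.x packaging.

```shell
#!/bin/sh
# Added example: find SASL mechanisms that have no Cyrus SASL plugin on this client.

# Plugin file stem that provides a mechanism (assumed Cyrus SASL 2.1.x names).
plugin_stem() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        gssapi)     echo libgssapiv2 ;;
        digest-md5) echo libdigestmd5 ;;
        plain)      echo libplain ;;
        *)          return 1 ;;   # not mapped here; reported so it gets checked by hand
    esac
}

# Read SASL config text on stdin and print the mechanisms of its mech_list line.
mechs_from_config() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' |
        tr '[:upper:]' '[:lower:]'
}

# Print each mechanism in $1 (space separated) with no plugin in directory $2.
missing_mechs() {
    for mech in $1; do
        found=no
        if stem=$(plugin_stem "$mech"); then
            # Matches libgssapiv2.so as well as versioned names such as .so.3
            for f in "$2/$stem".so*; do
                if [ -e "$f" ]; then found=yes; fi
            done
        fi
        if [ "$found" = no ]; then echo "$mech"; fi
    done
}

# Constructed input: the mech_list setting quoted in the thread.
conf_line='mech_list: gssapi'
plugin_dir=${1:-/usr/lib/sasl2}   # assumed default plugin directory
for m in $(missing_mechs "$(printf '%s\n' "$conf_line" | mechs_from_config)" "$plugin_dir"); do
    echo "no SASL plugin for '$m' in $plugin_dir: expect 'No worthy mechs found'"
done
```

Run it on the machine that connects to libvirtd, not on the libvirtd host, since the missing plugin in this thread was on the client.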