[arch-general] [Solved] SASL kerberos authentication problem

Hal Martin hal.martin at gmail.com
Sat Oct 25 17:55:42 UTC 2014


I figured out my problem. The client connecting to libvirtd requires
cyrus-sasl-gssapi to be installed or it will fail with the "No worthy
mechs found" error.

I feel a bit silly right now...

-Hal

On Sat, Oct 25, 2014 at 7:15 PM, Hal Martin <hal.martin at gmail.com> wrote:
> Hi all,
>
> I'm trying to use SASL to authenticate against my KDC. I'd like to
> have libvirt users use their Kerberos credentials to log in, but right
> now it's not working. Kerberos authentication in general works. The
> computer has a keytab installed and I can successfully obtain a ticket
> through kinit; libvirt has a principal configured for the host.
>
> libvirt error:
> authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
> no mechanism available: No worthy mechs found)
>
> /etc/sasl2/libvirt.conf:
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.tab
>
> /etc/conf.d/saslauthd:
> SASLAUTHD_OPTS="-a kerberos5 ldap pam"
>
> lsmod | grep gss:
> rpcsec_gss_krb5        30147  0
> auth_rpcgss            54612  1 rpcsec_gss_krb5
> oid_registry           12419  1 auth_rpcgss
> sunrpc                249148  6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd
>
> packages:
> extra/cyrus-sasl 2.1.26-7 [installed]
> extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
> extra/cyrus-sasl-ldap 2.1.26-7 [installed]
>
> Following the instructions here I tried to use SASL to search LDAP:
> http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
>
> I end up with the same error they got (they didn't have
> cyrus-sasl-gssapi installed, I do):
> ~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com'
> '(givenname=hal)' cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>
> Any suggestions would be greatly appreciated.
>
> Thanks,
> Hal
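
An added diagnostic, not part of the thread: it reads `mech_list` from a SASL config such as the `/etc/sasl2/libvirt.conf` quoted above and reports every mechanism that has no Cyrus SASL plugin in a given directory, which is the client-side condition behind "No worthy mechs found". The function names and the sample directory layout are assumptions of this example; on a real client, pass its plugin directory (assumed to be `/usr/lib/sasl2` on Arch).

```shell
#!/bin/sh
# Map a SASL mechanism name to the Cyrus SASL plugin file stem.
plugin_stem() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        GSSAPI)     echo libgssapiv2 ;;   # shipped in cyrus-sasl-gssapi
        DIGEST-MD5) echo libdigestmd5 ;;
        CRAM-MD5)   echo libcrammd5 ;;
        SCRAM-*)    echo libscram ;;
        PLAIN)      echo libplain ;;
        LOGIN)      echo liblogin ;;
        ANONYMOUS)  echo libanonymous ;;
        EXTERNAL)   echo builtin ;;       # implemented inside libsasl2 itself
        *)          echo unknown ;;
    esac
}

# Usage: missing_sasl_mechs <sasl-conf> <plugin-dir>
# Prints each mechanism from mech_list that has no plugin file in <plugin-dir>.
missing_sasl_mechs() {
    local conf=$1 plugin_dir=$2 mech stem
    for mech in $(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$conf"); do
        stem=$(plugin_stem "$mech")
        [ "$stem" = builtin ] && continue
        # Plugins are installed as <stem>.so plus versioned names (<stem>.so.3 ...).
        if [ "$stem" = unknown ] || ! ls "$plugin_dir/$stem".so* >/dev/null 2>&1; then
            echo "$mech"
        fi
    done
}

# Constructed sample: the config from the post, checked against a client
# plugin directory that only has PLAIN (no cyrus-sasl-gssapi installed).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf 'mech_list: gssapi\nkeytab: /etc/libvirt/krb5.tab\n' > "$tmp/libvirt.conf"
    mkdir "$tmp/sasl2"
    touch "$tmp/sasl2/libplain.so"
    missing_sasl_mechs "$tmp/libvirt.conf" "$tmp/sasl2"
    rm -rf "$tmp"
}

demo   # prints: gssapi
```

Run the check on the connecting client as well as on the libvirtd host, since both ends need the plugin for the mechanism the server offers.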

