[arch-general] [Solved] SASL kerberos authentication problem
Hal Martin
hal.martin at gmail.com
Sat Oct 25 17:55:42 UTC 2014
I figured out my problem. The client connecting to libvirtd requires
cyrus-sasl-gssapi to be installed or it will fail with the "No worthy
mechs found" error.
I feel a bit silly right now...
-Hal
On Sat, Oct 25, 2014 at 7:15 PM, Hal Martin <hal.martin at gmail.com> wrote:
> Hi all,
>
> I'm trying to use SASL to authenticate against my KDC. I'd like to
> have libvirt users use their kerberos credentials to login, but right
> now it's not working. Kerberos authentication in general works. The
> computer has a keytab installed and I can successfully obtain a ticket
> through kinit, libvirt has a principle configured for the host.
>
> libvirt error:
> authentication failed: Failed to start SASL negotiation: -4 (SASL(-4):
> no mechanism available: No worthy mechs found)
>
> /etc/sasl2/libvirt.conf:
> mech_list: gssapi
> keytab: /etc/libvirt/krb5.tab
>
> /etc/conf.d/saslauthd:
> SASLAUTHD_OPTS="-a kerberos5 ldap pam"
>
> lsmod | grep gss:
> rpcsec_gss_krb5 30147 0
> auth_rpcgss 54612 1 rpcsec_gss_krb5
> oid_registry 12419 1 auth_rpcgss
> sunrpc 249148 6 nfs,rpcsec_gss_krb5,auth_rpcgss,lockd
>
> packages:
> extra/cyrus-sasl 2.1.26-7 [installed]
> extra/cyrus-sasl-gssapi 2.1.26-7 [installed]
> extra/cyrus-sasl-ldap 2.1.26-7 [installed]
>
> Following the instructions here I tried to use SASL to search LDAP:
> http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml
>
> I end up with the same error they got (they didn't have
> cyrus-sasl-gssapi installed, I do):
> ~$ ldapsearch -H ldap://freeipa -LLL -b 'dc=watchmysys,dc=com'
> '(givenname=hal)' cn
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> Any suggestions would be greatly appreciated.
>
> Thanks,
> Hal
More information about the arch-general
mailing list