Hello,
Does anyone have spice server for KVM Linux guests working with GSSAPI authentication? I've been trying for a while and I simply can't get it to work. I don't know what I'm doing wrong. I wouldn't be surprised if I've misunderstood something.
I followed this guide:
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles
Yes, the above is for VNC consoles. I just adapted that write up for spice. When I try to connect to a console from either virt-manager or with virt-viewer, I'm prompted to enter a password (though I shouldn't be). When I type in my freeipa domain password, it gets rejected.
libvirtd with Kerberos and GSSAPI is working perfectly. I can use virt-manager from my Fedora 26 desktop with the below URI:
qemu+tcp://ranbir@kvmhost01/system
virt-manager connects, I get a list of all the running KVMs and I can work with them like I would if I was running virt-manager over ssh with X forwarding. The only thing that doesn't work is viewing the consoles.
Details:
- my host is a fully updated CentOS 7 system
- libvirtd is set to listen for tcp connections
- I added the service spice/kvmhost01.theinside.rnr
- I created a keytab for the above and put it on kvmhost01 in /etc/qemu-kvm/krb5.tab
- the above file has owner:group set to qemu:root with perms 600
- I have the following in /etc/sasl2/qemu-kvm.conf

    mech_list: gssapi
    keytab: /etc/qemu-kvm/krb5.tab

- I have the following in /etc/libvirt/qemu.conf

    spice_listen = "0.0.0.0"
    spice_tls = 0
    spice_sasl = 1
    spice_sasl_dir = "/etc/sasl2/"

- the first time I try to view a console, I get the kerberos tickets I expect to:

    Ticket cache: KEYRING:persistent:625400004:krb_ccache_7rtJmh8
    Default principal: ranbir@THEINSIDE.RNR

    Valid starting       Expires              Service principal
    2017-12-29 18:37:45  2017-12-30 18:01:40  spice/kvmhost01.theinside.rnr@THEINSIDE.RNR
    2017-12-29 18:37:40  2017-12-30 18:01:40  libvirt/kvmhost01.theinside.rnr@THEINSIDE.RNR
    2017-12-29 18:01:40  2017-12-30 18:01:40  krbtgt/THEINSIDE.RNR@THEINSIDE.RNR

I'm surprised there isn't more info available about this online. That's why I'm now here asking for assistance.
Does anyone have any suggestions/advice?
Thanks in advance!
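
An added example, not part of the original thread and not libvirt or SPICE code: a small Python check of the settings listed in the message above (spice_sasl enabled, mech_list limited to gssapi, a keytab path set, keytab not accessible to group or other). The function names are hypothetical; the embedded config text is copied from the message so the check runs offline.

```python
import os
import stat

# Settings as listed in the first message (embedded so the check runs offline).
PAGE_QEMU_CONF = '''spice_listen = "0.0.0.0"
spice_tls = 0
spice_sasl = 1
spice_sasl_dir = "/etc/sasl2/"
'''
PAGE_SASL_CONF = '''mech_list: gssapi
keytab: /etc/qemu-kvm/krb5.tab
'''

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; skip blanks and # comments; drop quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, found, value = line.partition(sep)
        if found:
            settings[key.strip()] = value.strip().strip('"')
    return settings

def file_mode(path):
    """Permission bits of a file on disk, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def audit(qemu_conf, sasl_conf, keytab_mode):
    """Return a list of findings; an empty list matches the posted setup."""
    qemu, sasl = parse_kv(qemu_conf, "="), parse_kv(sasl_conf, ":")
    findings = []
    if qemu.get("spice_sasl") != "1":
        findings.append("spice_sasl is not 1 in qemu.conf")
    if sasl.get("mech_list", "").lower().split() != ["gssapi"]:
        findings.append("mech_list is not limited to gssapi")
    if not sasl.get("keytab"):
        findings.append("no keytab path in the SASL config")
    if keytab_mode & 0o077:
        findings.append("keytab is accessible to group or other")
    return findings

if __name__ == "__main__":
    # On a real host, pass file_mode("/etc/qemu-kvm/krb5.tab") instead of 0o600.
    print(audit(PAGE_QEMU_CONF, PAGE_SASL_CONF, 0o600))
```
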

On Fri, 2017-12-29 at 19:43 -0500, Ranbir wrote:
> Hello,
> Does anyone have spice server for KVM Linux guests working with GSSAPI authentication? I've been trying for a while and I simply can't get it to work. I don't know what I'm doing wrong. I wouldn't be surprised if I've misunderstood something.

Damn it, I "figured" it out. I fixed my issues by removing the video and graphics hardware from the KVMs and adding them back in with the exact same settings. I can now view the consoles!
I don't know what removing/adding those two bits of hardware did to fix the issue. I had even dumped the XML configs of the running KVMs before and after doing the hardware changes and upon review, they're exactly the same.
:: shrug ::
I just have to say FreeIPA + Kerberos + GSSAPI for libvirtd and spice server is fantastic.