[CentOS-virt] spice server and GSSAPI

Sat Dec 30 00:43:51 UTC 2017
Ranbir <m3freak at thesandhufamily.ca>

Hello,

Does anyone have spice server for KVM Linux guests working with GSSAPI
authentication? I've been trying for a while and I simply can't get it
to work. I don't know what I'm doing wrong. I wouldn't be surprised if
I've misunderstood something.

I followed this guide:

https://www.freeipa.org/page/Libvirt_with_VNC_Consoles

Yes, the above is for VNC consoles. I just adapted that write up for
spice. When I try to connect to a console from either virt-manager or
with virt-viewer, I'm prompted to enter a password (though I shouldn't
be). When I type in my freeipa domain password, it gets rejected. 

libvirtd with Kerberos and GSSAPI is working perfectly.  I can use
virt-manager from my Fedora 26 desktop with the below URI:

qemu+tcp://ranbir@kvmhost01/system

virt-manager connects, I get a list of all the running KVMs and I can
work with them like I would if I was running virt-manager over ssh with
X forwarding. The only thing that doesn't work is viewing the consoles.

Details:

- my host is a fully updated CentOS 7 system
- libvirtd is set to listen for tcp connections
- I added the service spice/kvmhost01.theinside.rnr
- I created a keytab for the above and put it on kvmhost01 in  
  /etc/qemu-kvm/krb5.tab
- the above file has owner:group set to qemu:root with perms 600
- I have the following in /etc/sasl2/qemu-kvm.conf

  mech_list: gssapi
  keytab: /etc/qemu-kvm/krb5.tab

- I have the following in /etc/libvirt/qemu.conf

  spice_listen = "0.0.0.0"
  spice_tls = 0
  spice_sasl = 1
  spice_sasl_dir = "/etc/sasl2/"

- the first time I try to view a console, I get the
  kerberos tickets I expect to:

  Ticket cache: KEYRING:persistent:625400004:krb_ccache_7rtJmh8
  Default principal: ranbir@THEINSIDE.RNR

  Valid starting       Expires              Service principal
  2017-12-29 18:37:45  2017-12-30 18:01:40  spice/kvmhost01.theinside.rnr@THEINSIDE.RNR
  2017-12-29 18:37:40  2017-12-30 18:01:40  libvirt/kvmhost01.theinside.rnr@THEINSIDE.RNR
  2017-12-29 18:01:40  2017-12-30 18:01:40  krbtgt/THEINSIDE.RNR@THEINSIDE.RNR

I'm surprised there isn't more info available about this online. That's
why I'm now here asking for assistance.

Does anyone have any suggestions/advice?

Thanks in advance!

-- 
Ranbir
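As an added example (not from the post, nor from the libvirt or CentOS projects), a POSIX shell check that reads the files the post lists and reports which of those pieces is missing or mis-permissioned. The root prefix, the saved "klist -k" listing file and the expected-owner argument are assumptions so the same functions can also run against a constructed sample tree; GNU stat (as on CentOS 7) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only check of the pieces
# the post lists for SPICE with SASL/GSSAPI. ROOT is an assumed path prefix so
# the functions can run against constructed sample files ("" = the live host);
# the keytab listing is read from a file (e.g. saved "klist -k" output).

conf_value() {   # $1=file $2=key ; prints the value with surrounding quotes removed
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | tr -d '"' | tail -n 1
}

# Returns 0 only if every setting the post relies on is present; prints each gap.
# $1=root prefix  $2=keytab listing file  $3=expected keytab owner (qemu on the host)
check_spice_sasl() {
    root=$1 listing=$2 owner=$3 rc=0
    qemu_conf="$root/etc/libvirt/qemu.conf"
    [ "$(conf_value "$qemu_conf" spice_sasl)" = 1 ] || { echo "spice_sasl is not 1"; rc=1; }
    sasl_dir=$(conf_value "$qemu_conf" spice_sasl_dir)
    sasl_conf="$root${sasl_dir%/}/qemu-kvm.conf"
    [ -f "$sasl_conf" ] || { echo "no qemu-kvm.conf under spice_sasl_dir=$sasl_dir"; return 1; }
    case " $(conf_value "$sasl_conf" mech_list) " in
        *" gssapi "*) ;;
        *) echo "mech_list does not include gssapi"; rc=1 ;;
    esac
    keytab="$root$(conf_value "$sasl_conf" keytab)"
    if [ -f "$keytab" ]; then
        [ "$(stat -c %a "$keytab")" = 600 ] || { echo "keytab mode is not 600"; rc=1; }
        [ "$(stat -c %U "$keytab")" = "$owner" ] || { echo "keytab not owned by $owner"; rc=1; }
    else
        echo "keytab $keytab missing"; rc=1
    fi
    # "klist -k" prints "KVNO Principal" rows; the spice/ service principal must be one of them
    grep -q '^ *[0-9][0-9]* *spice/' "$listing" || { echo "no spice/ principal in keytab"; rc=1; }
    return $rc
}

# Constructed sample tree mirroring the post's files, so the check can run offline.
make_sample() {   # $1=directory to populate
    mkdir -p "$1/etc/libvirt" "$1/etc/sasl2" "$1/etc/qemu-kvm"
    printf 'spice_listen = "0.0.0.0"\nspice_tls = 0\nspice_sasl = 1\nspice_sasl_dir = "/etc/sasl2/"\n' \
        > "$1/etc/libvirt/qemu.conf"
    printf 'mech_list: gssapi\nkeytab: /etc/qemu-kvm/krb5.tab\n' > "$1/etc/sasl2/qemu-kvm.conf"
    : > "$1/etc/qemu-kvm/krb5.tab" && chmod 600 "$1/etc/qemu-kvm/krb5.tab"
    printf 'KVNO Principal\n---- ----\n   2 spice/kvmhost01.theinside.rnr@THEINSIDE.RNR\n' > "$1/klist.out"
}
```

On the real host run it as `klist -k /etc/qemu-kvm/krb5.tab > /tmp/kt.txt; check_spice_sasl "" /tmp/kt.txt qemu`; a clean run means the host-side files match the post, which narrows the problem to the client side or to the SASL library's own logging.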