Bug 1018434
| Field | Value |
|---|---|
| Summary | qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory |
| Product | Red Hat Enterprise Linux 6 |
| Component | qemu-kvm |
| Version | 6.5 |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | medium |
| Reporter | Sibiao Luo <sluo> |
| Assignee | Laszlo Ersek <lersek> |
| QA Contact | Virtualization Bugs <virt-bugs> |
| CC | areis, bsarathy, chayang, dspurek, juzhang, lersek, michen, mkenneth, mschuppe, pbonzini, qzhang, rbalakri, rmainz, sauchter, shu, virt-maint, xfu |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | qemu-kvm-0.12.1.2-2.423.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2014-10-14 06:53:00 UTC |
| Type | Bug |
| Bug Blocks | 994246, 1056252, 1070830 |

Description
Sibiao Luo
2013-10-12 02:11:01 UTC
    # /usr/libexec/qemu-kvm &
    [1] 8558
    # VNC server running on `::1:5900'
    # /usr/libexec/qemu-kvm &
    [2] 8561
    # VNC server running on `::1:5901'
    # /usr/libexec/qemu-kvm &
    [3] 8564
    # VNC server running on `::1:5902'

    # tailf /var/log/messages
    Oct 12 09:54:27 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
    Oct 12 09:54:32 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
    Oct 12 09:54:33 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

This warning is issued by the cyrus-sasl library ("cyrus-sasl-lib" package). Function gssapiv2_server_plug_init(), file "plugins/gssapi.c" (ie. kerberos backend).

Qemu can use SASL for spice and vnc authentication, and is linked against cyrus-sasl (libsasl2.so). The "/etc/sasl2/qemu-kvm.conf" file is part of the qemu-kvm package, and it has an entry like this:

> # Some older builds of MIT kerberos on Linux ignore this option &
> # instead need KRB5_KTNAME env var.
> # For modern Linux, and other OS, this should be sufficient
> keytab: /etc/qemu/krb5.tab

The keytab file is to be configured by the user.

The interesting thing is of course that the cyrus-sasl library complains even if the user does *not* select SASL auth for either spice or vnc. The library still parses the "/etc/sasl2/qemu-kvm.conf" file during initialization, and tries to load the referenced "/etc/qemu/krb5.tab" file. Which then elicits the warning.

This issue has been seen in libvirtd as well, and worked around:

> 2012-10-21 Cole Robinson <crobinso>
>
> daemon: Avoid 'Could not find keytab file' in syslog
> On F17 at least, every time libvirtd starts we get this in syslog:
>
> libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab:
> No such file or directory
>
> This comes from cyrus-sasl, and happens regardless of whether the
> gssapi plugin is requested, which is what actually uses
> /etc/libvirt/krb5.tab.
>
> While cyrus-sasl shouldn't complain, we can easily make it shut up by
> commenting out the keytab value by default.

Note the following comment in the libsasl2 source ("plugins/gssapi.c"), near the warning:

    /* FIXME: This code is broken */

    utils->getopt(utils->getopt_context, "GSSAPI", "keytab", &keytab, &rl);
    if (keytab != NULL) {
        if (access(keytab, R_OK) != 0) {
            utils->log(NULL, SASL_LOG_ERR,
                       "Could not find keytab file: %s: %m",
                       keytab, errno);
            return SASL_FAIL;
        }

Since this problem can (and based on libvirt's example, does) affect several clients of the libsasl2 library, I'm moving this BZ to the libsasl2 library. If it would be too problematic to fix in libsasl2, we can move the BZ back, and work around the issue the same way as libvirtd has (ie. commenting out the keytab entry in "etc/sasl2/qemu-kvm.conf").

This seems to be duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1024488
I'll provide a test build soon.

(In reply to Petr Lautrbach from comment #11)
> This seems to be duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1024488
> I'll provide a test build soon.

I've taken it wrong, this comment is not valid, sorry.

Simple workaround is to un-install cyrus-sasl-gssapi package so that gssapi plugin won't do initialization.

I personally would prefer to not ship a configuration file pointing to non-existing file. It would mean to comment out the keytab line as mentioned in #c9.

Although I think that it's correct to log a message about wrong configuration or non-existing file, I'm still looking into it if it's reasonably possible for gssapi plugin to not check keytab file when its mechanism is not enabled.

(In reply to Petr Lautrbach from comment #13)
> Simple workaround is to un-install cyrus-sasl-gssapi package so that gssapi
> plugin won't do initialization.
>
> I personally would prefer to not ship a configuration file pointing to
> non-existing file. It would mean to comment out the keytab line as
> mentioned in #c9.
>
> Although I think that it's correct to log a message about wrong
> configuration or non-existing file, I'm still looking into it if it's
> reasonably possible for gssapi plugin to not check keytab file when its
> mechanism is not enabled.

Thanks! Let me know if/when your final verdict is that we should comment out the keytab line, and then I'll take the BZ back and do that.

Please comment out the line with keytab. Thanks.

Posted upstream patch: http://thread.gmane.org/gmane.comp.emulators.qemu/261914

commit dfb3804d478bce02350bdf87534dc7dd3d1ded51
Author: Laszlo Ersek <lersek>
Date:   Fri Mar 14 15:39:36 2014 +0100

    sasl: Avoid 'Could not find keytab file' in syslog

Also, we'll need a RHEL7 clone.

Fix included in qemu-kvm-0.12.1.2-2.423.el6

Verified on qemu-kvm-0.12.1.2-2.428.el6.x86_64: after qemu running, no dmesg output.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html
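
The following check is an added example, not part of the bug report or of the qemu-kvm or cyrus-sasl code: it lists active `keytab:` entries in SASL application configs whose target file is not readable, which is the condition that produces the syslog message discussed in this bug. The function name `find_stale_keytabs` and the sample files are constructed for illustration; on a real host the directory argument would be `/etc/sasl2`.

```shell
#!/bin/sh
# Added example: report uncommented "keytab:" entries in SASL application
# config files that point at a missing or unreadable file.

# find_stale_keytabs DIR
#   Prints "<config file>: <keytab path>" for every active keytab entry in
#   DIR/*.conf whose target cannot be read. Returns 1 if any were found,
#   0 otherwise. Commented-out entries ("#keytab: ...") are ignored.
find_stale_keytabs() {
    out=$(
        for conf in "$1"/*.conf; do
            [ -f "$conf" ] || continue
            # Extract the value of each active keytab line, trimming
            # trailing whitespace.
            sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$conf" |
            sed 's/[[:space:]]*$//' |
            while IFS= read -r kt; do
                [ -r "$kt" ] || printf '%s: %s\n' "$conf" "$kt"
            done
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: one config with an active entry for a keytab that
# does not exist, and one with the entry commented out (the workaround
# described in the bug).
sample=$(mktemp -d)
printf 'mech_list: digest-md5\nkeytab: %s/krb5.tab\n' "$sample" \
    > "$sample/qemu-kvm.conf"
printf 'mech_list: digest-md5\n#keytab: /etc/libvirt/krb5.tab\n' \
    > "$sample/libvirt.conf"

find_stale_keytabs "$sample" || echo "stale keytab entries found"
rm -rf "$sample"
```
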