Bug 1663395

Summary: when libvirtd use listen_tls and auth_tls="sasl", libvirtd report error: authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops
Product: Red Hat Enterprise Linux 7
Reporter: wangyuehui <345036846>
Component: libvirt
Assignee: Ján Tomko <jtomko>
Status: CLOSED NOTABUG
QA Contact: Lili Zhu <lizhu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.0
CC: 345036846, yalzhang
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-04-17 13:24:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description wangyuehui 2019-01-04 07:58:40 UTC
Description of problem:
When libvirtd uses listen_tls and auth_tls="sasl", and "saslpasswd2 -a libvirtd -f passwd.db admin" is used to add the user, and "virsh -c qemu+tls://ip/system" is used to connect to the remote KVM host, libvirtd reports the error: authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops)

Version-Release number of selected component (if applicable):
# libvirtd -V
libvirtd (libvirt) 4.5.0

How reproducible:


Steps to Reproduce:
1.
# grep ^[^#] libvirtd.conf
listen_tls = 1
listen_addr = "0.0.0.0"
auth_tls = "sasl"
2.
# grep ^[^#] /etc/sasl2/libvirt.conf
mech_list: scram-sha-1
sasldb_path: /etc/libvirt/passwd.db
3.
# grep ^[^#] /etc/sysconfig/libvirtd
LIBVIRTD_ARGS="--listen"
4.
# grep ^[^#] /etc/libvirt/qemu.conf
vnc_listen = "0.0.0.0"
5.
# saslpasswd2 -a libvirt admin
Password:
Again (for verification):
# sasldblistusers2 -f /etc/libvirt/passwd.db
admin@c2-app-kvm1: userPassword
root@c2-app-kvm1: userPassword
6.
# virsh -c qemu+tls://10.134.64.21/system
Please enter your authentication name: admin
Please enter your password:
error: failed to connect to the hypervisor
error: authentication failed: authentication failed

Actual results:
client:
error: failed to connect to the hypervisor
error: authentication failed: authentication failed
libvirtd server:
libvirtd[286000]: 2019-01-04 07:29:57.607+0000: 286004: error : virNetSASLSessionServerStart:544 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user ...d get auxprops)
libvirtd[286000]: 2019-01-04 07:29:57.607+0000: 286004: error : remoteDispatchAuthSaslStart:3596 : authentication failed: authentication failed

Expected results:
login successfully

Additional info:

Comment 2 wangyuehui 2019-01-04 08:10:11 UTC
libvirtd log:
libvirtd: 2019-01-04 07:26:51.224+0000: 286002: error : virNetSASLSessionServerStart:544 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops)
libvirtd: 2019-01-04 07:26:51.224+0000: 286002: error : remoteDispatchAuthSaslStart:3596 : authentication failed: authentication failed
libvirtd: 2019-01-04 07:26:51.225+0000: 286000: error : virNetSocketReadWire:1791 : Cannot recv data: Input/output error

If I comment out the auth_tls = "sasl" line in libvirtd.conf, then "virsh -c qemu+tls://ip/system" will log in successfully.
I am confused by the libvirtd error log "user not found" because I have already added this user, and I have no idea from googling it.
When I use libvirt 3.9.0 on another KVM host, it works for me.

Comment 3 Ján Tomko 2019-04-17 13:24:26 UTC
Does this also happen if you connect via a hostname matching the output of sasldblistusers2?
Alternatively, supply the full username (admin@c2-app-kvm1) to the "authentication name:" prompt.

Either way, this does not seem like a libvirt bug.

Comment 4 wangyuehui 2019-10-22 02:58:39 UTC
Two resolutions:
1.  When using sasldb to create the user, "-f /etc/libvirt/passwd.db" needs to be given; without the "-f" option, on some OS versions it is not stored in "/etc/libvirt/passwd.db".
2.  On some versions of libvirtd, use the full username and hostname, as admin@c2-app-kvm1, to log in to libvirtd.
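The lookup behind the "user not found" error in the reproduction steps and the two resolutions above, as an added illustration that is not part of the bug report or of libvirt or cyrus-sasl code. It models how a sasldb entry is matched: entries are stored as user@realm, a bare login name is canonified by appending the server's default realm (assumed here to be the host name, which is also what saslpasswd2 uses when no -u is given), and the sasldb consulted is the one named by sasldb_path, while saslpasswd2 without -f writes to the cyrus-sasl default (assumed /etc/sasldb2). The sasldblistusers2 output and libvirt.conf text are constructed from steps 5 and 2; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): model the sasldb lookup that fails
# with "user not found: unable to canonify user and get auxprops".
# cyrus-sasl stores sasldb entries as user@realm. A login sent without a realm
# is canonified by appending the server's default realm (assumed: the host
# name, which saslpasswd2 also uses when -u is absent) and looked up in the
# sasldb named by sasldb_path. The lookup misses when the entry lives under
# another realm or in a different sasldb file (step 5 runs saslpasswd2 -f).

# Constructed input: the sasldblistusers2 output quoted in step 5 of the report.
SAMPLE_LISTING='admin@c2-app-kvm1: userPassword
root@c2-app-kvm1: userPassword'

# Constructed input: /etc/sasl2/libvirt.conf as shown in step 2 of the report.
SAMPLE_CONF='mech_list: scram-sha-1
sasldb_path: /etc/libvirt/passwd.db'

# canonify_login LOGIN DEFAULT_REALM
# Print the user@realm form the server looks up: a login that already carries
# "@realm" is used unchanged, otherwise DEFAULT_REALM is appended.
canonify_login() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# sasldb_has_user LOGIN DEFAULT_REALM LISTING
# Exit 0 when the canonified login is an entry in LISTING (text in the format
# sasldblistusers2 prints), 1 otherwise. The match is a literal prefix test on
# "user@realm: ", so "admin" cannot match "admin2@...".
sasldb_has_user() {
    wanted=$(canonify_login "$1" "$2")
    printf '%s\n' "$3" | awk -v w="$wanted: " \
        'index($0, w) == 1 { found = 1 } END { exit !found }'
}

# configured_sasldb_path CONF_TEXT
# Print the sasldb_path value from libvirt's SASL config text; when unset,
# fall back to /etc/sasldb2 (assumed cyrus-sasl default), which is also where
# saslpasswd2 writes when run without -f.
configured_sasldb_path() {
    p=$(printf '%s\n' "$1" | awk -F: '$1 == "sasldb_path" { sub(/^[ \t]+/, "", $2); print $2 }')
    printf '%s\n' "${p:-/etc/sasldb2}"
}

# explain_login LOGIN DEFAULT_REALM LISTING
# Print what the server looks up and whether it is present; returns 0/1 like
# sasldb_has_user so callers can branch on it.
explain_login() {
    wanted=$(canonify_login "$1" "$2")
    if sasldb_has_user "$1" "$2" "$3"; then
        printf 'login %s -> %s: found\n' "$1" "$wanted"
        return 0
    fi
    printf 'login %s -> %s: not found (entries: %s)\n' "$1" "$wanted" \
        "$(printf '%s\n' "$3" | sed 's/:.*//' | tr '\n' ' ')"
    return 1
}

# Walk through the report: the bare login resolves only when the server's
# default realm equals the realm the entry was created under; the full
# user@realm always resolves (resolution 2); the file saslpasswd2 wrote must be
# the one sasldb_path names (resolution 1).
demo() {
    explain_login admin c2-app-kvm1 "$SAMPLE_LISTING" || :          # found
    explain_login admin other-host "$SAMPLE_LISTING" || :            # not found
    explain_login admin@c2-app-kvm1 other-host "$SAMPLE_LISTING" || :  # found
    printf 'libvirtd reads %s; saslpasswd2 without -f writes %s\n' \
        "$(configured_sasldb_path "$SAMPLE_CONF")" \
        "$(configured_sasldb_path 'mech_list: scram-sha-1')"
    return 0
}

demo
```

On a real host, replace SAMPLE_LISTING with the output of `sasldblistusers2 -f "$(configured_sasldb_path "$(cat /etc/sasl2/libvirt.conf)")"` and DEFAULT_REALM with `hostname`; if the listing is empty, the user was written to a different sasldb than the one libvirtd reads, and if the entry exists only under another realm, supplying the full user@realm at the prompt is the workaround the comments describe.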