Bug 745203

Summary: Warning about missing keytab causing confusion
Product: [Fedora] Fedora Reporter: Mark McLoughlin <markmc>
Component: libvirtAssignee: Peter Krempa <pkrempa>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: berrange, clalancette, crobinso, dallan, dougsland, itamar, jforbes, jyang, laine, libvirt-maint, plautrba, rvokal, tburke, tmraz, vanmeeuwen+fedora, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-14 21:45:00 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Mark McLoughlin 2011-10-11 12:08:10 EDT
libvirtd wasn't starting for me and I found this in the logs:

  libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory

after ages tracking down the *real* problem, I realized that the keytab message is a harmless warning

i.e. everything works fine without the keytab, because libvirt isn't even configured to use gssapi ... so we really don't need this unconditional warning
Comment 1 Dave Allan 2011-10-11 12:15:56 EDT
*** Bug 577964 has been marked as a duplicate of this bug. ***
Comment 2 Dave Allan 2011-10-11 12:18:17 EDT
What was the real problem?
Comment 3 Mark McLoughlin 2011-10-11 12:21:00 EDT
(In reply to comment #2)
> What was the real problem?

I had an out-of-date glibc

But that's besides the point - this bug is about the harmless condition being reported as an error in syslog and confusing the hell out of people :)
Comment 5 Fedora Admin XMLRPC Client 2012-01-09 21:15:40 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Petr Lautrbach 2012-06-20 09:46:44 EDT
libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it doesn't create this file before. cyrus-sasl just warns that this file doesn't exist.
Comment 7 Daniel Berrange 2012-06-20 10:11:06 EDT
We had never actually attempted to /use/ the Kerberos auth at this point though.

Cyrus-sasl should not spew warning messages to the logs until the point where this non-existant file is actually used, because it misleads the user into thinking there is a problem here.
Comment 8 Dave Allan 2012-06-20 11:13:28 EDT
(In reply to comment #6)
> libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via
> KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it
> doesn't create this file before. cyrus-sasl just warns that this file
> doesn't exist.

Would touching that file resolve the problem?
Comment 9 Petr Lautrbach 2012-06-20 12:02:44 EDT
I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

/etc/init.d/libvirtd contains these lines:
43 KRB5_KTNAME=/etc/libvirt/krb5.tab
...
62     KRB5_KTNAME=$KRB5_KTNAME daemon --pidfile $PIDFILE --check $SERVICE $PR    OCESS --daemon $LIBVIRTD_CONFIG_ARGS $LIBVIRTD_ARGS

Either check if $KRB5_KTNAME exists or touch $KRB5_KTNAME should work.
Comment 10 Daniel Berrange 2012-06-20 12:24:15 EDT
> I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

Hmm, perhaps this can be made NOTABUG/WORKSFORME then. IIUC, the original reporter was apparently seeing this even when 'mech_list=digest-md5'  ie no gssapi, which is what was confusing
Comment 11 Dave Allan 2012-06-20 12:59:25 EDT
I get it with the default F17 config which is mech_list: digest-md5

Could we just touch that file and silence the message?  Mark can't be the only one confused by it.
Comment 12 Daniel Berrange 2012-06-20 13:40:29 EDT
No, I don't think we should be touching files for this. If you haven't configured 'gssapi', then the code has no business complaining in the logs.
Comment 13 Dave Allan 2012-06-20 15:28:43 EDT
How do we make the warning go away then?  I hope I'm not putting words in Peter's mouth, but it sounds like he doesn't think it should be removed, and we're the ones taking the BZs.
Comment 14 Daniel Berrange 2012-06-21 04:57:02 EDT
This fundamentally isn't a libvirt problem - the same issue can occur with any app using cryus-sasl, so that's the only place where a fix makes sense. If cyrus-sasl doesn't want to fix it, then users will just have to live with the bogus warning message.
Comment 15 Dave Allan 2012-06-21 09:32:12 EDT
Peter (not Petr), I think we're speculating about when this message appears and where it should be fixed.  Dan says this must be fixed in cyrus-sasl; Petr appears to be saying it should be fixed in libvirt.  Absent better data about the exact behavior, I can take no position on which is correct.  Can you look into this and see if you can produce a minimal application that clarifies the behavior?  Thanks, Dave
Comment 16 Cole Robinson 2012-10-20 14:52:58 EDT
I've sent a patch to libvirt with an easy workaround:

https://www.redhat.com/archives/libvir-list/2012-October/msg01097.html
Comment 17 Fedora Update System 2012-10-27 18:15:11 EDT
libvirt-0.9.11.7-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/libvirt-0.9.11.7-1.fc17
Comment 18 Fedora Update System 2012-10-29 23:50:48 EDT
Package libvirt-0.9.11.7-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-0.9.11.7-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17206/libvirt-0.9.11.7-1.fc17
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2012-11-14 21:45:03 EST
libvirt-0.9.11.7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.