Bug 1018434 - qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Priority: medium
Severity: low
Assigned To: Laszlo Ersek
Blocks: 994246 1056252 1070830
Reported: 2013-10-11 22:11 EDT by Sibiao Luo
Modified: 2015-03-18 10:30 EDT (History)
Fixed In Version: qemu-kvm-0.12.1.2-2.423.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 02:53:00 EDT
Type: Bug
Description Sibiao Luo 2013-10-11 22:11:01 EDT
Description of problem:
When booting a guest with qemu-kvm, the message "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" is displayed in /var/log/messages.
BTW, a RHEL 7.0 host did not hit this issue.

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm-rhev
2.6.32-422.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.412.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Monitor /var/log/messages.
# tailf /var/log/messages
2. Start a qemu-kvm process.
e.g.: # /usr/libexec/qemu-kvm &

Actual results:
After step 2, the message "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" is displayed in /var/log/messages after you start a qemu-kvm process. If you start two qemu-kvm processes, two messages are output, and so on.

Expected results:
There should be no "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" message in /var/log/messages after you start a qemu-kvm process.

Additional info:
Comment 1 Sibiao Luo 2013-10-11 22:12:21 EDT
# /usr/libexec/qemu-kvm &
[1] 8558
# VNC server running on `::1:5900'

# /usr/libexec/qemu-kvm &
[2] 8561
# VNC server running on `::1:5901'

# /usr/libexec/qemu-kvm &
[3] 8564
# VNC server running on `::1:5902'

# tailf /var/log/messages
Oct 12 09:54:27 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Oct 12 09:54:32 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Oct 12 09:54:33 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Comment 3 RHEL Product and Program Management 2013-10-14 23:45:22 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 9 Laszlo Ersek 2014-03-03 10:47:07 EST
This warning is issued by the cyrus-sasl library ("cyrus-sasl-lib" package). Function gssapiv2_server_plug_init(), file "plugins/gssapi.c" (i.e. the Kerberos backend).

Qemu can use SASL for spice and vnc authentication, and is linked against cyrus-sasl (libsasl2.so).

The "/etc/sasl2/qemu-kvm.conf" file is part of the qemu-kvm package, and it has an entry like this:

> # Some older builds of MIT kerberos on Linux ignore this option &
> # instead need KRB5_KTNAME env var.
> # For modern Linux, and other OS, this should be sufficient
> keytab: /etc/qemu/krb5.tab

The keytab file is to be configured by the user.

The interesting thing is of course that the cyrus-sasl library complains even if the user does *not* select SASL auth for either spice or vnc. The library still parses the "/etc/sasl2/qemu-kvm.conf" file during initialization, and tries to load the referenced "/etc/qemu/krb5.tab" file. Which then elicits the warning.

This issue has been seen in libvirtd as well, and worked around:

> 2012-10-21  Cole Robinson  <crobinso@redhat.com>
> 
> daemon: Avoid 'Could not find keytab file' in syslog
> On F17 at least, every time libvirtd starts we get this in syslog:
> 
> libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab:
> No such file or directory
> 
> This comes from cyrus-sasl, and happens regardless of whether the
> gssapi plugin is requested, which is what actually uses
> /etc/libvirt/krb5.tab.
> 
> While cyrus-sasl shouldn't complain, we can easily make it shut up by
> commenting out the keytab value by default.

Note the following comment in the libsasl2 source ("plugins/gssapi.c"), near the warning:

    /* FIXME: This code is broken */
    
    utils->getopt(utils->getopt_context, "GSSAPI", "keytab", &keytab, &rl);
    if (keytab != NULL) {
        if (access(keytab, R_OK) != 0) {
            utils->log(NULL, SASL_LOG_ERR,
                       "Could not find keytab file: %s: %m",
                       keytab, errno);
            return SASL_FAIL;
        }

Since this problem can (and based on libvirt's example, does) affect several clients of the libsasl2 library, I'm moving this BZ to the libsasl2 library. If it would be too problematic to fix in libsasl2, we can move the BZ back, and work around the issue the same way as libvirtd has (i.e. commenting out the keytab entry in "/etc/sasl2/qemu-kvm.conf").
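
A check for the condition discussed in comment 9, as an added example that is not part of the original bug report or of the qemu, libvirt or cyrus-sasl code: it lists SASL application configs whose active "keytab:" entry names a file that cannot be read. The names `audit_sasl_keytabs` and `demo`, and the sample configs, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code). Assumption: configs use the
# "option: value" form quoted from /etc/sasl2/qemu-kvm.conf above.

# audit_sasl_keytabs [DIR]
# Prints "<conf>: <keytab>" for every uncommented keytab entry whose target
# is not readable by the current user. Returns 0 if none, 1 otherwise.
audit_sasl_keytabs() {
    dir=${1:-/etc/sasl2}
    found=$(
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            # Lines starting with '#' do not match, so a commented-out
            # keytab (the libvirt-style workaround) is ignored.
            sed -n 's/^[[:space:]]*keytab[[:space:]]*:[[:space:]]*//p' "$conf" |
            while read -r keytab; do
                [ -r "$keytab" ] || printf '%s: %s\n' "$conf" "$keytab"
            done
        done
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed demo: one config with an active keytab entry pointing at a
# missing file, one with the entry commented out.
demo() {
    tmp=$(mktemp -d)
    printf 'mech_list: digest-md5\nkeytab: %s/krb5.tab\n' "$tmp" > "$tmp/qemu-kvm.conf"
    printf 'mech_list: digest-md5\n#keytab: %s/krb5.tab\n' "$tmp" > "$tmp/libvirt.conf"
    audit_sasl_keytabs "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "dangling keytab entries found"
```

Run it as the account the service runs under, since readability depends on that user's permissions.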
Comment 11 Petr Lautrbach 2014-03-03 10:53:32 EST
This seems to be duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1024488 
I'll provide a test build soon.
Comment 12 Petr Lautrbach 2014-03-04 08:10:54 EST
(In reply to Petr Lautrbach from comment #11)
> This seems to be duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1024488 
> I'll provide a test build soon.

I've taken it wrong, this comment is not valid, sorry.
Comment 13 Petr Lautrbach 2014-03-05 06:50:28 EST
Simple workaround is to un-install cyrus-sasl-gssapi package so that gssapi plugin won't do initialization.

I personally would prefer to not ship a configuration file pointing to non-existing file.  It would mean to comment out the keytab line as mentioned in #c9. 

Although I think that it's correct to log a message about wrong configuration or a non-existing file, I'm still looking into whether it's reasonably possible for the gssapi plugin to not check the keytab file when its mechanism is not enabled.
Comment 14 Laszlo Ersek 2014-03-05 06:57:25 EST
(In reply to Petr Lautrbach from comment #13)
> Simple workaround is to un-install cyrus-sasl-gssapi package so that gssapi
> plugin won't do initialization.
> 
> I personally would prefer to not ship a configuration file pointing to
> non-existing file.  It would mean to comment out the keytab line as
> mentioned in #c9. 
> 
> Although I think that it's correct to log a message about wrong
> configuration or a non-existing file, I'm still looking into whether it's
> reasonably possible for the gssapi plugin to not check the keytab file when
> its mechanism is not enabled.

Thanks! Let me know if/when your final verdict is that we should comment out the keytab line, and then I'll take the BZ back and do that.
Comment 15 Petr Lautrbach 2014-03-13 10:48:07 EDT
Please comment out the line with keytab. Thanks.
Comment 16 Laszlo Ersek 2014-03-14 10:41:47 EDT
Posted upstream patch:
http://thread.gmane.org/gmane.comp.emulators.qemu/261914
Comment 17 Laszlo Ersek 2014-03-17 06:11:55 EDT
commit dfb3804d478bce02350bdf87534dc7dd3d1ded51
Author: Laszlo Ersek <lersek@redhat.com>
Date:   Fri Mar 14 15:39:36 2014 +0100

    sasl: Avoid 'Could not find keytab file' in syslog

Also, we'll need a RHEL7 clone.
Comment 21 Miroslav Rezanina 2014-03-27 05:49:59 EDT
Fix included in qemu-kvm-0.12.1.2-2.423.el6
Comment 23 Shaolong Hu 2014-07-04 04:46:38 EDT
Verified on qemu-kvm-0.12.1.2-2.428.el6.x86_64:

after qemu running, no dmesg output.
Comment 24 errata-xmlrpc 2014-10-14 02:53:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html
