Bug 1018434 - qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: rc
: ---
Assignee: Laszlo Ersek
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 994246 1056252 1070830
Reported: 2013-10-12 02:11 UTC by Sibiao Luo
Modified: 2019-04-16 14:05 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.423.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 06:53:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1490 0 normal SHIPPED_LIVE qemu-kvm bug fix and enhancement update 2014-10-14 01:28:27 UTC

Description Sibiao Luo 2013-10-12 02:11:01 UTC
Description of problem:
When booting a guest with qemu-kvm, the message "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" is displayed in /var/log/messages.
BTW, a RHEL 7.0 host did not hit this issue.

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm-rhev
2.6.32-422.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.412.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Monitor /var/log/messages.
# tailf /var/log/messages
2. Start a qemu-kvm process.
e.g.: # /usr/libexec/qemu-kvm &

Actual results:
After step 2, the message "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" is displayed in /var/log/messages after you start a qemu-kvm process. If you start two qemu-kvm processes, two messages are output, and so on.

Expected results:
There should be no "qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory" message in /var/log/messages after you start a qemu-kvm process.

Additional info:

Comment 1 Sibiao Luo 2013-10-12 02:12:21 UTC
# /usr/libexec/qemu-kvm &
[1] 8558
# VNC server running on `::1:5900'

# /usr/libexec/qemu-kvm &
[2] 8561
# VNC server running on `::1:5901'

# /usr/libexec/qemu-kvm &
[3] 8564
# VNC server running on `::1:5902'

# tailf /var/log/messages
Oct 12 09:54:27 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Oct 12 09:54:32 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory
Oct 12 09:54:33 dell-per820-02 qemu-kvm: Could not find keytab file: /etc/qemu/krb5.tab: No such file or directory

Comment 3 RHEL Program Management 2013-10-15 03:45:22 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 9 Laszlo Ersek 2014-03-03 15:47:07 UTC
This warning is issued by the cyrus-sasl library ("cyrus-sasl-lib" package). Function gssapiv2_server_plug_init(), file "plugins/gssapi.c" (i.e. the Kerberos backend).

Qemu can use SASL for spice and vnc authentication, and is linked against cyrus-sasl (libsasl2.so).

The "/etc/sasl2/qemu-kvm.conf" file is part of the qemu-kvm package, and it has an entry like this:

> # Some older builds of MIT kerberos on Linux ignore this option &
> # instead need KRB5_KTNAME env var.
> # For modern Linux, and other OS, this should be sufficient
> keytab: /etc/qemu/krb5.tab

The keytab file is to be configured by the user.

The interesting thing is of course that the cyrus-sasl library complains even if the user does *not* select SASL auth for either spice or vnc. The library still parses the "/etc/sasl2/qemu-kvm.conf" file during initialization, and tries to load the referenced "/etc/qemu/krb5.tab" file. Which then elicits the warning.

This issue has been seen in libvirtd as well, and worked around:

> 2012-10-21  Cole Robinson  <crobinso>
> 
> daemon: Avoid 'Could not find keytab file' in syslog
> On F17 at least, every time libvirtd starts we get this in syslog:
> 
> libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab:
> No such file or directory
> 
> This comes from cyrus-sasl, and happens regardless of whether the
> gssapi plugin is requested, which is what actually uses
> /etc/libvirt/krb5.tab.
> 
> While cyrus-sasl shouldn't complain, we can easily make it shut up by
> commenting out the keytab value by default.

Note the following comment in the libsasl2 source ("plugins/gssapi.c"), near the warning:

    /* FIXME: This code is broken */
    
    utils->getopt(utils->getopt_context, "GSSAPI", "keytab", &keytab, &rl);
    if (keytab != NULL) {
        if (access(keytab, R_OK) != 0) {
            utils->log(NULL, SASL_LOG_ERR,
                       "Could not find keytab file: %s: %m",
                       keytab, errno);
            return SASL_FAIL;
        }

Since this problem can (and based on libvirt's example, does) affect several clients of the libsasl2 library, I'm moving this BZ to the libsasl2 library. If it would be too problematic to fix in libsasl2, we can move the BZ back, and work around the issue the same way as libvirtd has (i.e. commenting out the keytab entry in "/etc/sasl2/qemu-kvm.conf").
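
One way to find the configs that will trigger this warning on a host, as an added example that is not part of the original bug comments. It assumes Cyrus SASL application configs are `*.conf` files in a single directory (such as /etc/sasl2) with `option: value` lines; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): report SASL application configs
# whose active "keytab:" entry names a file that is missing or unreadable.

# audit_sasl_keytabs DIR
# Prints "CONF<TAB>KEYTAB" for each uncommented keytab entry in DIR/*.conf
# that fails a readability test, mirroring the plugin's access(keytab, R_OK).
audit_sasl_keytabs() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        # Option lines look like "name: value"; lines starting with '#' are comments.
        sed -n 's/^[[:space:]]*keytab[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" |
        while IFS= read -r keytab; do
            [ -r "$keytab" ] || printf '%s\t%s\n' "$conf" "$keytab"
        done
    done
}

# make_sample_dir: build a constructed config directory and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/present.keytab"
    # Shipped default described in comment 9: active entry, file absent.
    printf '%s\n' 'mech_list: gssapi' "keytab: $d/krb5.tab" > "$d/qemu-kvm.conf"
    # The libvirtd-style workaround: keytab entry commented out.
    printf '%s\n' 'mech_list: digest-md5' "#keytab: $d/krb5.tab" > "$d/libvirt.conf"
    # A service whose keytab has actually been provisioned.
    printf '%s\n' "keytab: $d/present.keytab" > "$d/other.conf"
    printf '%s\n' "$d"
}

# With an argument, audit that directory (for example /etc/sasl2);
# with none, run against the constructed sample and clean up.
if [ "$#" -gt 0 ]; then
    audit_sasl_keytabs "$1"
else
    sample=$(make_sample_dir)
    audit_sasl_keytabs "$sample"
    rm -rf "$sample"
fi
```

Run as root, the readability test passes for any existing file, so only missing keytabs are reported; run it as the service account to also catch permission problems.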

Comment 11 Petr Lautrbach 2014-03-03 15:53:32 UTC
This seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1024488
I'll provide a test build soon.

Comment 12 Petr Lautrbach 2014-03-04 13:10:54 UTC
(In reply to Petr Lautrbach from comment #11)
> This seems to be a duplicate of
> https://bugzilla.redhat.com/show_bug.cgi?id=1024488
> I'll provide a test build soon.

I've taken it wrong, this comment is not valid, sorry.

Comment 13 Petr Lautrbach 2014-03-05 11:50:28 UTC
A simple workaround is to uninstall the cyrus-sasl-gssapi package so that the gssapi plugin won't do initialization.

I personally would prefer not to ship a configuration file pointing to a non-existing file. It would mean commenting out the keytab line as mentioned in #c9.

Although I think that it's correct to log a message about a wrong configuration or a non-existing file, I'm still looking into whether it's reasonably possible for the gssapi plugin to not check the keytab file when its mechanism is not enabled.

Comment 14 Laszlo Ersek 2014-03-05 11:57:25 UTC
(In reply to Petr Lautrbach from comment #13)
> A simple workaround is to uninstall the cyrus-sasl-gssapi package so that the
> gssapi plugin won't do initialization.
> 
> I personally would prefer not to ship a configuration file pointing to a
> non-existing file. It would mean commenting out the keytab line as
> mentioned in #c9.
> 
> Although I think that it's correct to log a message about a wrong
> configuration or a non-existing file, I'm still looking into whether it's
> reasonably possible for the gssapi plugin to not check the keytab file when
> its mechanism is not enabled.

Thanks! Let me know if/when your final verdict is that we should comment out the keytab line, and then I'll take the BZ back and do that.

Comment 15 Petr Lautrbach 2014-03-13 14:48:07 UTC
Please comment out the line with keytab. Thanks.

Comment 16 Laszlo Ersek 2014-03-14 14:41:47 UTC
Posted upstream patch:
http://thread.gmane.org/gmane.comp.emulators.qemu/261914

Comment 17 Laszlo Ersek 2014-03-17 10:11:55 UTC
commit dfb3804d478bce02350bdf87534dc7dd3d1ded51
Author: Laszlo Ersek <lersek>
Date:   Fri Mar 14 15:39:36 2014 +0100

    sasl: Avoid 'Could not find keytab file' in syslog

Also, we'll need a RHEL7 clone.

Comment 21 Miroslav Rezanina 2014-03-27 09:49:59 UTC
Fix included in qemu-kvm-0.12.1.2-2.423.el6

Comment 23 Shaolong Hu 2014-07-04 08:46:38 UTC
Verified on qemu-kvm-0.12.1.2-2.428.el6.x86_64:

After qemu is running, there is no dmesg output.

Comment 24 errata-xmlrpc 2014-10-14 06:53:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html

