When installing sssd from ovirt the libvirt configuration appears to be changed and users require authentication. When services using libvirt interact with it, the authentication request from libvirt isn't clear to the user that it is from libvirt. Also, the error message afterwards is not useful.
# virt-tar-out -a /tmp/myimage/myimage/myimage.qcow2 / -
Please enter your authentication name:
Please enter your password:
libvirt: XML-RPC error : authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.)
libguestfs: error: could not connect to libvirt (URI = NULL): authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.) [code=45 domain=7]
The libguestfs code actually provides its own auth callback for prompting the user for credentials, so if it wants to print some leading text like "Authentication required to connect to libvirt" then I think it ought to be able to do that.
The error message libvirt provides here is mostly inherited from the error message from SASL. I'm loath to remove this data from SASL since it is sometimes important to have.
Libvirt could however provide a specific error code VIR_ERR_AUTHENTICATION_FAILED to allow apps like libguestfs to identify authentication failures without having to do string matching, which would in turn let them display a friendlier error by default.
guestfish/virt-tar-out use the libvirt virConnectAuthPtrDefault
(default auth handler) function. See the function
guestfs___open_libvirt_connection here, else clause:
A simple change (to libvirt) would be for this handler to print
a message saying that authentication is required for libvirt,
since at the moment it's not clear who is asking for authentication
A VIR_ERR_AUTHENTICATION_FAILED error code would also be welcome.
It's going to be hard to modify virConnectAuthPtrDefault
because it is allocated statically and therefore it cannot
access the current connection handle (eg. to print out the
Therefore I propose a workaround in libguestfs instead:
However this is only compile tested. I can't test this with
current libvirt because it is broken (bug 1047861). Since
this is on a critical codepath I don't want to add this patch
without proper testing.
This is fixed/worked around in libguestfs 1.25.20. libguestfs
will now print:
libvirt needs authentication to connect to libvirt URI [uri here]
(see also: http://libvirt.org/auth.html http://libvirt.org/uri.html)
Enter username for [server]:
libguestfs-1.24.5-1.fc20 has been submitted as an update for Fedora 20.
libguestfs-1.24.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.