Bug 1044014 - When SSSD is installed, libvirt configuration requires authentication, but not clear to user
Summary: When SSSD is installed, libvirt configuration requires authentication, but no...
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs
TreeView+ depends on / blocked
Reported: 2013-12-17 15:38 UTC by james labocki
Modified: 2014-01-30 03:38 UTC (History)
10 users (show)

Fixed In Version: libguestfs-1.24.5-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-01-08 21:01:58 UTC
Type: Bug

Attachments (Terms of Use)

Description james labocki 2013-12-17 15:38:37 UTC
When installing sssd from ovirt the libvirt configuration appears to be changed and users require authentication. When services using libvirt interact with it, the authentication request from libvirt isn't clear to the user that it is from libvirt. Also, the error message afterwards is not useful.

# virt-tar-out -a /tmp/myimage/myimage/myimage.qcow2 / -
Please enter your authentication name: 
Please enter your password:

libvirt: XML-RPC error : authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.)
libguestfs: error: could not connect to libvirt (URI = NULL): authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.) [code=45 domain=7]

Comment 1 Daniel Berrangé 2013-12-17 15:50:13 UTC
The libguestfs code actually provides its own auth callback for prompting the user for credentials, so if it wants to print some leading text like "Authentication required to connect to libvirt" then I think it ought to be able todo that.

The error message libvirt provides here is mostly inherited from the error message from SASL. I'm loathe to remove this data from SASL since it is sometimes important to have.

Libvirt could however provide a specific error code VIR_ERR_AUTHENTICATION_FAILED to allow apps like libguestfs to identify authentication failures without having todo string matching, which would in turn let them display a friendlier error by default.

Comment 2 Richard W.M. Jones 2014-01-02 10:45:07 UTC
guestfish/virt-tar-out use the libvirt virConnectAuthPtrDefault
(default auth handler) function.  See the function
guestfs___open_libvirt_connection here, else clause:


A simple change (to libvirt) would be for this handler to print
a message saying that authentication is required for libvirt,
since at the moment it's not clear who is asking for authentication
for what.

A VIR_ERR_AUTHENTICATION_FAILED error code would also be welcome.

Comment 3 Richard W.M. Jones 2014-01-02 12:22:40 UTC
It's going to be hard to modify virConnectAuthPtrDefault
because it is allocated statically and therefore it cannot
access the current connection handle (eg. to print out the

Therefore I propose a workaround in libguestfs instead:


However this is only compile tested.  I can't test this with
current libvirt because it is broken (bug 1047861).  Since
this is on a critical codepath I don't want to add this patch
without proper testing.

Comment 4 Richard W.M. Jones 2014-01-08 21:01:58 UTC
This is fixed/worked around in libguestfs 1.25.20.  libguestfs
will now print:

libvirt needs authentication to connect to libvirt URI [uri here]
(see also: http://libvirt.org/auth.html http://libvirt.org/uri.html)
Enter username for [server]:

Comment 5 Fedora Update System 2014-01-21 08:44:28 UTC
libguestfs-1.24.5-1.fc20 has been submitted as an update for Fedora 20.

Comment 6 Fedora Update System 2014-01-30 03:38:42 UTC
libguestfs-1.24.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.