When installing sssd from ovirt the libvirt configuration appears to be changed and users require authentication. When services using libvirt interact with it, the authentication request from libvirt isn't clear to the user that it is from libvirt. Also, the error message afterwards is not useful.

    # virt-tar-out -a /tmp/myimage/myimage/myimage.qcow2 / -
    Please enter your authentication name:
    Please enter your password:
    libvirt: XML-RPC error : authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.)
    libguestfs: error: could not connect to libvirt (URI = NULL): authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.) [code=45 domain=7]
The libguestfs code actually provides its own auth callback for prompting the user for credentials, so if it wants to print some leading text like "Authentication required to connect to libvirt" then I think it ought to be able to do that. The error message libvirt provides here is mostly inherited from the error message from SASL. I'm loath to remove this data from SASL since it is sometimes important to have. Libvirt could however provide a specific error code VIR_ERR_AUTHENTICATION_FAILED to allow apps like libguestfs to identify authentication failures without having to do string matching, which would in turn let them display a friendlier error by default.
guestfish/virt-tar-out use the libvirt virConnectAuthPtrDefault (default auth handler) function. See the function guestfs___open_libvirt_connection here, else clause: https://github.com/libguestfs/libguestfs/blob/master/src/libvirt-auth.c#L162 A simple change (to libvirt) would be for this handler to print a message saying that authentication is required for libvirt, since at the moment it's not clear who is asking for authentication for what. A VIR_ERR_AUTHENTICATION_FAILED error code would also be welcome.
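For scripts that wrap virt-tar-out or guestfish, the numeric trailer in the error line quoted in this report can be used to recognise an authentication failure without matching on the SASL text. This is an added example, not code from libvirt or libguestfs; `classify` is a hypothetical helper, and the two constants are the values of VIR_ERR_AUTH_FAILED and VIR_FROM_RPC in libvirt's public error enums.

```python
import re

# Numeric values from libvirt's virErrorNumber and virErrorDomain enums.
VIR_ERR_AUTH_FAILED = 45
VIR_FROM_RPC = 7

# Trailer and URI as they appear in the libguestfs error line in this report.
TRAILER = re.compile(r"\[code=(\d+) domain=(\d+)\]\s*$")
URI = re.compile(r"\(URI = ([^)]*)\)")

# Sample stderr, taken from the output quoted in this report.
SAMPLE = """\
libvirt: XML-RPC error : authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.)
libguestfs: error: could not connect to libvirt (URI = NULL): authentication failed: Failed to step SASL negotiation: -1 (SASL(-1): generic failure: All-whitespace username.) [code=45 domain=7]
"""

def classify(stderr_text):
    """Return (kind, hint) for the last libguestfs error line (hypothetical helper)."""
    for line in reversed(stderr_text.splitlines()):
        if not line.startswith("libguestfs: error:"):
            continue
        m = TRAILER.search(line)
        if m is None:
            # No numeric trailer: pass the raw line through unchanged.
            return ("unknown", line)
        code, domain = int(m.group(1)), int(m.group(2))
        layer = "RPC layer" if domain == VIR_FROM_RPC else f"domain {domain}"
        if code == VIR_ERR_AUTH_FAILED:
            uri = URI.search(line)
            target = uri.group(1) if uri else "an unknown URI"
            if target == "NULL":
                target = "the default libvirt URI"
            return ("auth_failed",
                    f"libvirt authentication failed for {target} ({layer})")
        return ("libvirt_error", f"libvirt error code={code} ({layer})")
    return ("no_error", "")

if __name__ == "__main__":
    print(classify(SAMPLE))
```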
It's going to be hard to modify virConnectAuthPtrDefault because it is allocated statically and therefore it cannot access the current connection handle (e.g. to print out the URI). Therefore I propose a workaround in libguestfs instead: https://www.redhat.com/archives/libguestfs/2014-January/msg00003.html However this is only compile tested. I can't test this with current libvirt because it is broken (bug 1047861). Since this is on a critical codepath I don't want to add this patch without proper testing.
This is fixed/worked around in libguestfs 1.25.20. libguestfs will now print:

    libvirt needs authentication to connect to libvirt URI [uri here]
    (see also: http://libvirt.org/auth.html http://libvirt.org/uri.html)
    Enter username for [server]:
libguestfs-1.24.5-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libguestfs-1.24.5-1.fc20
libguestfs-1.24.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.