Bug 1463905 - Connection failed when setting the whitelist of allowed SASL usernames according to the documentation.
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Erik Skultety
QA Contact: Lili Zhu
Docs Contact:
Depends On:
Blocks:
Reported: 2017-06-22 01:31 EDT by Lili Zhu
Modified: 2017-08-24 07:29 EDT (History)
CC: 7 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Lili Zhu 2017-06-22 01:31:25 EDT
Description of problem:
Connection failed when setting the whitelist of allowed SASL usernames according to the documentation.

Version-Release number of selected component (if applicable):
libvirt-3.2.0-14.el7.x86_64

How reproducible:
100%

Steps to Reproduce:

1. Check the description of the whitelist of allowed SASL usernames:
# A whitelist of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# This list may contain wildcards such as
#
#    "*@EXAMPLE.COM"

2. According to the above description, set the allowed SASL usernames to "root/admin@ENGLAB.NAY.REDHAT.COM" or "*@ENGLAB.NAY.REDHAT.COM", for example:

# cat /etc/libvirt/libvirtd.conf
sasl_allowed_username_list = ["root/admin@ENGLAB.NAY.REDHAT.COM" ]

3. List the cached Kerberos tickets on the client:
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ENGLAB.NAY.REDHAT.COM

Valid starting       Expires              Service principal
06/22/2017 13:02:31  06/23/2017 13:02:31  krbtgt/ENGLAB.NAY.REDHAT.COM@ENGLAB.NAY.REDHAT.COM

4. Set the other values:
listen_tcp = 1
log_level = 1
log_outputs="1:file:/tmp/libvirtd.log"

5. Connect to the daemon from the client:
# virsh -c qemu+tcp://<hostname of libvirt daemon>/system
error: failed to connect to the hypervisor
error: authentication failed: authentication failed

Actual results:
1. With the allowed SASL usernames set to "root/admin@ENGLAB.NAY.REDHAT.COM" or "*@ENGLAB.NAY.REDHAT.COM", the connection fails in both cases.

2. # cat /tmp/libvirtd.log
2017-06-22 05:13:48.982+0000: 25385: debug : virNetSASLSessionGetIdentity:283 : SASL client username root/admin
2017-06-22 05:13:48.982+0000: 25385: error : virNetSASLContextCheckIdentity:155 : SASL client identity 'root/admin' not allowed in whitelist
2017-06-22 05:13:48.982+0000: 25385: error : virNetSASLContextCheckIdentity:159 : Client's username is not on the list of allowed clients
2017-06-22 05:13:48.982+0000: 25385: debug : virNetSASLSessionGetIdentity:283 : SASL client username root/admin
2017-06-22 05:13:48.982+0000: 25385: info : remoteDispatchAuthSaslStep:3658 : RPC_SERVER_CLIENT_AUTH_DENY: client=0x56501eed2c30 auth=1 identity=root/admin


Expected results:
connection succeeds.


Additional info:
When the allowed SASL usernames are set to "root/admin" in libvirtd.conf, the connection succeeds.
# cat /etc/libvirt/libvirtd.conf
sasl_allowed_username_list = ["root/admin" ]

# virsh -c qemu+tcp://<hostname of the libvirt daemon>/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #
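The log lines above show the authorization decision being made on the identity 'root/admin', with no realm, so any realm-qualified entry written in the documented username@REALM form cannot match it. The following script is an added diagnostic, not code from this report or from libvirt: it pulls the denied identity out of the quoted libvirtd.log lines, parses the sasl_allowed_username_list line from the two libvirtd.conf variants in the report, and evaluates each entry against that identity. It assumes the whitelist entries are globs matched with fnmatch semantics and no flags, which is what the "*@EXAMPLE.COM" wildcard example in the config comment implies; the log text and config lines are constructed from the report.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed input: the libvirtd.log lines quoted in the report above.
LIBVIRTD_LOG = """\
2017-06-22 05:13:48.982+0000: 25385: debug : virNetSASLSessionGetIdentity:283 : SASL client username root/admin
2017-06-22 05:13:48.982+0000: 25385: error : virNetSASLContextCheckIdentity:155 : SASL client identity 'root/admin' not allowed in whitelist
2017-06-22 05:13:48.982+0000: 25385: error : virNetSASLContextCheckIdentity:159 : Client's username is not on the list of allowed clients
2017-06-22 05:13:48.982+0000: 25385: info : remoteDispatchAuthSaslStep:3658 : RPC_SERVER_CLIENT_AUTH_DENY: client=0x56501eed2c30 auth=1 identity=root/admin
"""

# Constructed input: the failing and the working libvirtd.conf lines from the report.
CONF_FAILING = 'sasl_allowed_username_list = ["root/admin@ENGLAB.NAY.REDHAT.COM" ]'
CONF_WORKING = 'sasl_allowed_username_list = ["root/admin" ]'

DENY_RE = re.compile(r"RPC_SERVER_CLIENT_AUTH_DENY: client=\S+ auth=\d+ identity=(\S+)")
CONF_RE = re.compile(r'^\s*sasl_allowed_username_list\s*=\s*\[(.*)\]', re.MULTILINE)


def denied_identities(log_text: str) -> List[str]:
    """Identities libvirtd rejected, exactly as the daemon saw them."""
    found = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def parse_whitelist(conf_text: str) -> List[str]:
    """Quoted entries of sasl_allowed_username_list in libvirtd.conf text."""
    m = CONF_RE.search(conf_text)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def whitelist_allows(whitelist: List[str], identity: str) -> Optional[str]:
    """First whitelist entry matching identity, or None if the client is denied.

    Assumption (not established by the report): entries are globs matched with
    fnmatch semantics and no flags, so '*' also spans '/' and '@', and the
    comparison is case-sensitive.
    """
    for pattern in whitelist:
        if fnmatch.fnmatchcase(identity, pattern):
            return pattern
    return None


def diagnose(log_text: str, conf_text: str) -> Dict[str, Optional[str]]:
    """Map each denied identity to the whitelist entry that would have matched it."""
    whitelist = parse_whitelist(conf_text)
    return {ident: whitelist_allows(whitelist, ident) for ident in denied_identities(log_text)}


if __name__ == "__main__":
    for label, conf in (("failing", CONF_FAILING), ("working", CONF_WORKING)):
        for ident, hit in diagnose(LIBVIRTD_LOG, conf).items():
            verdict = f"matched {hit!r}" if hit else "DENIED (no entry matches)"
            print(f"{label} config: identity {ident!r} -> {verdict}")
    # The realm-qualified wildcard from the documentation cannot match either,
    # because the identity being checked carries no '@REALM' suffix at all.
    print(whitelist_allows(["*@ENGLAB.NAY.REDHAT.COM"], "root/admin"))
```

Run against the report's data this shows both realm-qualified forms denying and the bare "root/admin" entry matching, which is exactly the behaviour described under Additional info. Two practical points follow. The deny is fail-closed, so a whitelist written per the documentation locks everyone out rather than letting anyone in. The workaround entry "root/admin" matches only because it no longer names a realm; what strips the realm before libvirt sees the name is not visible in these log lines, so compare the identity= value in RPC_SERVER_CLIENT_AUTH_DENY lines against the principal klist reports before deciding that an unqualified entry is an acceptable substitute for a realm-qualified one.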
