Bug 745203 - Warning about missing keytab causing confusion
Warning about missing keytab causing confusion
Product: Fedora
Classification: Fedora
Component: libvirt (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Peter Krempa
Fedora Extras Quality Assurance
: 577964 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2011-10-11 12:08 EDT by Mark McLoughlin
Modified: 2012-11-14 21:45 EST (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-11-14 21:45:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mark McLoughlin 2011-10-11 12:08:10 EDT
libvirtd wasn't starting for me and I found this in the logs:

  libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory

after ages tracking down the *real* problem, I realized that the keytab message is a harmless warning

i.e. everything works fine without the keytab, because libvirt isn't even configured to use gssapi ... so we really don't need this unconditional warning
Comment 1 Dave Allan 2011-10-11 12:15:56 EDT
*** Bug 577964 has been marked as a duplicate of this bug. ***
Comment 2 Dave Allan 2011-10-11 12:18:17 EDT
What was the real problem?
Comment 3 Mark McLoughlin 2011-10-11 12:21:00 EDT
(In reply to comment #2)
> What was the real problem?

I had an out-of-date glibc

But that's besides the point - this bug is about the harmless condition being reported as an error in syslog and confusing the hell out of people :)
Comment 5 Fedora Admin XMLRPC Client 2012-01-09 21:15:40 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Petr Lautrbach 2012-06-20 09:46:44 EDT
libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it doesn't create this file before. cyrus-sasl just warns that this file doesn't exist.
Comment 7 Daniel Berrange 2012-06-20 10:11:06 EDT
We had never actually attempted to /use/ the Kerberos auth at this point though.

Cyrus-sasl should not spew warning messages to the logs until the point where this non-existant file is actually used, because it misleads the user into thinking there is a problem here.
Comment 8 Dave Allan 2012-06-20 11:13:28 EDT
(In reply to comment #6)
> libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via
> KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it
> doesn't create this file before. cyrus-sasl just warns that this file
> doesn't exist.

Would touching that file resolve the problem?
Comment 9 Petr Lautrbach 2012-06-20 12:02:44 EDT
I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

/etc/init.d/libvirtd contains these lines:
43 KRB5_KTNAME=/etc/libvirt/krb5.tab

Either check if $KRB5_KTNAME exists or touch $KRB5_KTNAME should work.
Comment 10 Daniel Berrange 2012-06-20 12:24:15 EDT
> I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

Hmm, perhaps this can be made NOTABUG/WORKSFORME then. IIUC, the original reporter was apparently seeing this even when 'mech_list=digest-md5'  ie no gssapi, which is what was confusing
Comment 11 Dave Allan 2012-06-20 12:59:25 EDT
I get it with the default F17 config which is mech_list: digest-md5

Could we just touch that file and silence the message?  Mark can't be the only one confused by it.
Comment 12 Daniel Berrange 2012-06-20 13:40:29 EDT
No, I don't think we should be touching files for this. If you haven't configured 'gssapi', then the code has no business complaining in the logs.
Comment 13 Dave Allan 2012-06-20 15:28:43 EDT
How do we make the warning go away then?  I hope I'm not putting words in Peter's mouth, but it sounds like he doesn't think it should be removed, and we're the ones taking the BZs.
Comment 14 Daniel Berrange 2012-06-21 04:57:02 EDT
This fundamentally isn't a libvirt problem - the same issue can occur with any app using cryus-sasl, so that's the only place where a fix makes sense. If cyrus-sasl doesn't want to fix it, then users will just have to live with the bogus warning message.
Comment 15 Dave Allan 2012-06-21 09:32:12 EDT
Peter (not Petr), I think we're speculating about when this message appears and where it should be fixed.  Dan says this must be fixed in cyrus-sasl; Petr appears to be saying it should be fixed in libvirt.  Absent better data about the exact behavior, I can take no position on which is correct.  Can you look into this and see if you can produce a minimal application that clarifies the behavior?  Thanks, Dave
Comment 16 Cole Robinson 2012-10-20 14:52:58 EDT
I've sent a patch to libvirt with an easy workaround:

Comment 17 Fedora Update System 2012-10-27 18:15:11 EDT
libvirt- has been submitted as an update for Fedora 17.
Comment 18 Fedora Update System 2012-10-29 23:50:48 EDT
Package libvirt-
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2012-11-14 21:45:03 EST
libvirt- has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.