Bug 745203 - Warning about missing keytab causing confusion
Summary: Warning about missing keytab causing confusion
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Krempa
QA Contact: Fedora Extras Quality Assurance
Duplicates: 577964
Depends On:
Reported: 2011-10-11 16:08 UTC by Mark McLoughlin
Modified: 2012-11-15 02:45 UTC
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-11-15 02:45:00 UTC
Type: ---

Description Mark McLoughlin 2011-10-11 16:08:10 UTC
libvirtd wasn't starting for me and I found this in the logs:

  libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory

after ages tracking down the *real* problem, I realized that the keytab message is a harmless warning

i.e. everything works fine without the keytab, because libvirt isn't even configured to use gssapi ... so we really don't need this unconditional warning

Comment 1 Dave Allan 2011-10-11 16:15:56 UTC
*** Bug 577964 has been marked as a duplicate of this bug. ***

Comment 2 Dave Allan 2011-10-11 16:18:17 UTC
What was the real problem?

Comment 3 Mark McLoughlin 2011-10-11 16:21:00 UTC
(In reply to comment #2)
> What was the real problem?

I had an out-of-date glibc

But that's beside the point - this bug is about the harmless condition being reported as an error in syslog and confusing the hell out of people :)

Comment 5 Fedora Admin XMLRPC Client 2012-01-10 02:15:40 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Petr Lautrbach 2012-06-20 13:46:44 UTC
libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it doesn't create this file before. cyrus-sasl just warns that this file doesn't exist.

Comment 7 Daniel Berrangé 2012-06-20 14:11:06 UTC
We had never actually attempted to /use/ the Kerberos auth at this point though.

Cyrus-sasl should not spew warning messages to the logs until the point where this non-existent file is actually used, because it misleads the user into thinking there is a problem here.

Comment 8 Dave Allan 2012-06-20 15:13:28 UTC
(In reply to comment #6)
> libvirt itself sets filename for keytab to /etc/libvirt/krb5.tab via
> KRB5_KTNAME variable in initscript/job  or /etc/libvirt/libvirt.conf but it
> doesn't create this file before. cyrus-sasl just warns that this file
> doesn't exist.

Would touching that file resolve the problem?

Comment 9 Petr Lautrbach 2012-06-20 16:02:44 UTC
I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

/etc/init.d/libvirtd contains these lines:
  KRB5_KTNAME=/etc/libvirt/krb5.tab

Either check if $KRB5_KTNAME exists or touch $KRB5_KTNAME should work.
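
An added example, not part of any comment in this bug and not libvirt or cyrus-sasl code: a triage helper that combines the two conditions discussed in this thread, whether `gssapi` appears in `mech_list` and whether the keytab exists, to decide if the warning matters. It goes one step beyond the thread by also treating an empty keytab (what `touch` would create) as missing, since an empty file holds no keys. The function names and result tokens are hypothetical, both paths are arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: triage the "Could not find keytab file" warning.
# Function names and result tokens are hypothetical; the config and
# keytab paths are arguments, and the sample files are constructed.

# Print the mechanisms on the mech_list line of a SASL config, lower-cased,
# one per line. Accepts "mech_list: a b" and "mech_list=a,b"; a commented-out
# line does not match because the pattern is anchored at line start.
sasl_mechs() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*[:=][[:space:]]*//p' "$1" |
        tr 'A-Z' 'a-z' | tr -s ' ,\t' '\n' | sed '/^$/d'
}

# Result: "noise" - gssapi not configured, so the keytab is never used
#         "real"  - gssapi configured, keytab missing, unreadable or empty
#         "ok"    - gssapi configured, keytab readable and non-empty
keytab_triage() {
    conf=$1
    keytab=$2
    if ! sasl_mechs "$conf" | grep -qx 'gssapi'; then
        echo noise
    elif [ -r "$keytab" ] && [ -s "$keytab" ]; then
        echo ok
    else
        echo real
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample configs in a scratch directory.
    printf 'mech_list: digest-md5\n' > "$d/digest.conf"
    printf '#mech_list: digest-md5\nmech_list: digest-md5 gssapi\n' > "$d/gssapi.conf"
    : > "$d/empty.tab"   # same result as touching the keytab path
    echo "digest-md5, no keytab:  $(keytab_triage "$d/digest.conf" "$d/krb5.tab")"
    echo "gssapi, no keytab:      $(keytab_triage "$d/gssapi.conf" "$d/krb5.tab")"
    echo "gssapi, touched keytab: $(keytab_triage "$d/gssapi.conf" "$d/empty.tab")"
    rm -rf "$d"
}
demo
```
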

Comment 10 Daniel Berrangé 2012-06-20 16:24:15 UTC
> I am able to generate this warning only with gssapi included in mech_list in libvirt.conf.

Hmm, perhaps this can be made NOTABUG/WORKSFORME then. IIUC, the original reporter was apparently seeing this even when 'mech_list=digest-md5', i.e. no gssapi, which is what was confusing

Comment 11 Dave Allan 2012-06-20 16:59:25 UTC
I get it with the default F17 config which is mech_list: digest-md5

Could we just touch that file and silence the message?  Mark can't be the only one confused by it.

Comment 12 Daniel Berrangé 2012-06-20 17:40:29 UTC
No, I don't think we should be touching files for this. If you haven't configured 'gssapi', then the code has no business complaining in the logs.

Comment 13 Dave Allan 2012-06-20 19:28:43 UTC
How do we make the warning go away then?  I hope I'm not putting words in Peter's mouth, but it sounds like he doesn't think it should be removed, and we're the ones taking the BZs.

Comment 14 Daniel Berrangé 2012-06-21 08:57:02 UTC
This fundamentally isn't a libvirt problem - the same issue can occur with any app using cyrus-sasl, so that's the only place where a fix makes sense. If cyrus-sasl doesn't want to fix it, then users will just have to live with the bogus warning message.

Comment 15 Dave Allan 2012-06-21 13:32:12 UTC
Peter (not Petr), I think we're speculating about when this message appears and where it should be fixed.  Dan says this must be fixed in cyrus-sasl; Petr appears to be saying it should be fixed in libvirt.  Absent better data about the exact behavior, I can take no position on which is correct.  Can you look into this and see if you can produce a minimal application that clarifies the behavior?  Thanks, Dave

Comment 16 Cole Robinson 2012-10-20 18:52:58 UTC
I've sent a patch to libvirt with an easy workaround:


Comment 17 Fedora Update System 2012-10-27 22:15:11 UTC
libvirt- has been submitted as an update for Fedora 17.

Comment 18 Fedora Update System 2012-10-30 03:50:48 UTC
Package libvirt-
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libvirt-'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2012-11-15 02:45:03 UTC
libvirt- has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
