Bug 756136
| Summary: | ovirtNode: sasl2/libvirt.conf - mech_list | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Douglas Schilling Landgraf <dougsland> |
| Component: | ovirt-node | Assignee: | Mike Burns <mburns> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acathrow, apevec, jboggs, mburns, ovirt-bugs, ovirt-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | 2.2.0 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-01-05 16:21:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 752464 | ||
Hello Mike,
Just a few more comments:
The SASL mechanism configured by default is DIGEST-MD5, which provides a basic username+password style authentication [1] (which vdsm uses). So if you prefer, we can even no set mech_list. However, we might want be compatible with RHEV-H image.
If this helps, from RHEV env:
# cat /etc/redhat-release
Red Hat Enterprise Virtualization Hypervisor release 6.2 (20111010.2.el6)
# cat /etc/sasl2/libvirt.conf | grep -v '^#\|^$'
mech_list: digest-md5
keytab: /etc/libvirt/krb5.tab
sasldb_path: /etc/libvirt/passwd.db
[1] http://libvirt.org/auth.html
Thanks!
Alan, Do you know why we're updating this to just gssapi? It's only done for fedora based nodes. Leftover from legacy ovirt-server: it used kerberized remote libvirt access. You can drop that now. Patch pushed to master |
Description of problem: Hello Mike, As we talked over irc today, it will required to verify why ovirt Node set mech_list only to gssapi. I have created this BZ to have we tracking it. from post scripts/ovirt-functions/recipe/ovirt16-post.ks: # with libvirt (0.4.0), make sure we we setup gssapi in the mech_list sasl_conf="/etc/sasl2/libvirt.conf" ret = os.system('grep -qE "^mech_list: gssapi %s' % sasl_conf) if ret > 0: os.system("sed -i -e 's/^\([[:space:]]*mech_list.*\)/#\1/' %s" % sasl_conf) os.system('echo "mech_list: gssapi" >> %s' % sasl_conf) =========================== However, if we do not enable into the mech_list digest-md5 too, vdsm throw the below exception during the **approval operational**: vdsm log: ============================================ MainThread::INFO::2011-11-22 05:16:06,790::vdsm::76::vds::(run) VDSM main thread ended. Waiting for 1 other threads... MainThread::INFO::2011-11-22 05:16:06,792::vdsm::79::vds::(run) <_MainThread(MainThread, started 140463204898560)> MainThread::INFO::2011-11-22 05:16:06,793::vdsm::79::vds::(run) <Thread(libvirtEventLoop, started daemon 140462990432000)> MainThread::INFO::2011-11-22 05:16:06,850::vdsm::71::vds::(run) I am the actual vdsm 4.9-0 MainThread::ERROR::2011-11-22 05:16:06,978::vdsm::74::vds::(run) Traceback (most recent call last): File "/usr/share/vdsm/vdsm", line 72, in run serve_clients(log) File "/usr/share/vdsm/vdsm", line 40, in serve_clients cif = clientIF.clientIF(log) File "/usr/share/vdsm/clientIF.py", line 113, in __init__ File "/usr/share/vdsm/libvirtconnection.py", line 111, in get File "/usr/lib64/python2.7/site-packages/libvirt.py", line 102, in openAuth libvirtError: authentication failed: authentication failed libvirtError: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) Currently, I am using: =========================== # vi /etc/sasl2/libvirt.conf mech_list: digest-md5 gssapi Thanks for all your help!