From b520cf07f03c2695198c95d96dc37ff72bab46ab Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sat, 20 Oct 2012 14:10:03 -0400 Subject: [PATCH] daemon: Avoid 'Could not find keytab file' in syslog On F17 at least, every time libvirtd starts we get this in syslog: libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory This comes from cyrus-sasl, and happens regardless of whether the gssapi plugin is requested, which is what actually uses /etc/libvirt/krb5.tab. While cyrus-sasl shouldn't complain, we can easily make it shut up by commenting out the keytab value by default. Also update the keytab comment to the more modern one from qemu's sasl config file. (cherry picked from commit fe772f24a6809b3d937ed6547cbaa9d820e514b6) --- daemon/libvirtd.sasl | 9 ++++++--- docs/auth.html.in | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/daemon/libvirtd.sasl b/daemon/libvirtd.sasl index e24a130853..bfa056fd49 100644 --- a/daemon/libvirtd.sasl +++ b/daemon/libvirtd.sasl @@ -18,9 +18,12 @@ mech_list: digest-md5 # qemu+tcp://hostname/system?auth=sasl.gssapi #mech_list: digest-md5 gssapi -# MIT kerberos ignores this option & needs KRB5_KTNAME env var. -# May be useful for other non-Linux OS though.... -keytab: /etc/libvirt/krb5.tab +# Some older builds of MIT kerberos on Linux ignore this option & +# instead need KRB5_KTNAME env var. +# For modern Linux, and other OS, this should be sufficient +# +# There is no default value here, uncomment if you need this +#keytab: /etc/libvirt/krb5.tab # If using digest-md5 for username/passwds, then this is the file # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' diff --git a/docs/auth.html.in b/docs/auth.html.in index ecff0fc462..830a2527ac 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -233,7 +233,8 @@ The SASL mechanism configured by default is DIGEST-MD5, which provides a basic username+password style authentication. To enable Kerberos single-sign-on instead, the libvirt SASL configuration file must be changed. This is /etc/sasl2/libvirt.conf. The mech_list parameter must first be changed to gssapi -instead of the default digest-md5. If SASL is enabled on the UNIX +instead of the default digest-md5, and keytab should be set to +/etc/libvirt/krb5.tab . If SASL is enabled on the UNIX and/or TLS sockets, Kerberos will also be used for them. Like DIGEST-MD5, the Kerberos mechanism provides data encryption of the session.