mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-08 22:39:56 +00:00
fe772f24a6
On F17 at least, every time libvirtd starts we get this in syslog: libvirtd: Could not find keytab file: /etc/libvirt/krb5.tab: No such file or directory This comes from cyrus-sasl, and happens regardless of whether the gssapi plugin is requested, which is what actually uses /etc/libvirt/krb5.tab. While cyrus-sasl shouldn't complain, we can easily make it shut up by commenting out the keytab value by default. Also update the keytab comment to the more modern one from qemu's sasl config file.
32 lines
1.2 KiB
Plaintext
32 lines
1.2 KiB
Plaintext
# If you want to use the non-TLS socket, then you *must* include
|
|
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
|
|
# ones that can offer session encryption as well as authentication.
|
|
#
|
|
# If you're only using TLS, then you can turn on any mechanisms
|
|
# you like for authentication, because TLS provides the encryption
|
|
#
|
|
# Default to a simple username+password mechanism
|
|
mech_list: digest-md5
|
|
|
|
# Before you can use GSSAPI, you need a service principle on the
|
|
# KDC server for libvirt, and that to be exported to the keytab
|
|
# file listed below
|
|
#mech_list: gssapi
|
|
#
|
|
# You can also list many mechanisms at once, then the user can choose
|
|
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
|
|
# qemu+tcp://hostname/system?auth=sasl.gssapi
|
|
#mech_list: digest-md5 gssapi
|
|
|
|
# Some older builds of MIT kerberos on Linux ignore this option &
|
|
# instead need KRB5_KTNAME env var.
|
|
# For modern Linux, and other OS, this should be sufficient
|
|
#
|
|
# There is no default value here, uncomment if you need this
|
|
#keytab: /etc/libvirt/krb5.tab
|
|
|
|
# If using digest-md5 for username/passwds, then this is the file
|
|
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
|
|
# to add entries, and 'sasldblistusers2 -a libvirt' to browse it
|
|
sasldb_path: /etc/libvirt/passwd.db
|