[Bug 92918] Use correct SASL service name

bugzilla-daemon at freedesktop.org
Wed Nov 18 03:07:29 PST 2015


https://bugs.freedesktop.org/show_bug.cgi?id=92918

--- Comment #8 from Marek Kasik <mkasik at redhat.com> ---
(In reply to Christophe Fergeau from comment #7)
> When QEMU is used, the server ends up using /etc/sasl2/qemu.conf because
> QEMU is calling
> spice_server_set_sasl_appname(spice_server, "qemu");
> which will cause spice-server to call
> sasl_server_init(NULL, "qemu");
> rather than the default
> sasl_server_init(NULL, "spice");
> 
> I'm not sure what SASL does with the service name passed to
> sasl_{server,client}_new() though. This one is always "spice" both
> server-side and client-side.
> 
> http://www.sendmail.org/~ca/email/cyrus2/programming.html#sasl_server_new
> indicates that « [The name of the service] is used by Kerberos mechanisms
> and possibly other mechanisms. It is also used for PAM authentication », but
> I don't know exactly how. If it uses this to locate configuration files,
> strace -e open should tell us.

Thank you for pointing me there. SASL creates the path to the configuration
file from the "appname" passed to it, which is "qemu" when running qemu (see
https://cgit.cyrus.foundation/cyrus-sasl/tree/lib/server.c#n653). Stracing qemu
shows that it really opened /etc/sasl2/qemu.conf instead of
/etc/sasl2/spice.conf, so it could not find the correct keytab file. Not
allowing the application to initialize the "appname" makes the authentication
work.
(I'm not sure why libvirt worked for me before - probably the same
keytab...)

So what is the right way to make this work?
Should we disable usage of the appname passed by
"spice_server_set_sasl_appname()" in spice server, or not set it in qemu?

-- 
You are receiving this mail because:
You are the assignee for the bug.
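
The strace check discussed in this comment, as an added example that is not part of the original message or of the SPICE, QEMU or Cyrus SASL code. It reads a saved strace log and reports which `sasl2/*.conf` files were opened; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: which SASL config file did the process actually load?
# Input: a saved log from `strace -f -e trace=open,openat <program>`.

# Print "ok <path>" or "fail <path>" for each open()/openat() of */sasl2/*.conf.
sasl_conf_opens() {
    sed -n -E 's#^.*open(at)?\((AT_FDCWD, )?"([^"]*/sasl2/[^"/]*\.conf)".*\) = (-?[0-9]+).*$#\4 \3#p' "$1" |
    while read -r ret path; do
        case "$ret" in
            -*) echo "fail $path" ;;   # negative return value: open failed
            *)  echo "ok $path" ;;     # file descriptor returned: file was read
        esac
    done
}

# Return 0 only if <appname>.conf was opened successfully.
# Otherwise report on stderr which config files were loaded instead.
check_sasl_appname() {
    want="$1"
    loaded=$(sasl_conf_opens "$2" | awk '$1 == "ok" { print $2 }' | sort -u)
    for path in $loaded; do
        [ "$(basename "$path" .conf)" = "$want" ] && return 0
    done
    echo "expected ${want}.conf, process loaded: ${loaded:-none}" >&2
    return 1
}

# Constructed sample log (not captured from a real host), modelled on the
# case in the comment: the server was initialised with appname "qemu".
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
[pid  4242] open("/usr/lib64/sasl2/qemu.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] open("/etc/sasl2/qemu.conf", O_RDONLY) = 14
[pid  4242] open("/etc/krb5.conf", O_RDONLY) = 15
EOF

sasl_conf_opens "$sample_log"
check_sasl_appname spice "$sample_log" || echo "spice.conf was never read"
```

A non-zero result for the expected appname means any mechanism settings placed in that file, such as the keytab location, were never read by the server.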