[Bug 92918] Use correct SASL service name
bugzilla-daemon at freedesktop.org
Wed Nov 18 04:27:22 PST 2015
https://bugs.freedesktop.org/show_bug.cgi?id=92918
--- Comment #11 from Christophe Fergeau <teuf at gnome.org> ---
Please bear with me if I'm slow/if I ask basic questions, but I'm very
unfamiliar with kerberos/freeipa/..., even "principal" does not mean a lot to
me /o\
(In reply to Marek Kasik from comment #10)
> It should be at least possible if we create the "/etc/sasl2/spice.conf"
> which can configure the keytab file.
Do we _have_ to use a spice.conf file? I think the use of qemu.conf is more or
less by design.
>
> Btw, I used FreeIPA's guide to create the keytab and the command
> "ipa-getkeytab" doesn't allow me to create a keytab with more than 1 principal
> (see
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Service_Principals-Creating_and_Using_Service_Principals.html).
Hmm I guess the crux of it is
« The following example demonstrates creating a service principal and keytab on
a client host for the HTTP service. »
« Similar locations can be specified for each service that needs to be made
Kerberos aware. [...] each service should have its keytab saved in a specific
location and the access privileges (and possibly SELinux rules) should be
configured so that only this service has access to the keytab. »
QEMU uses /etc/sasl2/qemu.conf for both the SPICE and VNC services, so a
different keytab file cannot be used for both SPICE and VNC, which is wrong
according to the instructions above?