[Bug 92918] Use correct SASL service name

bugzilla-daemon at freedesktop.org
Wed Nov 18 05:36:35 PST 2015


https://bugs.freedesktop.org/show_bug.cgi?id=92918

--- Comment #12 from Marek Kasik <mkasik at redhat.com> ---
(In reply to Christophe Fergeau from comment #11)
> Please bear with me if I'm slow/if I ask basic questions, but I'm very
> unfamiliar with kerberos/freeipa/..., even "principal" does not mean a lot
> to me /o\

Sure :)
FreeIPA is a very nice tool which, from my point of view, simplifies configuration of a
combination of LDAP and Kerberos servers (it does other things too, but I
don't use them now). So I can easily add users, hosts and services there.
Kerberos calls all of them principals, which is a little confusing (somebody correct
me if I'm wrong).
To get this working it was enough to run "ipa-server-install", add the user
"mkasik" with "ipa user-add", add the hostname for which I'll request tickets with
"ipa host-add", add the services for which I need tickets with "ipa service-add"
and finally export the keytab for the required services. (+ you really need well
resolved hostnames and correct permissions on the keytab files!)

> (In reply to Marek Kasik from comment #10)
> > It should be at least possible if we will create the "/etc/sasl2/spice.conf"
> > which can configure the keytab file.
> 
> Do we _have_ to use a spice.conf file? I think the use of qemu.conf is more
> or less by design.

I just tried to make the suggestion from comment #5 (and #3) work.


> > Btw, I used FreeIPA's guide to create the keytab and the command
> > "ipa-getkeytab" doesn't allow me to create keytab with more than 1 principal
> > (see
> > https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/
> > Configuring_Service_Principals-Creating_and_Using_Service_Principals.html).
> 
> Hmm I guess the crux of it is
> « The following example demonstrates creating a service principal and keytab
> on a client host for the HTTP service. »
> 
> « Similar locations can be specified for each service that needs to be made
> Kerberos aware. [...] each service should have its keytab saved in a
> specific location and the access privileges (and possibly SELinux rules)
> should be configured so that only this service has access to the keytab. »
> 
> QEMU uses /etc/sasl2/qemu.conf for both the SPICE and VNC services, so a
> different keytab file cannot be used for both SPICE and VNC, which is wrong
> according to the instructions above?

Looking at "https://libvirt.org/auth.html#ACL_server_config" and using kadmin,
it seems that it is possible to add more principals to one keytab file (and it
works).

So, I'm not sure right now whether to add the spice.conf or just use the qemu
configuration (the proposed patches).
