Any version of dev-libs/cyrus-sasl in the tree fails to use the proper keytab name as set in /etc/sasl2/service.conf, when cyrus-sasl is compiled with mit-krb5 support. I suspect this does not happen with heimdal but I have not tested it.

Reproducible: Always

Steps to Reproduce:
1. Install libvirt with sasl and kerberos enabled globally
2. Configure libvirt to use sasl for authentication. Set these in libvirtd.conf:
   auth_tcp = "sasl"
   listen_tls = 0
   listen_tcp = 1
3. Enable kerberos in /etc/sasl2/libvirt.conf:
   mech_list: gssapi
   keytab: /etc/libvirt/krb5.tab
4. Start libvirtd *manually* (the init script sets KRB5_KTNAME, which completely overrides the other setting in the sasl config file):
   sudo /usr/sbin/libvirtd --daemon
5. Of course, make sure you have a libvirt/$(hostname -f) keytab in /etc/libvirt/krb5.tab
6. Try to connect to the instance with "virsh -c qemu+tcp://$HOSTNAME/system list"
   virsh -c qemu+tcp://$HOSTNAME/system

Actual Results:
> virsh -c qemu+tcp://$HOSTNAME/system list
error: authentication failed
error: failed to connect to the hypervisor

Expected Results:
> virsh -c qemu+tcp://$HOSTNAME/system list
 Id Name State
----------------------------------

There is already a patch available that is applied in Fedora. I tried adding it to the dev-libs/cyrus-sasl-2.1.23-r1 ebuild and it works flawlessly.

I demonstrated one issue I had with libvirt but it has an easy workaround - setting the environment variable KRB5_KTNAME in the init script. However, when configuring sasl and kerberos for qemu, this becomes a real problem, since the environment variables passed to qemu are decided by the libvirt daemon.
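An added example, not part of the original report or of cyrus-sasl: a shell check for the situation described above, where the `keytab:` option in a SASL service config and the `KRB5_KTNAME` environment variable disagree. The function names `sasl_opt` and `keytab_audit`, the first-match option parsing, and the temporary sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit which keytab a
# GSSAPI-enabled SASL service config points at.

# sasl_opt FILE KEY: print the value of the first "KEY: value" line.
sasl_opt() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        { line = $0; sub(/^[ \t]+/, "", line)
          i = index(line, ":"); if (!i) next
          val = substr(line, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (substr(line, 1, i - 1) == k) { print val; exit } }' "$1"
}

# keytab_audit CONF: one finding per line; returns 1 on any WARN/FAIL.
keytab_audit() {
    _rc=0
    _mechs=$(sasl_opt "$1" mech_list | tr 'A-Z' 'a-z')
    case " $_mechs " in
        *" gssapi "*) ;;
        *) echo "INFO: gssapi not in mech_list; keytab not used"; return 0 ;;
    esac
    _kt=$(sasl_opt "$1" keytab)
    if [ -z "$_kt" ]; then
        echo "WARN: no keytab option; the Kerberos default keytab applies"; _rc=1
    elif [ ! -r "$_kt" ]; then
        echo "FAIL: keytab $_kt is missing or unreadable"; _rc=1
    elif [ -n "$(find "$_kt" -perm -004 2>/dev/null)" ]; then
        echo "WARN: keytab $_kt is world-readable"; _rc=1
    fi
    # Per the report, KRB5_KTNAME in the daemon environment overrides
    # the keytab option, so a mismatch is worth flagging.
    _env=${KRB5_KTNAME#FILE:}
    if [ -n "$_env" ] && [ -n "$_kt" ] && [ "$_env" != "$_kt" ]; then
        echo "WARN: KRB5_KTNAME=$KRB5_KTNAME overrides keytab: $_kt"; _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK: keytab $_kt"
    return "$_rc"
}

# Constructed sample: the report's libvirt.conf, with a temp keytab path.
tmp=$(mktemp -d); : > "$tmp/krb5.tab"; chmod 600 "$tmp/krb5.tab"
printf 'mech_list: gssapi\nkeytab: %s\n' "$tmp/krb5.tab" > "$tmp/libvirt.conf"
( KRB5_KTNAME=/etc/krb5.keytab; keytab_audit "$tmp/libvirt.conf" ) || true
rm -rf "$tmp"
```

Run `keytab_audit /etc/sasl2/libvirt.conf` from the same environment the daemon is started in, since the result depends on whether `KRB5_KTNAME` is set there.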
Created attachment 247177: cyrus-sasl-2.1.21-keytab.patch

The patch from Fedora. Original posted here: http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg115814.html
Created attachment 247178: cyrus-sasl-2.1.23-r1.ebuild.patch

A patch for the ebuild to apply the keytab patch.
+*cyrus-sasl-2.1.23-r4 (10 May 2011) + + 10 May 2011; Eray Aslan <eras@gentoo.org> + +files/cyrus-sasl-2.1.21-keytab.patch, +cyrus-sasl-2.1.23-r4.ebuild: + Add kerberos keytab support - bug 337163. Thanks to Georgi Georgiev. +
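Review bot: the summary line "Add kerberos keytab support" does not say what changes for users; naming the behaviour, for example that the keytab set in the SASL service config is now honoured, would make the entry easier to find for anyone hitting bug 337163. The patch file is named cyrus-sasl-2.1.21-keytab.patch but is added alongside cyrus-sasl-2.1.23-r4.ebuild, so a short remark that it applies unchanged to 2.1.23 would also help.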