retspen / webvirtcloud

WebVirtCloud is virtualization web interface for admins and users

Maybe the computer login name need more string #397

Open lushtech opened 3 years ago

lushtech commented 3 years ago

My computer software installed:

The issue description

Using the command below is normal: virsh list

sudo saslpasswd2 -a libvirt virtadmin

And I check the username virtadmin with sudo sasldblistusers2 -f /etc/libvirt/passwd.db. It is OK; the result is

virtadmin@dell-ubuntu-server1804: userPassword

But when I use the command below and put in the username and password: virsh -c qemu+tcp://localhost/system list, it shows an error:

error: failed to connect to the hypervisor
error: authentication failed: authentication failed

At the same time I check the libvirt.log, and it shows the error message:

2020-12-12 16:47:51.760+0000: 2715: error : virNetSASLSessionServerStep:594 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops)
2020-12-12 16:47:51.760+0000: 2715: error : remoteDispatchAuthSaslStep:3625 : authentication failed: authentication failed
2020-12-12 16:47:51.762+0000: 2706: error : virNetSocketReadWire:1811 : End of file while reading data: Input/output error

The issue located

It took me one day to find how to solve the problem:

In some versions of libvirtd or sasl, you must use the full username and hostname, as admin@hostname, to log in to libvirtd.

I tested the login like this: virsh -c qemu+tcp://localhost/system list. When asked for the username, I put in virtadmin@dell-ubuntu-server1804, not just virtadmin, and then the password, and the login was successful.

The issue for discussion

But now another problem is coming: the WebVirtCloud login name field is not long enough on the create computer webpage. So I cannot use virtadmin@dell-ubuntu-server1804 to fill the login field.
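A troubleshooting check for the situation described in this post, as an added example that is not part of the original issue or of WebVirtCloud: it reads `sasldblistusers2` output and libvirtd log lines and, when the log shows the `user not found` SASL failure for a login typed without a realm, lists the full `user@realm` names stored in the database. The sample inputs are constructed from the lines quoted above, and `suggest_logins` is a hypothetical helper name.

```python
import re

# Constructed samples, shaped like the command output and log lines quoted in the issue.
SASLDB_LISTING = "virtadmin@dell-ubuntu-server1804: userPassword\n"
LIBVIRT_LOG = """\
2020-12-12 16:47:51.760+0000: 2715: error : virNetSASLSessionServerStep:594 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops)
2020-12-12 16:47:51.760+0000: 2715: error : remoteDispatchAuthSaslStep:3625 : authentication failed: authentication failed
2020-12-12 16:47:51.762+0000: 2706: error : virNetSocketReadWire:1811 : End of file while reading data: Input/output error
"""

LOG_LINE = re.compile(r"^(\S+ \S+?): \d+: error : (\w+):\d+ : (.*)$")
SASL_DETAIL = re.compile(r"SASL\((-?\d+)\): ([^:)]+)")
SASLDB_ENTRY = re.compile(r"^([^@\s]+)@([^:\s]+): \S+$")

def parse_sasldb(listing):
    """Return (user, realm) pairs from `sasldblistusers2` lines of the form user@realm: property."""
    pairs = []
    for line in listing.splitlines():
        m = SASLDB_ENTRY.match(line.strip())
        if m and m.groups() not in pairs:
            pairs.append(m.groups())
    return pairs

def sasl_failures(log):
    """Return (timestamp, function, code, reason) for log errors that carry a SASL(...) detail."""
    found = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        detail = SASL_DETAIL.search(m.group(3)) if m else None
        if detail:
            found.append((m.group(1), m.group(2), int(detail.group(1)), detail.group(2).strip()))
    return found

def suggest_logins(typed, listing, log):
    """Hypothetical helper: full user@realm names to retry with after a 'user not found' failure."""
    if "@" in typed:
        return []  # a realm was already supplied; nothing to add
    if not any(reason == "user not found" for *_, reason in sasl_failures(log)):
        return []  # the log does not show the failure this check is about
    return [f"{user}@{realm}" for user, realm in parse_sasldb(listing) if user == typed]

if __name__ == "__main__":
    print(suggest_logins("virtadmin", SASLDB_LISTING, LIBVIRT_LOG))
```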

catborise commented 3 years ago

Did you change the digest mechanism? Look at that question: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1835427

Change the mechanism to digest-md5; probably the problem will be solved.

lushtech commented 3 years ago

> Did you change the digest mechanism? Look at that question: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1835427
>
> Change the mechanism to digest-md5; probably the problem will be solved.

Yes, I had changed the mechanism to digest-md5, but the problem still appears. But I have another computer, installed with ubuntu-18.04.5-live-server-amd64.iso, that does not have this problem. The problem computer was installed with Ubuntu-18.04-server-arm64.iso, because I used this Ubuntu version to make a software RAID1 for my hard disk when installing the OS. Maybe the difference between the non-live and live Ubuntu versions causes the problem. And someone discussed the same issue in Bug 1663395 - when libvirtd use listen_tls and auth_tls="sasl", libvirtd report error: authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops.

You inspired me. I looked at the code of digestmd5.c in cyrus-sasl, because libvirt.org says: "Libvirt integrates with the cyrus-sasl library to provide a pluggable authentication system using the SASL protocol." And I found some scripts in digestmd5.c:

The default value is client_ignores_realm = 0

 int            client_ignores_realm = 0;

and a function checks the parameters

/* Sanity check the parameters */
    if (text->nonce) {
    /* CLAIM: realm is not NULL below */
    if (text->realm == NULL) {
        sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
                "The client specifies a realm when the server hasn't provided one. Using client's realm.");
        _plug_strdup(sparams->utils, realm, &text->realm, NULL);
    } else if ((strcmp(realm, text->realm) != 0) &&
           /* XXX - Not sure why the check for text->realm not being empty is needed,
              as it should always be non-empty */
           (text->realm[0] != 0)) {

        client_ignores_realm = 1;
        sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
                "The client tries to override server provided realm");
        if (text->realm) sparams->utils->free(text->realm);
        _plug_strdup(sparams->utils, realm, &text->realm, NULL);
    }

    if (strcmp((char *) nonce, (char *) text->nonce) != 0) {
        SETERROR(sparams->utils,
             "nonce changed: authentication aborted");
        result = SASL_BADAUTH;
        goto FreeAllMem;
    }

and another function does the real thing, but I cannot find why, when I do not use a realm in the virsh command, it runs into the "unable to canonify user and get auxprops" error here.

 if (client_ignores_realm) {
    if (strlen(text->realm) == 0) {
        /* Don't put @ at the end of the username, if the realm is empty */
        _plug_strdup(sparams->utils, username, &full_username, NULL);
    } else {
        full_username = (char *) sparams->utils->malloc(strlen(username) +
                    strlen(text->realm) + 2);
        full_username[0] = '\0';
        sprintf (full_username, "%s@%s", username, text->realm);
    }
    internal_username = full_username;
    } else {
    internal_username = username;
    }

    canon_flags = SASL_CU_AUTHID;
    if (!authorization_id || !*authorization_id) {
    canon_flags |= SASL_CU_AUTHZID;
    }

    result = sparams->canon_user(sparams->utils->conn,
                 internal_username,
                 0,
                 canon_flags,
                 oparams);
    if (result != SASL_OK) {
    SETERROR(sparams->utils, "unable to canonify user and get auxprops");
    goto FreeAllMem;
    }

    if (authorization_id != NULL && *authorization_id != '\0') {
    result = sparams->canon_user(sparams->utils->conn,
                     authorization_id, 0, SASL_CU_AUTHZID,
                     oparams);
    }

Maybe someone familiar with cyrus-sasl can find the reason.