The standard etc_t selinux type appeared to work fine.The keytabs are 600 root:root for libvirt and 600 qemu:root for qemu.
On CentOS 7, the VNC keytab should be located in /etc/qemu-kvm instead of /etc/qemu.Ipa-getkeytab -s -p vnc/ -k /etc/qemu/krb5.tab Ipa-getkeytab -s -p libvirt/ -k /etc/libvirt/krb5.tab On (or any system with ipa-admintools installed or the GUI): In order to allow for all this to work keytabs need to be arranged for libvirt and VNC. The prerequisites to work through this guide are a working IPA topology and a working libvirt/kvm server (which only needs to allow root to manage the guests) that has been joined to the IPA domain.įor the purposes of this document the IPA server will be in the realm EXAMPLE.COM, the virtualization server will be and the guest will be .Ĭreating the services and obtaining the keytabs Leveraging the SASL mechanisms in libvirt allows GSSAPI for an authentication mechanism (X509 certificates are also possible but since 'user certificates' are not yet in IPA and I've not tested that in this workplace I'll leave that out of scope of this document). The 'default' behaviour of KVM with libvirt is to use a UNIX socket rather than network and to only allow root read/write access to the system session with others only having user-session access read/write and the system session being read only - with this controlled via PolicyKit. 4 Configuring qemu to allow SASL authentication for VNC.3 Configuring libvirt to use kerberos via SASL.2 Creating the services and obtaining the keytabs.
0 kommentar(er)
