[GH-ISSUE #397] Maybe the computer login name need more string #248

Open
opened 2026-02-27 15:57:57 +03:00 by kerem · 2 comments

Originally created by @lushtech on GitHub (Dec 12, 2020).
Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/397

My computer software installed:

  • Ubuntu 18.04 LTS

  • qemu-img version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.34)

  • libvirt version: 4.0.0, package: 1ubuntu8.17 (Marc Deslauriers marc.deslauriers@ubuntu.com Wed, 06 May 2020 14:18:23 -0400)

The issue description
And using the commands below is normal:
virsh list

sudo saslpasswd2 -a libvirt virtadmin

And I checked the username virtadmin,
sudo sasldblistusers2 -f /etc/libvirt/passwd.db
It is OK, the result is

virtadmin@dell-ubuntu-server1804: userPassword

But when I use the command below and put in the username and password:
virsh -c qemu+tcp://localhost/system list
It shows an error:

error: failed to connect to the hypervisor
error: authentication failed: authentication failed

At the same time I checked libvirt.log; it shows these error messages:
2020-12-12 16:47:51.760+0000: 2715: error : virNetSASLSessionServerStep:594 : authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops)
2020-12-12 16:47:51.760+0000: 2715: error : remoteDispatchAuthSaslStep:3625 : authentication failed: authentication failed
2020-12-12 16:47:51.762+0000: 2706: error : virNetSocketReadWire:1811 : End of file while reading data: Input/output error

The issue located
It took me one whole day to find how to solve the problem:

In some versions of libvirtd or SASL, you must use the full username and hostname, as admin@hostname, to log in to libvirtd.

I tested the login like this:
virsh -c qemu+tcp://localhost/system list
When asked to put in the username, I put in virtadmin@dell-ubuntu-server1804, not just virtadmin, and then the password, and the login was successful.

The issue for discuss
But now another problem has come up: the webvirtcloud login name field is not long enough on the create computer webpage. So I cannot use virtadmin@dell-ubuntu-server1804 to fill the login field.


@catborise commented on GitHub (Dec 12, 2020):

Did you change the digest mechanism?
Look at that question:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1835427

Change the mechanism to digest-md5; the problem will probably be solved.


@lushtech commented on GitHub (Dec 13, 2020):

> Did you change the digest mechanism?
> Look at that question:
> https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1835427
>
> Change the mechanism to digest-md5; the problem will probably be solved.

Yes, I had changed the mechanism to digest-md5, but the problem still appears.
But I have another computer installed with ubuntu-18.04.5-live-server-amd64.iso, and it does not have this problem.
The problem computer was installed with Ubuntu-18.04-server-arm64.iso, because I used this Ubuntu version to make a software RAID1 for my hard disk when installing the OS.
Maybe the difference between the non-live and live Ubuntu versions causes the problem. And someone discussed the same issue in Bug 1663395 - when libvirtd use listen_tls and auth_tls="sasl", libvirtd report error: authentication failed: Failed to start SASL negotiation: -20 (SASL(-13): user not found: unable to canonify user and get auxprops (https://bugzilla.redhat.com/show_bug.cgi?id=1663395).

You inspired me. I looked at the code digestmd5.c (https://github.com/cyrusimap/cyrus-sasl/blob/9d1bd21a1621823b7e482ea2a35957c0df525913/plugins/digestmd5.c) in cyrus-sasl, because libvirt.org said (https://libvirt.org/auth.html#ACL_server_username): Libvirt integrates with the cyrus-sasl library to provide a pluggable authentication system using the SASL protocol. And I found some scripts in digestmd5.c:

The default value client_ignores_realm = 0

 int            client_ignores_realm = 0;

and a function checks the parameters

/* Sanity check the parameters */
    if (text->nonce) {
	/* CLAIM: realm is not NULL below */
	if (text->realm == NULL) {
	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
				"The client specifies a realm when the server hasn't provided one. Using client's realm.");
	    _plug_strdup(sparams->utils, realm, &text->realm, NULL);
	} else if ((strcmp(realm, text->realm) != 0) &&
		   /* XXX - Not sure why the check for text->realm not being empty is needed,
		      as it should always be non-empty */
		   (text->realm[0] != 0)) {

	    client_ignores_realm = 1;
	    sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG,
				"The client tries to override server provided realm");
	    if (text->realm) sparams->utils->free(text->realm);
	    _plug_strdup(sparams->utils, realm, &text->realm, NULL);
	}

	if (strcmp((char *) nonce, (char *) text->nonce) != 0) {
	    SETERROR(sparams->utils,
		     "nonce changed: authentication aborted");
	    result = SASL_BADAUTH;
	    goto FreeAllMem;
	}

and another function does the real thing, but I cannot find why, when I use no realm in the virsh command, it runs into
"unable to canonify user and get auxprops" here.

 if (client_ignores_realm) {
	if (strlen(text->realm) == 0) {
	    /* Don't put @ at the end of the username, if the realm is empty */
	    _plug_strdup(sparams->utils, username, &full_username, NULL);
	} else {
	    full_username = (char *) sparams->utils->malloc(strlen(username) +
					strlen(text->realm) + 2);
	    full_username[0] = '\0';
	    sprintf (full_username, "%s@%s", username, text->realm);
	}
	internal_username = full_username;
    } else {
	internal_username = username;
    }

    canon_flags = SASL_CU_AUTHID;
    if (!authorization_id || !*authorization_id) {
	canon_flags |= SASL_CU_AUTHZID;
    }

    result = sparams->canon_user(sparams->utils->conn,
				 internal_username,
				 0,
				 canon_flags,
				 oparams);
    if (result != SASL_OK) {
	SETERROR(sparams->utils, "unable to canonify user and get auxprops");
	goto FreeAllMem;
    }
    
    if (authorization_id != NULL && *authorization_id != '\0') {
	result = sparams->canon_user(sparams->utils->conn,
				     authorization_id, 0, SASL_CU_AUTHZID,
				     oparams);
    }

Maybe someone familiar with the cyrus-sasl can find the reason.
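
Added example, not part of the original comment and not cyrus-sasl code: a stand-alone C model of the two quoted excerpts that traces, for each combination of client and server realm, the client_ignores_realm flag and the name that would be handed to canon_user. The function name model_internal_username and its parameters are hypothetical, the inputs are constructed from the names shown in the issue, and a bounded snprintf stands in for the original malloc plus sprintf.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the quoted branches (hypothetical helper, not cyrus-sasl API).
 * server_realm may be NULL (server offered none); client_realm must not be NULL.
 * Writes the name that would be handed to canon_user into out.
 * Returns the modelled client_ignores_realm flag (0 or 1), or -1 if out is too small. */
int model_internal_username(const char *username, const char *client_realm,
                            const char *server_realm, char *out, size_t outlen)
{
    int client_ignores_realm = 0;
    const char *realm = server_realm;
    int n;

    if (server_realm == NULL) {
        realm = client_realm;              /* "Using client's realm." */
    } else if (strcmp(client_realm, server_realm) != 0 && server_realm[0] != '\0') {
        client_ignores_realm = 1;          /* client overrides the server realm */
        realm = client_realm;
    }

    if (client_ignores_realm && realm[0] != '\0')
        n = snprintf(out, outlen, "%s@%s", username, realm);
    else
        n = snprintf(out, outlen, "%s", username);   /* bare name, no trailing '@' */

    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return client_ignores_realm;
}

int main(void)
{
    /* Constructed inputs; the user and host names are the ones shown in the issue. */
    const char *srv = "dell-ubuntu-server1804";
    const char *client_realms[] = { "dell-ubuntu-server1804", "", "other-realm" };
    char name[128];

    for (size_t i = 0; i < 3; i++) {
        int flag = model_internal_username("virtadmin", client_realms[i], srv,
                                           name, sizeof name);
        printf("client realm \"%s\": flag=%d name=%s\n", client_realms[i], flag, name);
    }
    return 0;
}
```

In this model the name only gains an @realm suffix when the client sends a non-empty realm that differs from the server's; in every other case the bare username is what reaches canon_user.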
