audisp-remote with krb5

Ray Shaw ray.v.shaw at gmail.com
Wed Apr 17 13:01:56 UTC 2019 

I've been struggling to set up audisp-remote with krb5 enabled, and also
struggling to find much information/guidance regarding it.

I'm trying to get this working on RHEL7 due to organizational
requirements.  Based on the man pages, I created a key file on the server:

addprinc -randkey auditd/server.example.com
ktadd -k /home/me/audit.key auditd/server.example.com

then placed this (root:root 0400) in /etc/audit and set the following:

enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/audit/audit.key

For the client:

addprinc -randkey auditd/client.example.com
ktadd -k /home/me/audisp-remote.key auditd/client.example.com

then placed this (root:root 0400) in /etc/audisp and set the following:

enable_krb5 = yes
krb5_principal = auditd/server.example.com
krb5_client_name = auditd
krb5_key_file = /etc/audisp/audisp-remote.key

I'm getting this message over and over again on the client:

Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
Success
Apr 17 08:21:07 client audisp-remote: kerberos principal: auditd/
client.example.com at REALM.COM
Apr 17 08:21:07 client audisp-remote: GSS error: initializing context:
Invalid token was supplied

and this on the server:

Apr 17 08:56:53 server auditd[134051]: GSS-API error: event length excedes
MAX_AUDIT_LENGTH
Apr 17 08:56:53 server auditd[134051]: TCP session from ::ffff:<client
IP>:44354 will be closed, error ignored

(sorry about having to mask the actual hostnames/IPs/etc.)

Any idea what I'm doing wrong?  Based on what I've found online, it seems
most people don't use krb5, but unfortunately I'm now required to try.
We've been using audisp for years, and it works fine with krb5 disabled.
I'm...pretty sure my Kerberos realm is fine, since that's what we use for
authentication (gdm, SSH, etc.)  Though it is not the RHEL-provided
Kerberos.

Any assistance would be greatly appreciated.

--Ray
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20190417/60e0205f/attachment.htm>

More information about the Linux-audit mailing list