From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ken Bass Subject: Re: krb5 issues Date: Tue, 24 May 2016 10:07:57 -0400 Message-ID: <5744603D.9020504@kenbass.com> References: <57432011.1060201@kenbass.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx09.extmail.prod.ext.phx2.redhat.com [10.5.110.38]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u4OE8UiS014757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 24 May 2016 10:08:30 -0400 Received: from mail.kenbass.com (kenbass.com [216.127.139.130]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0B963D3C14 for ; Tue, 24 May 2016 14:08:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.kenbass.com (Postfix) with ESMTP id 0F1F52AA for ; Tue, 24 May 2016 10:08:28 -0400 (EDT) Received: from mail.kenbass.com ([127.0.0.1]) by localhost (mail.kenbass.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP id E8dr6AaKOwQO for ; Tue, 24 May 2016 10:07:57 -0400 (EDT) In-Reply-To: <57432011.1060201@kenbass.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On 05/23/2016 11:21 AM, Ken Bass wrote: > I enabled krb5 in my audisp-remote and audispd-remote reports "GSS-API > error sending token length" and fails to log remotely. > > If I reboot the destination auditd server AFTER the clients are > running it appears to work. But if I reboot any clients machine, > logging from that rebooted machine fails. > I created my service principals using freeipa - all systems are clean > installs of Centos 7.2. > > For now, I disabled krb5, but that is not a good solution. After disabling krb5 and rebooting the client servers several times I am seeing similar problems. I am seeing a dozen or so log file entries of Too many connections from 10.10.10.10:39107 - rejected I only have 2 clients and all I am doing is rebooting them. I tried increasing the tcp_listen_queue to 20 (from the default of 5) which made no difference. I seem to have traced it to needing to specify the tcp_client_ports to 60 rather than using whatever the default was. What would have been blocking this? And why only when the clients are rebooted second does it fail? After changing this the Kerberos works, so I think the 'error sending token length' is basically the same message but in a different code path to indicate the connection is rejected / cannot write to the TCP socket. Was the commented out ##tcp_client_ports parameter supposed to be changed by the end user? Was the defaults supposed to work? On a related note, using krb5 causes a problem with selinux. Unless I disable it (or figure out a rule) auditd fails to start because it is denied permission to create /var/tmp/auditd_0 kerberos replay cache file. Is there a rule or procedure to properly fix that?