Hello,

I'm trying to set up a Kerberos-encrypted remote audit log using auditd and audisp-remote. The problem seems to be that audisp-remote assumes a Kerberos principal of the form "auditd/hostname@REALM" instead of "auditd/fqdn@REALM". The man page states under "krb5_client_name" that "[...] the remainder of the principal will consist of the host's fully qualified domain name and the default kerberos realm, like this: auditd/[email protected] [...]".

Is there any way to make audisp-remote use the FQDN form, because our FreeIPA is set up to do so and I'm not sure if that can be changed at all?

The errors I'm getting on the listening daemon are:

"auditd[16836]: TCP session from [IP:PORT] will be closed, error ignored"

On the audisp-remote end:

"audisp-remote[34614]: krb5 error: Keytab contains no suitable keys for [auditd/hostname@REALM] in krb5_get_init_creds_keytab"

and

"audispd[34520]: plugin /sbin/audisp-remote terminated unexpectedly".

The auditd and audisp-remote version is 2.4.5.

It seems to me that FreeIPA has struggled with this before at some point: https://www.redhat.com/archives/freeipa-users/2014-August/msg00079.html

Any input would be much appreciated.

Regards,
Jan Horstmann

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
