Bug 1730382 - transport=KRB5 does not work
Summary: transport=KRB5 does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: audit
Version: ---
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: 8.1
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-16 14:54 UTC by Ondrej Moriš
Modified: 2019-11-05 22:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.Audit `transport=KRB5` now works properly Prior to this update, Audit KRB5 transport mode did not work correctly. Consequently, Audit remote logging using the Kerberos peer authentication did not work. With this update, the problem has been fixed, and Audit remote logging now works properly in the described scenario.
Clone Of:
Environment:
Last Closed: 2019-11-05 22:28:56 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3622 None None None 2019-11-05 22:29:09 UTC

Description Ondrej Moriš 2019-07-16 14:54:17 UTC
This bug was created for RHEL-8.1 Beta documentation purposes only. 

Description of problem:

On RHEL-8.1 Beta, KRB5 transport mode, ie. audit-remote logging using KRB5, is not working properly. Connection between server and client is not established and audit events are not sent from client to server.

Version-Release number of selected component (if applicable):

audit-3.0-0.11.20190507gitf58ec40.el8

How reproducible:

100%

Steps to Reproduce:

1. Setup audit remote logging using KRB5 transport mode
2. Log from client.

Actual results:

Connection between server and client is not established. Client's audit events are not propagated to server.

Expected results:

Connection works, authentication is done using KRB5. Client's audit events are propagated to server.

Additional info:

 * There is no workaround. 
 * This bug was created for RHEL-8.1 Beta documentation purposes only. 
 * Described issue is already fixed in audit-3.0-0.12.20190507gitf58ec40.el8.

This bug should be left in NEW state and I will close it as CLOSED CURRENTRELEASE later.

Comment 1 Steve Grubb 2019-08-09 12:58:28 UTC
The code was already fixed. Adding this to the errata.

Comment 3 Ondrej Moriš 2019-08-12 11:24:25 UTC
(In reply to Ondrej Moriš from comment #0)
> This bug was created for RHEL-8.1 Beta documentation purposes only. 
>
> ...
>
> Additional info:
> 
>  * This bug was created for RHEL-8.1 Beta documentation purposes only. 
>  * Described issue is already fixed in audit-3.0-0.12.20190507gitf58ec40.el8.
> 
> This bug should be left in NEW state and I will close it as CLOSED
> CURRENTRELEASE later.

In the end we decided to add this bug to RHEL-8.1.0 errata for audit. Issue was fixed via rebase bug.

This bug is successfully verified on all supported architectures, see TC#553604 in TR#364923 for more detail. Please notice that there is a bug in selinux policy [1] causing AVC issues on remote logging server (workaround is to use permissive mode). 

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1740146

Comment 6 errata-xmlrpc 2019-11-05 22:28:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3622


Note You need to log in before you can comment on or make changes to this bug.