Sophos blocks freeipa (no LDAP/Kerberos auth)

Hi,

We have rolled out Sophos on a lot of machines recently and had to stop the Sophos services on our Kerberos/LDAP machine, because talpa-deny interfered with slapd/sssd and then Kerberos/LDAP authentication of all other servers failed overnight, causing some severe trouble.

So I guess there should be some exclusions made for Sophos to get this working.

Machine is CentOS 7 (CentOS Linux release 7.8.2003 (Core))

Kernel: 3.10.0-1127.13.1.el7.x86_64

Sophos should be installed as Sophos Cloud Controlled.

Installation works fine, but it doesn't take long to get errors like these:

[Mo Jun 29 12:56:34 2020] talpa-deny: Timeout occurred while opening /var/lib/dirsrv/slapd-SPRING-DE/db/log.0000000694 on behalf of process ns-slapd[2738/5153] owned by 995(995)/991(991) <62>
[Mo Jun 29 12:57:21 2020] talpa-deny: Timeout occurred while closing /var/lib/rsyslog/imjournal.state on behalf of process in:imjournal[1147/1169] owned by 0(0)/0(0) <62>
[Mo Jun 29 12:57:53 2020] talpa-deny: Timeout occurred while closing /run/lock/dirsrv/slapd-SPRING-DE/lock on behalf of process ns-slapd[2738/5972] owned by 995(995)/991(991) <62>
[Mo Jun 29 14:46:34 2020] talpa-deny: Timeout occurred while opening /var/lib/sss/mc/initgroups on behalf of process httpd[20419/20419] owned by 0(0)/48(48) <62>
[Mo Jun 29 14:46:55 2020] talpa-deny: Timeout occurred while opening /var/lib/sss/mc/initgroups on behalf of process httpd[20419/20419] owned by 0(0)/48(48) <62>

After that, Kerberos/LDAP doesn't work anymore, and when Kerberos tickets expire, the automatic refresh from our servers no longer works.

Kerberos backend used is freeipa:

ipa-client.x86_64 4.6.6-11.el7.centos @base

ipa-server.x86_64 4.6.6-11.el7.centos @base

Does anybody have a similar setup and know what to exclude so that freeipa and Sophos can work together?

Thx
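The usual first step toward answering the question above is to inventory exactly which paths and processes the on-access scanner is timing out on, rather than excluding whole trees by guesswork. The script below is an added example, not code from the original post or from Sophos: it parses the talpa-deny lines quoted in the post (copied verbatim as sample input), groups the denied paths by process, and lists the distinct parent directories as candidates to review. It does not know or assume Sophos's own exclusion syntax; the `candidate_exclusion_dirs` and `denied_paths_by_process` names and the `TalpaDeny` record are this example's own, and the parent-directory heuristic is an assumption a practitioner should check against the product documentation before configuring anything.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Sample input: the five kernel ring-buffer lines quoted in the post above.
SAMPLE_LOG = """\
[Mo Jun 29 12:56:34 2020] talpa-deny: Timeout occurred while opening /var/lib/dirsrv/slapd-SPRING-DE/db/log.0000000694 on behalf of process ns-slapd[2738/5153] owned by 995(995)/991(991) <62>
[Mo Jun 29 12:57:21 2020] talpa-deny: Timeout occurred while closing /var/lib/rsyslog/imjournal.state on behalf of process in:imjournal[1147/1169] owned by 0(0)/0(0) <62>
[Mo Jun 29 12:57:53 2020] talpa-deny: Timeout occurred while closing /run/lock/dirsrv/slapd-SPRING-DE/lock on behalf of process ns-slapd[2738/5972] owned by 995(995)/991(991) <62>
[Mo Jun 29 14:46:34 2020] talpa-deny: Timeout occurred while opening /var/lib/sss/mc/initgroups on behalf of process httpd[20419/20419] owned by 0(0)/48(48) <62>
[Mo Jun 29 14:46:55 2020] talpa-deny: Timeout occurred while opening /var/lib/sss/mc/initgroups on behalf of process httpd[20419/20419] owned by 0(0)/48(48) <62>
"""

# Field layout inferred from the lines above (an assumption, not a documented format):
# [timestamp] talpa-deny: Timeout occurred while <op> <path> on behalf of process
#   <name>[<pid>/<tid>] owned by <uid>(<euid>)/<gid>(<egid>) <code>
TALPA_DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] talpa-deny: Timeout occurred while (?P<op>\w+) "
    r"(?P<path>\S+) on behalf of process (?P<proc>.+?)\[(?P<pid>\d+)/(?P<tid>\d+)\] "
    r"owned by (?P<uid>\d+)\((?P<euid>\d+)\)/(?P<gid>\d+)\((?P<egid>\d+)\) <(?P<code>\d+)>$"
)


@dataclass(frozen=True)
class TalpaDeny:
    """One talpa-deny timeout event (this example's own record type)."""
    timestamp: str
    operation: str   # "opening" or "closing" in the sample
    path: str
    process: str     # process name, e.g. "ns-slapd" or "in:imjournal"
    pid: int
    tid: int
    uid: int
    gid: int
    code: int        # the trailing <62> value; meaning not given in the post


def parse_talpa_deny(line: str) -> Optional[TalpaDeny]:
    """Parse a single line; return None for lines that are not talpa-deny timeouts."""
    m = TALPA_DENY_RE.match(line.strip())
    if not m:
        return None
    return TalpaDeny(
        timestamp=m["ts"],
        operation=m["op"],
        path=m["path"],
        process=m["proc"],
        pid=int(m["pid"]),
        tid=int(m["tid"]),
        uid=int(m["uid"]),
        gid=int(m["gid"]),
        code=int(m["code"]),
    )


def parse_log(text: str) -> list[TalpaDeny]:
    """Parse every matching line of a dmesg/journal dump, skipping unrelated lines."""
    events = (parse_talpa_deny(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def denied_paths_by_process(events: list[TalpaDeny]) -> dict[str, list[str]]:
    """Map each process name to the sorted, de-duplicated paths it was denied on."""
    by_proc: dict[str, set[str]] = defaultdict(set)
    for e in events:
        by_proc[e.process].add(e.path)
    return {proc: sorted(paths) for proc, paths in sorted(by_proc.items())}


def candidate_exclusion_dirs(events: list[TalpaDeny]) -> list[str]:
    """Distinct parent directories of denied paths, as a review list.

    Heuristic assumption: the services in the post keep their runtime state in a
    few well-defined directories, so the parent directory is the natural unit to
    review. Each entry still needs a human decision; excluding a directory from
    on-access scanning removes coverage for everything written there.
    """
    return sorted({str(PurePosixPath(e.path).parent) for e in events})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} talpa-deny timeout events")
    for proc, paths in denied_paths_by_process(evts).items():
        print(f"  {proc}:")
        for p in paths:
            print(f"    {p}")
    print("directories to review for exclusion:")
    for d in candidate_exclusion_dirs(evts):
        print(f"  {d}")
```

Run it against a full `dmesg` or journal dump from the affected host instead of the embedded sample; the per-process grouping is what separates the directory-server and sssd state files (which the authentication path depends on) from incidental hits such as the rsyslog state file, so each candidate can be justified narrowly rather than excluding all of `/var/lib`.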


