On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> 
> ----- Original Message -----
> > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > > Patch attached.
> > 
> > I'm curious - what is the purpose of this patch? To prevent 1 second timeouts
> > and re-transmits when OTP is in place?
> > 
> > What is the expected performance impact? Could it be configured for OTP
> > separately - somehow? (I guess that it is not possible now ...)
> 
> It benefits also communication of large packets (when large MS-PAC or CAMMAC AD Data
> are attached), so it is a better choice for IPA in general. Especially given we have
> multiple KDC processes configured we do not want clients wasting KDC resources by
> making multiple processes do the same operation.

So apparently this patch never got reviewed over a year ago.

It was related to a bug which was opened in SSSD. However, when it
became clear we wanted to solve this in FreeIPA, the SSSD bug was closed
but no corresponding FreeIPA bug was opened. The patch then fell through
the cracks.

Without this patch, if OTP validation runs long we get retransmits and
failures.

One question I have is how to handle this for upgrades since (I think)
this patch only handles new installs.

Anyway, this patch is somewhat urgent now. So help is appreciated.

I have attached a rebased version which has no other changes.

Nathaniel
From cf8b32db6b3b7766fcd2ecc7bff1f8b48bc344bf Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Thu, 6 Nov 2014 17:19:31 -0500
Subject: [PATCH] Prefer TCP connections to UDP in krb5 clients

https://fedorahosted.org/sssd/ticket/914
---
 contrib/RHEL4/ipa-client-setup            | 1 +
 install/share/krb5.conf.template          | 1 +
 install/tools/ipa-replica-conncheck       | 1 +
 ipa-client/ipa-install/ipa-client-install | 1 +
 4 files changed, 4 insertions(+)

diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup
index 4d1fead981d0e10232e974527222a2f9a62252b4..6edfa7c38a1d0c17236c3f755f3f7480b14d6a7c 100644
--- a/contrib/RHEL4/ipa-client-setup
+++ b/contrib/RHEL4/ipa-client-setup
@@ -310,6 +310,7 @@ def main():
         libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'})
         libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
         libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+        libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
 
         opts.append({'name':'libdefaults', 'type':'section', 'value':libopts})
         opts.append({'name':'empty', 'type':'empty'})
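Review bot: The new udp_preference_limit entry in main() targets the RHEL4 client, so please confirm that the krb5 library shipped there honours this libdefaults option; an option the library does not know is ignored without any error, and those clients would keep trying UDP first. A one-line comment above the append saying that 0 makes the library try TCP before UDP for every message size would also help, since the bare '0' does not explain itself.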
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 7c82083e3331cfacccc1995cd9dfa6ddd88edd1f..6cb5ee34704cd6158e882bfa89fc597f3ff1bb0f 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,6 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
+ udp_preference_limit = 0
 $OTHER_LIBDEFAULTS
 [realms]
  $REALM = {
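Review bot: The added "udp_preference_limit = 0" line sits in a template, so it only reaches a krb5.conf that is rendered from it, and none of the four files in this patch touches a krb5.conf that already exists. As the cover mail asks, an upgrade step is still needed; it should add the option to [libdefaults] only when the key is absent, so that a value an administrator has set is not overwritten. Also check that nothing substituted through $OTHER_LIBDEFAULTS on the following line sets the same key.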
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 88e42bafbc600fb7c36b7727c770e75edccd2196..22348fc2158e59afc2e1aa51e3d3f51e90b99e39 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -208,6 +208,7 @@ def configure_krb5_conf(realm, kdc, filename):
     libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
     libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
     libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+    libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
 
     opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
     opts.append({'name':'empty', 'type':'empty'})
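Review bot: This configure_krb5_conf() repeats the same rdns, ticket_lifetime, forwardable and now udp_preference_limit appends that configure_krb5_conf() in ipa-client-install carries, with the list named libdefaults here and libopts there. Every new default has to be added by hand in each copy, which makes it easy to miss one; consider building the common [libdefaults] entries in one shared helper that both callers use.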
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 612ff62a12a24672e6bc390bcd5165cd20bf834a..0fe93a05b372b4304c30c9d6c488556d64929273 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1043,6 +1043,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
     libopts.append({'name':'rdns', 'type':'option', 'value':'false'})
     libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
     libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
+    libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
 
     # Configure KEYRING CCACHE if supported
     if kernel_keyring.is_persistent_keyring_supported():
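Review bot: The '0' appended to libopts in configure_krb5_conf() is hard-coded, with no installer option to pick a different limit or keep the library default. With this value the client tries TCP to the KDC first and falls back to UDP only when that attempt fails, so sites that filter TCP port 88 will see a delay on KDC exchanges; either expose the value as an option or state the TCP 88 requirement in the ipa-client-install documentation. The commit message also points only at the SSSD ticket, so a FreeIPA ticket reference should be added.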
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
