On Sat, 17 Dec 2016, Jochen Hein wrote:
I'm running a privacyidea server, which has my tokens and provides
external RADIUS access for other services like FreeIPA. When a user
authenticates I have the following communications:
1. IPA Client -> IPA server (Kerberos)
2. IPA Server (kdc) -> ipa-otpd (internal radius) [*]
3. ipa-otpd -> FreeRADIUS for privacyidea
4. FreeRADIUS -> privacyidea (OTP-PIN/yubikey OTP)
5. privacyidea -> privacyidea (yubico validation server)
[*] Here is where the trouble starts: since we have a couple of TCP/IP
sessions with SSL handshakes, it takes a couple of seconds (mostly 6-8
seconds) to establish communication and get the answer from privacyidea
back.
man kdc.conf has:
,----
| [otp]
| timeout An integer which specifies the time in seconds
| during which the KDC should attempt to contact the
| RADIUS server. This tag is the total time across
| all retries and should be less than the time which
| an OTP value remains valid for. The default is 5
| seconds.
|
| retries This tag specifies the number of retries to make to
| the RADIUS server. The default is 3 retries (4
| tries).
`----
So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
,----
| [otp]
| DEFAULT = {
| timeout = 15
| retries = 0
| strip_realm = false
| }
`----
After that I can use my OTP tokens without problems. With the default
timeout of five seconds I had to be lucky to get an authentication
back. Would it be possible to raise the timeout to 10 seconds as a
default? That should work for me too.
Is there a better way to add my configuration to kdc.conf, so it will
survive upgrades? I didn't find any obvious place, nor some place where
something for ipa-otp had been configured.
You don't state which FreeIPA version you are using: distribution,
package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
ipa-otpd daemon.
--
/ Alexander Bokovoy
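As an added example (not code from the thread, FreeIPA or MIT Kerberos), the following script parses the [otp] section of a kdc.conf in the profile syntax shown above and applies the two constraints from kdc.conf(5): the timeout is the total budget across all retries, so it must exceed the measured round trip to the RADIUS back end, and it should be less than the window in which an OTP value stays valid. The sample configuration embedded in it is constructed from the one posted in the thread; the 8-second round trip and the 30-second validity window are assumptions for the check, not values from the page.

```python
"""Sanity-check the [otp] section of an MIT Kerberos kdc.conf.

Added example, not code from FreeIPA or MIT Kerberos.  It handles the
krb5 profile syntax for the [otp] section only (sections, one level of
"name = { ... }" blocks, and "key = value" relations) and applies the
rule from kdc.conf(5): timeout is the total time across all retries
and should be less than the time an OTP value remains valid for.
"""
import re

# Defaults documented in kdc.conf(5) for the [otp] section.
DEFAULT_TIMEOUT = 5
DEFAULT_RETRIES = 3

# Constructed sample: the configuration posted in the thread, plus a
# [kdcdefaults] section so the parser has more than one section to walk.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88

[otp]
 DEFAULT = {
   timeout = 15
   retries = 0
   strip_realm = false
 }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_PAIR = re.compile(r"^(\S+)\s*=\s*(.+)$")


def parse_kdc_conf(text):
    """Return {section: {key: value or {key: value}}} for the profile syntax."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("relation outside of any section: %r" % raw)
        m = _OPEN.match(line)          # "NAME = {" opens a nested block
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":                # closes the current block
            block = None
            continue
        m = _PAIR.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % raw)
        (block if block is not None else section)[m.group(1)] = m.group(2)
    return conf


def otp_profile(conf, token_type="DEFAULT"):
    """Settings the KDC applies for a token type: the type's own block if
    present, otherwise DEFAULT, otherwise the documented defaults."""
    otp = conf.get("otp", {})
    block = otp.get(token_type, otp.get("DEFAULT", {}))
    return {
        "timeout": int(block.get("timeout", DEFAULT_TIMEOUT)),
        "retries": int(block.get("retries", DEFAULT_RETRIES)),
    }


def check_otp_timing(profile, observed_rtt, otp_validity):
    """Findings for a profile, given the measured round trip to the RADIUS
    back end and the window an OTP stays valid (both in seconds)."""
    findings = []
    tries = profile["retries"] + 1
    # timeout is the total across all tries, so it must cover one full
    # round trip or the KDC gives up before the answer can arrive.
    if profile["timeout"] <= observed_rtt:
        findings.append(
            "timeout %ds (total over %d tries) does not cover the observed "
            "%ds round trip" % (profile["timeout"], tries, observed_rtt))
    if profile["timeout"] >= otp_validity:
        findings.append(
            "timeout %ds is not less than the %ds OTP validity window"
            % (profile["timeout"], otp_validity))
    return findings


if __name__ == "__main__":
    # Assumed values: 8 s round trip as reported in the thread, 30 s validity.
    conf = parse_kdc_conf(SAMPLE_KDC_CONF)
    for name, prof in (("stock defaults", otp_profile({})),
                       ("posted config", otp_profile(conf))):
        print(name, prof, check_otp_timing(prof, 8, 30) or "ok")
```

Running it shows the stock defaults (5 seconds over four tries) failing the round-trip check while the posted configuration passes both; to check a second token type, add a `yubikey = { ... }` block beside `DEFAULT` and call `otp_profile(conf, "yubikey")`.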
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project