Alexander Bokovoy <aboko...@redhat.com> writes:

>>So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted 
>>kdc:
>>
>>,----
>>| [otp]
>>|  DEFAULT = {
>>|   timeout = 15
>>|   retries = 0
>>|   strip_realm = false
>>|  }
>>`----
>>
>>After that I can use my OTP tokens without problems. With the default
>>timeout of five seconds I had to have luck to get an authentication
>>back.  Would it be possible to raise the timeout to 10 seconds as a
>>default?  That should work for me too.
>>
>>Is there a better way to add my configuration to kdc.conf, so it will
>>survive upgrades?  I didn't find any obvious place, nor some place where
>>something for ipa-otp had been configured.

> You don't state which FreeIPA version you are using: distribution,
> package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
> about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
> ipa-otpd daemon.

I'm running my old master on Fedora 24
(freeipa-server-4.3.2-2.fc24.x86_64) and the new one on CentOS 7.3
(ipa-server-4.4.0-14.el7.centos.x86_64). I've seen the bugs and checked
in CentOS git that the fix is in the package. And beside the timeout it
now seems to work.

We have two timeouts to consider:

1. KDC to ipa-otpd: this can be changed in
/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger
than the (largest) second timeout - and I think retries=0 is best.
This is for communication between KDC and ipa-otpd.

2. There is a timeout in each RADIUS server config in IPA for the
communication from ipa-otpd to external RADIUS servers:
,----
| [root@freeipa krb5kdc]# ipa radiusproxy-find
| -----------------------------
| 1 RADIUS proxy server matched
| -----------------------------
|   RADIUS proxy server name: athene
|   Server: athene.jochen.org
|   Timeout: 10
|   Retries: 0
|   User attribute: User-Name
| -------------------------------------
| Anzahl der zurückgegebenen Einträge 1
| -------------------------------------
`----
Again I think that for OTPs we are probably best with retries=0.

On older clients it might be helpful to add "udp_preference_limit = 0"
to /etc/krb5.conf - at least on my Debian/Ubuntu machines.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
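The relationship between the two timeouts in Jochen's message (the KDC's per-request timeout toward ipa-otpd in the `[otp]` stanza of kdc.conf, and the per-server timeout and retry count shown by `ipa radiusproxy-find`) can be checked mechanically. The script below is an added example, not code from the thread or from the FreeIPA project: it parses a constructed `[otp]` stanza and a constructed `radiusproxy-find` listing (one extra server, `backup`, is invented to show the failing case), computes the worst-case time ipa-otpd may spend waiting on each RADIUS server as `timeout * (retries + 1)`, and flags any server whose worst case is not strictly below the KDC's per-attempt timeout. The fallback values used when a stanza omits `timeout` or `retries` (5 seconds and 3 retries) are assumed from the MIT krb5 kdc.conf documentation, and the generalisation to retries goes beyond the thread, which only compares the two timeouts directly.

```python
import re

# Constructed sample of the [otp] stanza in /var/kerberos/krb5kdc/kdc.conf
# (mirrors the thread's values; not a real file).
KDC_CONF = """
[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
"""

# Constructed sample of `ipa radiusproxy-find` output. The second server
# ("backup") is invented to demonstrate a configuration that fails the check.
RADIUSPROXY_FIND = """
-----------------------------
2 RADIUS proxy servers matched
-----------------------------
  RADIUS proxy server name: athene
  Server: athene.jochen.org
  Timeout: 10
  Retries: 0
  User attribute: User-Name

  RADIUS proxy server name: backup
  Server: radius2.example.test
  Timeout: 5
  Retries: 2
  User attribute: User-Name
-------------------------------------
Number of entries returned 2
-------------------------------------
"""

# Assumed fallbacks (MIT krb5 [otp] defaults: 5 s, 3 retries) when a value is absent.
DEFAULT_TIMEOUT = 5
DEFAULT_RETRIES = 3


def parse_kdc_otp(text):
    """Return {profile: {"timeout": int, "retries": int}} from the [otp] section."""
    section = re.search(r"^\[otp\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    if not section:
        return {}
    profiles = {}
    # Each profile looks like:  NAME = { key = value ... }
    for name, body in re.findall(r"(\S+)\s*=\s*\{(.*?)\}", section.group(1), re.S):
        def num(key, default):
            m = re.search(rf"\b{key}\s*=\s*(\d+)", body)
            return int(m.group(1)) if m else default
        profiles[name] = {
            "timeout": num("timeout", DEFAULT_TIMEOUT),
            "retries": num("retries", DEFAULT_RETRIES),
        }
    return profiles


def parse_radiusproxy_find(text):
    """Return a list of {"name", "server", "timeout", "retries"} from CLI output."""
    proxies = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RADIUS proxy server name:"):
            proxies.append({"name": line.split(":", 1)[1].strip()})
        elif proxies and line.startswith("Server:"):
            proxies[-1]["server"] = line.split(":", 1)[1].strip()
        elif proxies and line.startswith("Timeout:"):
            proxies[-1]["timeout"] = int(line.split(":", 1)[1])
        elif proxies and line.startswith("Retries:"):
            proxies[-1]["retries"] = int(line.split(":", 1)[1])
    return proxies


def worst_case_wait(timeout, retries):
    """Longest time a caller may block: one timeout per attempt, retries + 1 attempts."""
    return timeout * (retries + 1)


def check_timeouts(profiles, proxies):
    """For every (KDC profile, RADIUS server) pair, report whether the KDC's
    per-attempt timeout strictly exceeds ipa-otpd's worst-case RADIUS wait.
    If it does not, the KDC gives up (or retries, re-sending the OTP) while
    ipa-otpd is still waiting on the RADIUS server."""
    results = []
    for pname, p in profiles.items():
        for r in proxies:
            radius_wait = worst_case_wait(
                r.get("timeout", DEFAULT_TIMEOUT), r.get("retries", DEFAULT_RETRIES))
            results.append({
                "profile": pname,
                "radius": r["name"],
                "kdc_timeout": p["timeout"],
                "kdc_retries_zero": p["retries"] == 0,
                "radius_wait": radius_wait,
                "ok": p["timeout"] > radius_wait,
            })
    return results


if __name__ == "__main__":
    for row in check_timeouts(parse_kdc_otp(KDC_CONF), parse_radiusproxy_find(RADIUSPROXY_FIND)):
        status = "ok" if row["ok"] else "KDC timeout too short"
        print(f"{row['profile']} -> {row['radius']}: kdc_timeout={row['kdc_timeout']}s "
              f"radius_worst_case={row['radius_wait']}s retries_zero={row['kdc_retries_zero']} {status}")
```

Run against the real files by replacing the two embedded strings with the contents of kdc.conf and the output of `ipa radiusproxy-find`. In the sample, `athene` passes (10 s worst case under a 15 s KDC timeout) while the invented `backup` server fails (5 s with 2 retries is 15 s, not strictly below 15 s), which is the situation that produces the intermittent failures the thread describes.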

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project