Alexander Bokovoy <aboko...@redhat.com> writes:

>> So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted
>> kdc:
>>
>> ,----
>> | [otp]
>> | DEFAULT = {
>> |   timeout = 15
>> |   retries = 0
>> |   strip_realm = false
>> | }
>> `----
>>
>> After that I can use my OTP tokens without problems. With the default
>> timeout of five seconds I had to have luck to get an authentication
>> back. Would it be possible to raise the timeout to 10 seconds as a
>> default? That should work for me too.
>>
>> Is there a better way to add my configuration to kdc.conf, so it will
>> survive upgrades? I didn't find any obvious place, nor some place where
>> something for ipa-otp had been configured.

> You don't state which FreeIPA version you are using: distribution,
> package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
> about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
> ipa-otpd daemon.

I'm running my old master on Fedora 24 (freeipa-server-4.3.2-2.fc24.x86_64)
and the new one on CentOS 7.3 (ipa-server-4.4.0-14.el7.centos.x86_64). I've
seen the bugs and checked in CentOS git that the fix is in the package. And
besides the timeout it now seems to work.

We have two timeouts to consider:

1. KDC to ipa-otpd: this can be changed in /var/kerberos/krb5kdc/kdc.conf.
   I think the timeout should be larger than the (largest) second timeout,
   and I think retries=0 is best. This is for communication between KDC and
   ipa-otpd.

2. There is a timeout in each RADIUS server config in IPA for the
   communication from ipa-otp to external RADIUS servers:

,----
| [root@freeipa krb5kdc]# ipa radiusproxy-find
| -----------------------------
| 1 RADIUS proxy server matched
| -----------------------------
|   RADIUS proxy server name: athene
|   Server: athene.jochen.org
|   Timeout: 10
|   Retries: 0
|   User attribute: User-Name
| -------------------------------------
| Anzahl der zurückgegebenen Einträge 1
| -------------------------------------
`----

Again I think that for OTPs we are probably best with retries=0.

On older clients it might be helpful to add "udp_preference_limit = 0" to
/etc/krb5.conf, at least on my Debian/Ubuntu machines.

Jochen
--
The only problem with troubleshooting is that the trouble shoots back.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
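An added example (not code from the mail or from the FreeIPA project) that turns the two-timeout rule from the thread into a check: it parses a kdc.conf `[otp]` stanza and the human-readable `ipa radiusproxy-find` listing, then reports when the KDC's timeout to ipa-otpd is not larger than the longest wait a RADIUS proxy entry can cause. The input strings are constructed from the values quoted in the mail; the MIT defaults of 5 seconds and 3 retries and the worst-case multiplier `timeout * (retries + 1)` are this example's assumptions, and the krb5 config parser is a minimal one written for the example.

```python
"""Consistency check for the KDC -> ipa-otpd and ipa-otpd -> RADIUS timeouts."""
import re

# Constructed input: the kdc.conf [otp] stanza from the mail, plus an unrelated
# section so the parser has something to skip.
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88

[otp]
 DEFAULT = {
   timeout = 15
   retries = 0
   strip_realm = false
 }
"""

# Constructed input: the `ipa radiusproxy-find` output quoted in the mail.
RADIUSPROXY_FIND = """\
-----------------------------
1 RADIUS proxy server matched
-----------------------------
  RADIUS proxy server name: athene
  Server: athene.jochen.org
  Timeout: 10
  Retries: 0
  User attribute: User-Name
-------------------------------------
Anzahl der zurückgegebenen Einträge 1
-------------------------------------
"""

# Assumption: MIT krb5's documented [otp] defaults when nothing is configured.
MIT_OTP_DEFAULT_TIMEOUT = 5
MIT_OTP_DEFAULT_RETRIES = 3


def parse_krb5_conf(text):
    """Minimal parser for kdc.conf/krb5.conf syntax: [section] headers,
    key = value lines and nested key = { ... } groups. Returns nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([A-Za-z0-9_]+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def parse_radiusproxy_find(text):
    """Parse the `ipa radiusproxy-find` listing into
    {name: {"timeout": int, "retries": int}}. Separator and count lines
    (including the localized entry count) carry no colon and are skipped."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RADIUS proxy server name:"):
            current = line.split(":", 1)[1].strip()
            servers[current] = {}
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if key in ("Timeout", "Retries"):
                servers[current][key.lower()] = int(value)
    return servers


def check_otp_timeouts(kdc_conf_text, radiusproxy_text):
    """Return a list of findings; an empty list means the timeouts are consistent."""
    otp = parse_krb5_conf(kdc_conf_text).get("otp", {}).get("DEFAULT", {})
    kdc_timeout = int(otp.get("timeout", MIT_OTP_DEFAULT_TIMEOUT))
    kdc_retries = int(otp.get("retries", MIT_OTP_DEFAULT_RETRIES))
    findings = []
    if kdc_retries != 0:
        findings.append("kdc.conf [otp] retries=%d; the mail recommends retries = 0 for OTP"
                        % kdc_retries)
    servers = parse_radiusproxy_find(radiusproxy_text)
    if not servers:
        findings.append("no RADIUS proxy servers found in radiusproxy-find output")
    for name, entry in servers.items():
        if "timeout" not in entry or "retries" not in entry:
            findings.append("%s: Timeout/Retries not shown; set them explicitly" % name)
            continue
        # Assumption: each retry waits another full timeout, so this is the
        # longest ipa-otpd can be stuck on this server before it gives up.
        worst_case = entry["timeout"] * (entry["retries"] + 1)
        if entry["retries"] != 0:
            findings.append("%s: retries=%d; the mail recommends retries = 0 for OTP"
                            % (name, entry["retries"]))
        if kdc_timeout <= worst_case:
            findings.append(
                "kdc.conf [otp] timeout=%ds is not larger than the worst-case %ds RADIUS "
                "wait for %s; raise the KDC timeout or lower the RADIUS one"
                % (kdc_timeout, worst_case, name))
    return findings


if __name__ == "__main__":
    for line in check_otp_timeouts(KDC_CONF, RADIUSPROXY_FIND) or ["OK: timeouts are consistent"]:
        print(line)
```

Run against the values from the mail (15 s at the KDC, 10 s with no retries at the RADIUS proxy) the check passes; run against a stock kdc.conf with no `[otp]` stanza it reports both the 5 s default being too short for a 10 s RADIUS timeout and the nonzero default retries.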