On Sun, 18 Dec 2016, Jochen Hein wrote:
Alexander Bokovoy <[email protected]> writes:
So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
,----
| [otp]
| DEFAULT = {
| timeout = 15
| retries = 0
| strip_realm = false
| }
`----
After that I can use my OTP tokens without problems. With the default
timeout of five seconds I had to have luck to get an authentication
back. Would it be possible to raise the timeout to 10 seconds as a
default? That should work for me too.
Is there a better way to add my configuration to kdc.conf, so it will
survive upgrades? I didn't find any obvious place, nor any place where
something for ipa-otp had been configured.
You don't state which FreeIPA version you are using: distribution,
package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
ipa-otpd daemon.
I'm running my old master on Fedora 24
(freeipa-server-4.3.2-2.fc24.x86_64) and the new on CentOS 7.3
(ipa-server-4.4.0-14.el7.centos.x86_64). I've seen the bugs and checked
in CentOS git that the fix is in the package. And besides the timeout it
now seems to work.
We have two timeouts to consider:
1. KDC to ipa-otpd: this can be changed in
/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger
than the (largest) second timeout - and I think retries=0 is best.
This is for communication between KDC and ipa-otpd.
2. There is a timeout in each RADIUS server config in IPA for the
communication from ipa-otpd to external RADIUS servers:
,----
| [root@freeipa krb5kdc]# ipa radiusproxy-find
| -----------------------------
| 1 RADIUS proxy server matched
| -----------------------------
| RADIUS proxy server name: athene
| Server: athene.jochen.org
| Timeout: 10
| Retries: 0
| User attribute: User-Name
| -------------------------------------
| Number of entries returned 1
| -------------------------------------
`----
Again I think that for OTPs we are probably best with retries=0.
On older clients it might be helpful to add "udp_preference_limit = 0"
to /etc/krb5.conf - at least on my Debian/Ubuntu machines.
Ok. It would probably make sense to file a ticket to FreeIPA tracker to
get these changes in FreeIPA 4.5.
--
/ Alexander Bokovoy
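Added example (not from the thread, nor FreeIPA's own code): a small
Python check for the two timeouts discussed above. It parses a kdc.conf
[otp] stanza and the text output of `ipa radiusproxy-find`, both embedded
as constructed samples, and reports whether the KDC would give up on
ipa-otpd before ipa-otpd can hear back from the slowest RADIUS server.
Assumptions: MIT krb5 defaults of timeout=5 and retries=3 for [otp] when
the stanza is absent, and that each RADIUS retry is another full wait, so
the worst case per proxy is Timeout * (Retries + 1). The second sample
proxy ("backup") is invented to show a failing case.

```python
"""Check that the KDC -> ipa-otpd timeout covers the slowest RADIUS proxy.

Added example, not code from the mailing-list thread or from FreeIPA.
Rule applied (an assumption of this example): for every RADIUS proxy,
    kdc_timeout > radius_timeout * (radius_retries + 1)
because each retry of ipa-otpd towards RADIUS is another full wait.
"""
import re

# Constructed sample: the [otp] stanza from kdc.conf as posted in the thread.
KDC_CONF = """
[otp]
DEFAULT = {
    timeout = 15
    retries = 0
    strip_realm = false
}
"""

# Constructed sample: `ipa radiusproxy-find` output; "backup" is invented.
RADIUSPROXY_FIND = """
-----------------------------
2 RADIUS proxy servers matched
-----------------------------
  RADIUS proxy server name: athene
  Server: athene.jochen.org
  Timeout: 10
  Retries: 0
  User attribute: User-Name

  RADIUS proxy server name: backup
  Server: radius2.example.org
  Timeout: 8
  Retries: 2
  User attribute: User-Name
----------------------------
Number of entries returned 2
----------------------------
"""

# MIT krb5 defaults for the [otp] section when nothing is configured
# (timeout=5 is stated in the thread; retries=3 is an assumption here).
KDC_DEFAULT_TIMEOUT = 5
KDC_DEFAULT_RETRIES = 3


def parse_otp_stanza(text, name="DEFAULT"):
    """Return (timeout, retries) for one token-type block inside [otp]."""
    section = re.search(r"\[otp\](.*?)(?=\n\[|\Z)", text, re.S)
    if not section:
        return KDC_DEFAULT_TIMEOUT, KDC_DEFAULT_RETRIES
    block = re.search(rf"\b{re.escape(name)}\s*=\s*\{{(.*?)\}}", section.group(1), re.S)
    if not block:
        return KDC_DEFAULT_TIMEOUT, KDC_DEFAULT_RETRIES
    settings = dict(re.findall(r"(\w+)\s*=\s*(\S+)", block.group(1)))
    return (int(settings.get("timeout", KDC_DEFAULT_TIMEOUT)),
            int(settings.get("retries", KDC_DEFAULT_RETRIES)))


def parse_radiusproxy_find(text):
    """Return a list of {name, server, timeout, retries} from the CLI output."""
    proxies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RADIUS proxy server name:"):
            current = {"name": line.split(":", 1)[1].strip(),
                       "server": None, "timeout": None, "retries": 0}
            proxies.append(current)
        elif current is not None and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Server":
                current["server"] = value
            elif key == "Timeout":
                current["timeout"] = int(value)
            elif key == "Retries":
                current["retries"] = int(value)
    return proxies


def check_timeouts(kdc_timeout, proxies):
    """Return (name, worst_case_wait, ok) per proxy; ok means the KDC waits longer."""
    results = []
    for p in proxies:
        if p["timeout"] is None:          # Timeout attribute absent: cannot verify
            results.append((p["name"], None, False))
            continue
        worst = p["timeout"] * (p["retries"] + 1)
        results.append((p["name"], worst, kdc_timeout > worst))
    return results


def audit(kdc_conf=KDC_CONF, radius_output=RADIUSPROXY_FIND):
    """Return (kdc_timeout, kdc_retries, findings); an empty findings list is good."""
    kdc_timeout, kdc_retries = parse_otp_stanza(kdc_conf)
    findings = []
    if kdc_retries > 0:   # a KDC retry re-sends the same one-time code to ipa-otpd
        findings.append(f"[otp] retries={kdc_retries}: set retries = 0 for OTP")
    for name, worst, ok in check_timeouts(kdc_timeout, parse_radiusproxy_find(radius_output)):
        if worst is None:
            findings.append(f"{name}: no Timeout set, cannot verify")
        elif not ok:
            findings.append(f"{name}: RADIUS worst case {worst}s >= KDC timeout {kdc_timeout}s")
    return kdc_timeout, kdc_retries, findings


if __name__ == "__main__":
    timeout, retries, problems = audit()
    print(f"kdc [otp] timeout={timeout} retries={retries}")
    for problem in problems or ["all RADIUS proxies fit inside the KDC timeout"]:
        print(" -", problem)
```

With the posted values (KDC timeout 15, athene timeout 10, retries 0)
the check passes for athene; the invented "backup" proxy with timeout 8
and two retries can take 24 seconds and is flagged. Running the audit
against an empty kdc.conf shows why the stock defaults were a problem:
the 5 second default is shorter than even a single 10 second RADIUS wait.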
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project