Alexander Bokovoy <> writes:

>>* sssd has a default kerberos timeout of six seconds.
>>  Can be changed in /etc/sssd/sssd.conf: krb5_auth_timeout,
>>  which also seems to work for auth_provider = ipa, but is not
>>  documented in sssd-ipa(5).
> sssd-ipa(5) says:
> --------
>       The IPA provider accepts the same options used by the
>       sssd-ldap(5) identity provider and the sssd-krb5(5)
>       authentication provider with some exceptions described
>       below.
> --------
> I'm not sure how much we could improve here.

I just scanned the option list and did not read the complete text.

> It would be good to write an article on the wiki that covers privacyidea
> integration and explains the workflow.

Cornelius from Privacyidea already asked me for this, but I first wanted
to get something stable and useful running. Now it looks like that is
done I'll try to write something up.

> Technically, we have most of
> Kerberos client (SSS) -> KDC -> IPA-OTPD -> FreeRADIUS covered in
> and
>, but they lack timeouts
> description.

Yes, these pages helped my a lot.


The only problem with troubleshooting is that the trouble shoots back.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to