[Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

Thu Dec 4 18:17:06 UTC 2014

On Tue, 2014-12-02 at 11:55 -0500, Nathaniel McCallum wrote:
> On Tue, 2014-12-02 at 17:51 +0100, Martin Kosek wrote:
> > On 12/02/2014 05:49 PM, Nathaniel McCallum wrote:
> > > On Tue, 2014-12-02 at 17:48 +0100, Martin Kosek wrote:
> > >> On 12/02/2014 05:36 PM, Simo Sorce wrote:
> > >>> On Tue, 02 Dec 2014 11:12:11 -0500
> > >>> Nathaniel McCallum <npmccallum at redhat.com> wrote:
> > >>>
> > >>>> On Thu, 2014-11-06 at 18:00 -0500, Nathaniel McCallum wrote:
> > >>>>> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> > >>>>>>
> > >>>>>> ----- Original Message -----
> > >>>>>>> On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > >>>>>>>> Patch attached.
> > >>>>>>>
> > >>>>>>> I'm curious - what is the purpose of this patch? To prevent 1
> > >>>>>>> second timeouts and re-transmits when OTP is in place?
> > >>>>>>>
> > >>>>>>> What is the expected performance impact? Could it be configured
> > >>>>>>> for OTP separately - somehow? (I guess that it is not possible
> > >>>>>>> now ...)
> > >>>>>>
> > >>>>>> It benefits also communication of large packets (when large
> > >>>>>> MS-PAC or CAMMAC AD Data are attached), so it is a better choice
> > >>>>>> for IPA in general. Especially given we have multiple KDC
> > >>>>>> processes configured we do not want clients wasting KDC resources
> > >>>>>> by making multiple processes do the same operation.
> > >>>>>
> > >>>>> So apparently this patch never got reviewed over a year ago.
> > >>>>>
> > >>>>> It was related to a bug which was opened in SSSD. However, when it
> > >>>>> became clear we wanted to solve this in FreeIPA, the SSSD bug was
> > >>>>> closed but no corresponding FreeIPA bug was opened. The patch then
> > >>>>> fell through the cracks.
> > >>>>>
> > >>>>> Without this patch, if OTP validation runs long we get retransmits
> > >>>>> and failures.
> > >>>>>
> > >>>>> One question I have is how to handle this for upgrades since (I
> > >>>>> think) this patch only handles new installs.
> > >>>>>
> > >>>>> Anyway, this patch is somewhat urgent now. So help is appreciated.
> > >>>>>
> > >>>>> I have attached a rebased version which has no other changes.
> > >>>>
> > >>>> I still need a review on this. Any takers?
> > >>>
> > >>> The patch looks good to me
> > >>>
> > >>> Simo.
> > >>
> > >> This fixes the new installations. Can you please refresh the memory what is the
> > >> decision regarding the upgrades?
> > > 
> > > The need to fix upgrades will be documented. In the future, we will
> > > get /etc/krb.conf.d and we will ship a file there.
> > > 
> > > Nathaniel
> > > 
> > 
> > Nobody reads the documentation :-) What is the implication for users doing
> > client update (majority of them) and using OTP feature?
> 
> They will get spurious failures. Most will think it is a bug or a
> network issue. If the failures happen consistently enough, users might
> get locked out.

So what is the plan with this patch? We need to get it sorted. :)