[Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

Simo Sorce ssorce at redhat.com
Fri Nov 7 00:46:11 UTC 2014


On Thu, 06 Nov 2014 18:00:21 -0500
Nathaniel McCallum <npmccallum at redhat.com> wrote:

> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> > 
> > ----- Original Message -----
> > > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > > > Patch attached.
> > > 
> > > I'm curious - what is the purpose of this patch? To prevent 1
> > > second timeouts and re-transmits when OTP is in place?
> > > 
> > > What is the expected performance impact? Could it be configured
> > > for OTP separately - somehow? (I guess that it is not possible
> > > now ...)
> > 
> > It benefits also communication of large packets (when large MS-PAC
> > or CAMMAC AD Data are attached), so it is a better choice for IPA
> > in general. Especially given we have multiple KDC processes
> > configured we do not want clients wasting KDC resources by making
> > multiple processes do the same operation.
> 
> So apparently this patch never got reviewed over a year ago.
> 
> It was related to a bug which was opened in SSSD. However, when it
> became clear we wanted to solve this in FreeIPA, the SSSD bug was
> closed but no corresponding FreeIPA bug was opened. The patch then
> fell through the cracks.
> 
> Without this patch, if OTP validation runs long we get retransmits and
> failures.
> 
> One question I have is how to handle this for upgrades since (I think)
> this patch only handles new installs.
> 
> Anyway, this patch is somewhat urgent now. So help is appreciated.
> 
> I have attached a rebased version which has no other changes.
> 
> Nathaniel

I am not sure we can do much on updates; we do not have a
client-update tool, so I would just document it, I guess.
Otherwise we'd have to go back to sssd, which can inject additional
values in krb5.conf; however, I am not sure it would be OK to set
something like this in sssd's pubconf includes ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



