[Freeipa-users] ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

Alexander Bokovoy abokovoy at redhat.com
Sun Dec 18 09:27:25 UTC 2016


On Sat, 17 Dec 2016, Jochen Hein wrote:
>
>I'm running a privacyidea server, which has my tokens and provides
>external RADIUS access for other services like FreeIPA.  When a user
>authenticates I have the following communications:
>
>1. IPA Client -> IPA server (Kerberos)
>2. IPA Server (kdc) -> ipa-otpd (internal radius) [*]
>3. ipa-otpd -> FreeRADIUS for privacyidea
>4. FreeRADIUS -> privacyidea (OTP-PIN/yubikey OTP)
>5. privacyidea -> privacyidea (yubico validation server)
>
>[*] Here is where the trouble starts: Since we have a couple of TCP/IP
>sessions with SSL handshakes it takes a couple of seconds (mostly 6-8
>seconds) to establish communication and get the answer from privacyidea
>back.
>
>man kdc.conf has:
>,----
>|    [otp]
>|       timeout       An integer which specifies the time in seconds
>|                     during which the KDC should attempt to contact the
>|                     RADIUS server.  This tag is the total time across
>|                     all retries and should be less than the time which
>|                     an OTP value remains valid for.  The default is 5
>|                     seconds.
>|
>|        retries      This tag specifies the number of retries to make to
>|                     the RADIUS server.  The default is 3 retries (4
>|                     tries).
>`----
>
>So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
>
>,----
>| [otp]
>|  DEFAULT = {
>|   timeout = 15
>|   retries = 0
>|   strip_realm = false
>|  }
>`----
>
>After that I can use my OTP tokens without problems. With the default
>timeout of five seconds I had to have luck to get an authentication
>back.  Would it be possible to raise the timeout to 10 seconds as a
>default?  That should work for me too.
>
>Is there a better way to add my configuration to kdc.conf, so it will
>survive upgrades?  I didn't find any obvious place, nor some place where
>something for ipa-otp had been configured.
You don't state which FreeIPA version you are using: distribution,
package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
ipa-otpd daemon.
-- 
/ Alexander Bokovoy
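An added check for the [otp] budget discussed above (my own example, not code from the thread or from FreeIPA/MIT Kerberos): it parses the [otp] stanza out of a constructed kdc.conf excerpt and compares timeout/retries against a measured backend round-trip (8 s, as in the 6-8 s reported) and an assumed 30 s OTP validity window. That the total timeout is split evenly over the retries+1 attempts is my reading of the man page wording, not something the thread states.

```python
import re
# Constructed kdc.conf excerpt modelled on the [otp] stanza quoted in the thread, not the poster's real file.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
 slowvendor = {
  retries = 1
 }
"""
OTP_DEFAULTS = {"timeout": 5, "retries": 3}  # documented defaults from man kdc.conf

def parse_otp_section(text):
    """Parse the [otp] section of a krb5 profile into {config_name: {tag: value}}; other sections are skipped."""
    configs, section, current = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if (m := re.match(r"^\[(\w+)\]$", line)):
            section = m.group(1)
        elif section != "otp":
            continue
        elif (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            current = configs.setdefault(m.group(1), {})  # open a `name = { ... }` subsection
        elif line == "}":
            current = None
        elif current is not None and (m := re.match(r"^(\S+)\s*=\s*(.+)$", line)):
            current[m.group(1)] = m.group(2).strip()
    return configs

def check_otp_timeout(configs, name, backend_seconds, otp_valid_seconds):
    """Findings for one [otp] config; timeout is the total across retries (man kdc.conf), assumed split evenly."""
    cfg = configs.get(name, {})
    timeout = int(cfg.get("timeout", OTP_DEFAULTS["timeout"]))
    tries = int(cfg.get("retries", OTP_DEFAULTS["retries"])) + 1
    per_try = timeout / tries
    findings = []
    if timeout < backend_seconds:
        findings.append(f"{name}: total timeout {timeout}s < backend round-trip {backend_seconds}s")
    if per_try < backend_seconds:
        findings.append(f"{name}: per-attempt budget {per_try:g}s ({timeout}s over {tries} tries) < {backend_seconds}s")
    if timeout >= otp_valid_seconds:
        findings.append(f"{name}: total timeout {timeout}s is not below OTP validity {otp_valid_seconds}s")
    return findings
```

With the documented defaults (5 s total, 3 retries) each attempt gets only 1.25 s against an 8 s backend, which is why the stock configuration needed luck; the quoted 15 s / 0 retries stanza passes all three checks.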