[Freeipa-users] ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server
Alexander Bokovoy
abokovoy at redhat.com
Sun Dec 18 09:27:25 UTC 2016
On la, 17 joulu 2016, Jochen Hein wrote:
>
>I'm running a privacyidea server, which has my tokens and provides
>external RADIUS access for other services like FreeIPA. When a user
>authenticates I have the following communications:
>
>1. IPA Client -> IPA server (Kerberos)
>2. IPA Server (kdc) -> ipa-otpd (internal radius) [*]
>3. ipa-otpd -> FreeRADIUS for privacyidea
>4. FreeRADIUS -> privacyidea (OTP-PIN/yubikey OTP)
>5. privacyidea -> privacyidea (yubico validation server)
>
>[*] Here is where the trouble starts: Since we have a couple of TCP/IP
>sessions with SSL handshakes it takes a couple of seconds (mostly 6-8
>seconds) to establish communication and get the answer from privacyidea
>back.
>
>man kdc.conf has:
>,----
>| [otp]
>| timeout An integer which specifies the time in seconds
>| during which the KDC should attempt to contact the
>| RADIUS server. This tag is the total time across
>| all retries and should be less than the time which
>| an OTP value remains valid for. The default is 5
>| seconds.
>|
>| retries This tag specifies the number of retries to make to
>| the RADIUS server. The default is 3 retries (4
>| tries).
>`----
>
>So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
>
>,----
>| [otp]
>| DEFAULT = {
>| timeout = 15
>| retries = 0
>| strip_realm = false
>| }
>`----
>
>After that I can use my OTP tokens without problems. With the default
>timeout of five seconds I had to have luck to get an authentication
>back. Would it be possible to raise the timeout to 10 seconds as a
>default? That sould work for me too.
>
>Is there a better way to add my configuration to kdc.conf, so it will
>survive upgrades? I didn't find any obvious place, nor some place where
>something for ipa-otp had been configured.
You don't state which FreeIPA version you are using: distribution,
package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
ipa-otpd daemon.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list