[Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server
Jochen Hein
jochen at jochen.org
Sun Dec 18 10:25:55 UTC 2016
Alexander Bokovoy <abokovoy at redhat.com> writes:
>>So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
>>
>>,----
>>| [otp]
>>| DEFAULT = {
>>| timeout = 15
>>| retries = 0
>>| strip_realm = false
>>| }
>>`----
>>
>>After that I can use my OTP tokens without problems. With the default
>>timeout of five seconds I had to have luck to get an authentication
>>back. Would it be possible to raise the timeout to 10 seconds as a
>>default? That should work for me too.
>>
>>Is there a better way to add my configuration to kdc.conf, so it will
>>survive upgrades? I didn't find any obvious place, nor some place where
>>something for ipa-otp had been configured.
> You don't state which FreeIPA version you are using: distribution,
> package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
> about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
> ipa-otpd daemon.
I'm running my old master on Fedora 24
(freeipa-server-4.3.2-2.fc24.x86_64) and the new one on CentOS 7.3
(ipa-server-4.4.0-14.el7.centos.x86_64). I've seen the bugs and checked
in CentOS git that the fix is in the package. And besides the timeout it
now seems to work.
We have two timeouts to consider:
1. KDC to ipa-otpd: this can be changed in
/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger
than the (largest) second timeout - and I think retries=0 is best.
This is for communication between KDC and ipa-otpd.
2. There is a timeout in each RADIUS server config in IPA for the
communication from ipa-otpd to external RADIUS servers:
,----
| [root at freeipa krb5kdc]# ipa radiusproxy-find
| -----------------------------
| 1 RADIUS proxy server matched
| -----------------------------
| RADIUS proxy server name: athene
| Server: athene.jochen.org
| Timeout: 10
| Retries: 0
| User attribute: User-Name
| -------------------------------------
| Anzahl der zurückgegebenen Einträge 1
| -------------------------------------
`----
Again I think that for OTPs we are probably best with retries=0.
On older clients it might be helpful to add "udp_preference_limit = 0"
to /etc/krb5.conf - at least on my Debian/Ubuntu machines.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
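As an added example that is not part of Jochen's message: a small Python checker that parses the [otp] block from kdc.conf and the `ipa radiusproxy-find` output quoted above and reports whether the KDC waits longer than the slowest RADIUS proxy could take. It assumes a proxy may hold ipa-otpd for timeout multiplied by (retries + 1) seconds, which the thread does not state, and the sample inputs are constructed to match the values in the message.

```python
import re

KDC_CONF = """\
[otp]
DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
}
"""  # constructed sample mirroring the kdc.conf snippet in the thread
RADIUSPROXY_FIND = """\
1 RADIUS proxy server matched
  RADIUS proxy server name: athene
  Server: athene.jochen.org
  Timeout: 10
  Retries: 0
  User attribute: User-Name
"""  # constructed sample mirroring the `ipa radiusproxy-find` output

def parse_otp_section(text):
    """Read timeout/retries from the [otp] section of kdc.conf.
    Missing keys fall back to MIT krb5's documented defaults (5 s, 3 retries)."""
    values, in_otp = {"timeout": 5, "retries": 3}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):          # a section header switches context
            in_otp = line == "[otp]"
            continue
        m = re.match(r"(timeout|retries)\s*=\s*(\d+)", line)
        if in_otp and m:
            values[m.group(1)] = int(m.group(2))
    return values

def parse_radius_proxies(text):
    """Turn `ipa radiusproxy-find` output into a list of proxy dicts."""
    proxies = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "RADIUS proxy server name":
            proxies.append({"name": value.strip(), "timeout": None, "retries": 0})
        elif proxies and key in ("Timeout", "Retries"):
            proxies[-1][key.lower()] = int(value)
    return proxies

def check_timeouts(kdc_conf, find_output):
    """Return (ok, kdc_wait, worst_radius_wait). Assumption: a proxy may hold
    ipa-otpd for timeout * (retries + 1) seconds, so the KDC must wait longer."""
    kdc_wait = parse_otp_section(kdc_conf)["timeout"]
    worst = max((p["timeout"] * (p["retries"] + 1)
                 for p in parse_radius_proxies(find_output) if p["timeout"] is not None), default=0)
    return kdc_wait > worst, kdc_wait, worst
```

Running it against the stock five-second KDC default and a ten-second proxy timeout flags the mismatch the message describes.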