[Freeipa-users] Valid Sender ? - Re: ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

Alexander Bokovoy abokovoy at redhat.com
Sun Dec 18 10:33:32 UTC 2016


On Sun, 18 Dec 2016, Jochen Hein wrote:
>Alexander Bokovoy <abokovoy at redhat.com> writes:
>
>>>So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:
>>>
>>>,----
>>>| [otp]
>>>|  DEFAULT = {
>>>|   timeout = 15
>>>|   retries = 0
>>>|   strip_realm = false
>>>|  }
>>>`----
>>>
>>>After that I can use my OTP tokens without problems. With the default
>>>timeout of five seconds I had to have luck to get an authentication
>>>back.  Would it be possible to raise the timeout to 10 seconds as a
>>>default?  That should work for me too.
>>>
>>>Is there a better way to add my configuration to kdc.conf, so it will
>>>survive upgrades?  I didn't find any obvious place, nor some place where
>>>something for ipa-otp had been configured.
>
>> You don't state which FreeIPA version you are using: distribution,
>> package version, etc. There was a bug fixed in RHEL 7.3 / Fedora 25
>> about timeouts in OTP handling both in MIT Kerberos and FreeIPA's
>> ipa-otpd daemon.
>
>I'm running my old master on Fedora 24
>(freeipa-server-4.3.2-2.fc24.x86_64) and the new one on CentOS 7.3
>(ipa-server-4.4.0-14.el7.centos.x86_64). I've seen the bugs and checked
>in CentOS git that the fix is in the package. And besides the timeout it
>now seems to work.
>
>We have two timeouts to consider:
>
>1. KDC to ipa-otpd: this can be changed in
>/var/kerberos/krb5kdc/kdc.conf. I think the timeout should be larger
>than the (largest) second timeout - and I think retries=0 is best.
>This is for communication between KDC and ipa-otpd.
>
>2. There is a timeout in each RADIUS server config in IPA for the
>communication from ipa-otpd to external RADIUS servers:
>,----
>| [root at freeipa krb5kdc]# ipa radiusproxy-find
>| -----------------------------
>| 1 RADIUS proxy server matched
>| -----------------------------
>|   RADIUS proxy server name: athene
>|   Server: athene.jochen.org
>|   Timeout: 10
>|   Retries: 0
>|   User attribute: User-Name
>| -------------------------------------
>| Anzahl der zurückgegebenen Einträge 1
>| -------------------------------------
>`----
>Again I think that for OTPs we are probably best with retries=0.
>
>On older clients it might be helpful to add "udp_preference_limit = 0"
>to /etc/krb5.conf - at least on my Debian/Ubuntu machines.
Ok. It would probably make sense to file a ticket to FreeIPA tracker to
get these changes in FreeIPA 4.5.

-- 
/ Alexander Bokovoy
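A consistency check for the two timeouts Jochen lists, as an added example and not code from the thread or from FreeIPA: it parses a kdc.conf `[otp]` block and `ipa radiusproxy-find` output (both constructed samples here, with a hypothetical second proxy named `backup`) and flags any RADIUS proxy whose timeout is not below the KDC-to-ipa-otpd timeout, and any non-zero retries on either side.

```python
import re

# Constructed kdc.conf fragment with the [otp] block from the thread (not a real host's file).
KDC_CONF = """[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
"""
# Constructed `ipa radiusproxy-find` output; the second proxy is deliberately misconfigured.
RADIUSPROXY_FIND = """  RADIUS proxy server name: athene
  Timeout: 10
  Retries: 0

  RADIUS proxy server name: backup
  Timeout: 20
  Retries: 1
"""

def parse_otp_default(conf):
    """Return the key/value pairs of DEFAULT = { ... } in the [otp] section, or {}."""
    section = re.search(r"^\[otp\](.*?)(?=^\[|\Z)", conf, re.S | re.M)
    block = section and re.search(r"DEFAULT\s*=\s*\{(.*?)\}", section.group(1), re.S)
    return dict(re.findall(r"(\w+)\s*=\s*(\S+)", block.group(1))) if block else {}

def parse_radius_proxies(text):
    """Return [{name, timeout, retries}] from radiusproxy-find output (blank-line separated entries)."""
    proxies = []
    for entry in re.split(r"\n\s*\n", text):
        name = re.search(r"RADIUS proxy server name:\s*(\S+)", entry)
        if name:
            timeout = re.search(r"Timeout:\s*(\d+)", entry)
            retries = re.search(r"Retries:\s*(\d+)", entry)
            proxies.append({"name": name.group(1), "timeout": int(timeout.group(1)), "retries": int(retries.group(1))})
    return proxies

def check_timeouts(conf, find_output):
    """List settings that contradict the thread's advice (empty list means consistent).
    Defaults if [otp] is absent: timeout 5s (as the thread states), retries 3 (MIT kdc.conf default)."""
    otp = parse_otp_default(conf)
    kdc_timeout, kdc_retries = int(otp.get("timeout", 5)), int(otp.get("retries", 3))
    problems = []
    if kdc_retries != 0:
        problems.append(f"kdc.conf [otp] retries={kdc_retries}; 0 is recommended for OTP")
    for p in parse_radius_proxies(find_output):
        if p["timeout"] >= kdc_timeout:
            problems.append(f"{p['name']}: RADIUS timeout {p['timeout']}s is not below KDC timeout {kdc_timeout}s")
        if p["retries"] != 0:
            problems.append(f"{p['name']}: retries={p['retries']}; 0 is recommended for OTP")
    return problems
```

Feeding it the real files (`/var/kerberos/krb5kdc/kdc.conf` and the live `ipa radiusproxy-find` output) gives the same check against a running server.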