[Freeipa-users] ipa-otpd: timeout from kerberos when talking to an external 'slow' RADIUS server

Jochen Hein jochen at jochen.org
Sat Dec 17 21:45:52 UTC 2016


I'm running a privacyidea server, which has my tokens and provides
external RADIUS access for other services like FreeIPA.  When a user
authenticates I have the following communications:

1. IPA Client -> IPA server (Kerberos)
2. IPA Server (kdc) -> ipa-otpd (internal radius) [*]
3. ipa-otpd -> FreeRADIUS for privacyidea
4. FreeRADIUS -> privacyidea (OTP-PIN/yubikey OTP)
5. privacyidea -> privacyidea (yubico validation server)

[*] Here is where the trouble starts: Since we have a couple of TCP/IP
sessions with SSL handshakes it takes a couple of seconds (mostly 6-8
seconds) to establish communication and get the answer from privacyidea
back.

man kdc.conf has:
,----
|    [otp]
|       timeout       An integer which specifies the time in seconds
|                     during which the KDC should attempt to contact the
|                     RADIUS server.  This tag is the total time across
|                     all retries and should be less than the time which
|                     an OTP value remains valid for.  The default is 5
|                     seconds.
| 
|        retries      This tag specifies the number of retries to make to
|                     the RADIUS server.  The default is 3 retries (4
|                     tries).
`----

So I've added the following to /var/kerberos/krb5kdc/kdc.conf and restarted kdc:

,----
| [otp]
|  DEFAULT = {
|   timeout = 15
|   retries = 0
|   strip_realm = false
|  }
`----

After that I can use my OTP tokens without problems. With the default
timeout of five seconds I had to have luck to get an authentication
back.  Would it be possible to raise the timeout to 10 seconds as a
default?  That should work for me too.

Is there a better way to add my configuration to kdc.conf, so it will
survive upgrades?  I didn't find any obvious place, nor any place where
something for ipa-otp had been configured.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
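The [otp] stanza above is the whole of the tuning knob discussed in this post, so here is a small audit script, added by the editor and not part of the thread, FreeIPA or MIT krb5, that reads the [otp] section of a kdc.conf, fills in the kdc.conf(5) defaults (timeout 5, retries 3) for anything left unset, and reports whether the budget covers a measured backend latency while staying below the OTP validity window the man page warns about. The kdc.conf text, the second profile named `slow` with server 192.0.2.10:1812, the 8 second backend latency and the 30 second OTP validity are all constructed for the example; the modelling of each try as getting timeout divided by (retries + 1) is an assumption about how the KDC spreads its total timeout, not something the thread states.

```python
"""Audit the [otp] section of a krb5 kdc.conf against a RADIUS backend's latency.

Editor-added example, not FreeIPA or MIT krb5 code.  The config below is a
constructed sample built from the values in the thread plus a hypothetical
second profile.
"""

import re

# Defaults documented in kdc.conf(5) for the [otp] section.
DEFAULT_TIMEOUT = 5   # seconds, total across all retries
DEFAULT_RETRIES = 3   # 3 retries => 4 tries

# Constructed sample: the DEFAULT profile from the thread plus a hypothetical
# profile that relies on the man-page defaults.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[otp]
 DEFAULT = {
  timeout = 15
  retries = 0
  strip_realm = false
 }
 slow = {
  server = 192.0.2.10:1812
  secret = /var/kerberos/krb5kdc/slow.secret
 }
"""


def parse_otp_profiles(text):
    """Return {profile: {key: value}} for every `name = { ... }` block in [otp].

    Handles only the one level of nesting that [otp] profiles use; values are
    kept as strings so the caller decides how to interpret them.
    """
    profiles = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "otp":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m and current is not None:
            profiles[current][m.group(1)] = m.group(2).strip()
    return profiles


def effective_budget(profile):
    """Return (total_timeout, tries) applying kdc.conf(5) defaults to unset keys."""
    timeout = int(profile.get("timeout", DEFAULT_TIMEOUT))
    retries = int(profile.get("retries", DEFAULT_RETRIES))
    return timeout, retries + 1


def check_profile(profile, backend_latency, otp_validity):
    """Return a list of problems for one profile (empty list means it looks fine)."""
    timeout, tries = effective_budget(profile)
    problems = []
    if timeout <= backend_latency:
        problems.append(f"total timeout {timeout}s does not cover backend latency {backend_latency}s")
    if timeout >= otp_validity:
        problems.append(f"total timeout {timeout}s is not below OTP validity {otp_validity}s")
    # Assumption: the total timeout is spread evenly over all tries, so a
    # backend slower than timeout/tries never answers any single try in time.
    per_try = timeout / tries
    if tries > 1 and per_try <= backend_latency:
        problems.append(f"each of {tries} tries gets {per_try:.2f}s, below backend latency {backend_latency}s")
    return problems


def audit(text, backend_latency, otp_validity):
    """Map every [otp] profile name to its list of problems."""
    return {name: check_profile(p, backend_latency, otp_validity)
            for name, p in parse_otp_profiles(text).items()}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_KDC_CONF, backend_latency=8, otp_validity=30).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against a real /var/kerberos/krb5kdc/kdc.conf by replacing SAMPLE_KDC_CONF with the file's contents and `backend_latency` with a round-trip time you measured against the RADIUS backend; a profile that only inherits the man-page defaults will be flagged whenever the backend needs more than a couple of seconds.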



