|
 |
e3ffab |
From 0538c3040f65dea97a8e98eab7be2c8fc8ff17a9 Mon Sep 17 00:00:00 2001
|
|
|
e3ffab |
From: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
e3ffab |
Date: Fri, 5 Dec 2014 11:18:55 -0500
|
|
|
e3ffab |
Subject: [PATCH] Prefer TCP connections to UDP in krb5 clients
|
|
|
e3ffab |
|
|
|
e3ffab |
In general, TCP is a better fit for FreeIPA due to large packet sizes.
|
|
|
e3ffab |
|
|
|
e3ffab |
However, there is also a specific need for TCP when using OTP. If a UDP
|
|
|
e3ffab |
packet is delivered to the server and the server takes longer to process
|
|
|
e3ffab |
it than the client timeout (likely), the OTP value will be resent.
|
|
|
e3ffab |
Unfortunately, this will cause failures or even lockouts. Switching to
|
|
|
e3ffab |
TCP avoids this problem altogether.
|
|
|
e3ffab |
|
|
|
e3ffab |
https://fedorahosted.org/freeipa/ticket/4725
|
|
|
e3ffab |
|
|
|
e3ffab |
Reviewed-By: Martin Kosek <mkosek@redhat.com>
|
|
|
e3ffab |
---
|
|
|
e3ffab |
install/share/krb5.conf.template | 1 +
|
|
|
e3ffab |
install/tools/ipa-replica-conncheck | 1 +
|
|
|
e3ffab |
ipa-client/ipa-install/ipa-client-install | 1 +
|
|
|
e3ffab |
3 files changed, 3 insertions(+)
|
|
|
e3ffab |
|
|
|
e3ffab |
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
|
|
|
e3ffab |
index 7c82083e3331cfacccc1995cd9dfa6ddd88edd1f..6cb5ee34704cd6158e882bfa89fc597f3ff1bb0f 100644
|
|
|
e3ffab |
--- a/install/share/krb5.conf.template
|
|
|
e3ffab |
+++ b/install/share/krb5.conf.template
|
|
|
e3ffab |
@@ -12,6 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
|
|
|
e3ffab |
rdns = false
|
|
|
e3ffab |
ticket_lifetime = 24h
|
|
|
e3ffab |
forwardable = yes
|
|
|
e3ffab |
+ udp_preference_limit = 0
|
|
|
e3ffab |
$OTHER_LIBDEFAULTS
|
|
|
e3ffab |
[realms]
|
|
|
e3ffab |
$REALM = {
|
|
|
e3ffab |
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
|
|
|
e3ffab |
index 88e42bafbc600fb7c36b7727c770e75edccd2196..22348fc2158e59afc2e1aa51e3d3f51e90b99e39 100755
|
|
|
e3ffab |
--- a/install/tools/ipa-replica-conncheck
|
|
|
e3ffab |
+++ b/install/tools/ipa-replica-conncheck
|
|
|
e3ffab |
@@ -208,6 +208,7 @@ def configure_krb5_conf(realm, kdc, filename):
|
|
|
e3ffab |
libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'})
|
|
|
e3ffab |
libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
|
|
|
e3ffab |
libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'})
|
|
|
e3ffab |
+ libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
|
|
|
e3ffab |
|
|
|
e3ffab |
opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults})
|
|
|
e3ffab |
opts.append({'name':'empty', 'type':'empty'})
|
|
|
e3ffab |
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
|
|
|
e3ffab |
index 7b1e2f8b0b873375c14d02558dce65b68a5ad173..75a1711a7e1fdc9359ad02d55ad94d65af51ea93 100755
|
|
|
e3ffab |
--- a/ipa-client/ipa-install/ipa-client-install
|
|
|
e3ffab |
+++ b/ipa-client/ipa-install/ipa-client-install
|
|
|
e3ffab |
@@ -1047,6 +1047,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
|
|
|
e3ffab |
libopts.append({'name':'rdns', 'type':'option', 'value':'false'})
|
|
|
e3ffab |
libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
|
|
|
e3ffab |
libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
|
|
|
e3ffab |
+ libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'})
|
|
|
e3ffab |
|
|
|
e3ffab |
# Configure KEYRING CCACHE if supported
|
|
|
e3ffab |
if kernel_keyring.is_persistent_keyring_supported():
|
|
|
e3ffab |
--
|
|
|
e3ffab |
2.1.0
|
|
|
e3ffab |
|