diff options
author | Nathaniel McCallum <npmccallum@redhat.com> | 2014-12-05 11:18:55 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-12-08 10:56:06 +0100 |
commit | 7ad9f5d3d5ff2eec43bc355c4e7e9514aff01a31 (patch) | |
tree | ad3b1728001d3caf603f4e775c472dd8144d41e3 /ipa-client/ipa-install | |
parent | d0a781b9c6911f1875df4b0c7da5e6ae030d36de (diff) | |
download | freeipa-7ad9f5d3d5ff2eec43bc355c4e7e9514aff01a31.tar.gz freeipa-7ad9f5d3d5ff2eec43bc355c4e7e9514aff01a31.tar.xz freeipa-7ad9f5d3d5ff2eec43bc355c4e7e9514aff01a31.zip |
Prefer TCP connections to UDP in krb5 clients
In general, TCP is a better fit for FreeIPA due to large packet sizes.
However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.
https://fedorahosted.org/freeipa/ticket/4725
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 69f63d322..dfe0e3b75 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1043,6 +1043,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, libopts.append({'name':'rdns', 'type':'option', 'value':'false'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) # Configure KEYRING CCACHE if supported if kernel_keyring.is_persistent_keyring_supported(): |