From 7ad9f5d3d5ff2eec43bc355c4e7e9514aff01a31 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Fri, 5 Dec 2014 11:18:55 -0500
Subject: Prefer TCP connections to UDP in krb5 clients

In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether.

https://fedorahosted.org/freeipa/ticket/4725

Reviewed-By: Martin Kosek
---
 install/share/krb5.conf.template | 1 +
 1 file changed, 1 insertion(+)
 (limited to 'install/share')
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 7c82083e3..6cb5ee347 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -12,6 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
+ udp_preference_limit = 0
 $OTHER_LIBDEFAULTS
 [realms]
 $REALM = {
--
cgit
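Review bot: The added `udp_preference_limit = 0` line has no comment, so the OTP reason given in the commit message is lost to anyone who later edits the generated krb5.conf. A line such as `# Try TCP first: a UDP retransmit resends the OTP value and can cause failed logins or lockouts` above it would keep that visible. The setting is also only an ordering preference: libkrb5 still falls back to UDP when the TCP attempt fails, so a host where TCP port 88 to the KDC is filtered can still hit the resend problem, and the rollout should confirm TCP reachability. The template presumably affects only newly generated configurations, so already-installed hosts may need the same line added on upgrade. The diff shown is limited to install/share, so that may be handled elsewhere in the commit.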