From d73ed48cf7fa820b6ff8c46b394ff6da19bc7087 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Fri, 5 Dec 2014 11:18:55 -0500 Subject: Prefer TCP connections to UDP in krb5 clients In general, TCP is a better fit for FreeIPA due to large packet sizes. However, there is also a specific need for TCP when using OTP. If a UDP packet is delivered to the server and the server takes longer to process it than the client timeout (likely), the OTP value will be resent. Unfortunately, this will cause failures or even lockouts. Switching to TCP avoids this problem altogether. https://fedorahosted.org/freeipa/ticket/4725 Reviewed-By: Martin Kosek --- install/share/krb5.conf.template | 1 + install/tools/ipa-replica-conncheck | 1 + ipa-client/ipa-install/ipa-client-install | 1 + 3 files changed, 3 insertions(+) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 7c82083e3..6cb5ee347 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -12,6 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/ rdns = false ticket_lifetime = 24h forwardable = yes + udp_preference_limit = 0 $OTHER_LIBDEFAULTS [realms] $REALM = { diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 88e42bafb..22348fc21 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -208,6 +208,7 @@ def configure_krb5_conf(realm, kdc, filename): libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'}) libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults}) opts.append({'name':'empty', 'type':'empty'}) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 54a85a7f1..f8825da42 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1047,6 +1047,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, libopts.append({'name':'rdns', 'type':'option', 'value':'false'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) # Configure KEYRING CCACHE if supported if kernel_keyring.is_persistent_keyring_supported(): -- cgit