On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote:
> > ----- Original Message -----
> > On 3.10.2013 23:43, Nathaniel McCallum wrote:
> > > Patch attached.
> >
> > I'm curious - what is the purpose of this patch? To prevent 1 second
> > timeouts and re-transmits when OTP is in place?
> >
> > What is the expected performance impact? Could it be configured for OTP
> > separately - somehow? (I guess that it is not possible now ...)
>
> It also benefits communication of large packets (when large MS-PAC or CAMMAC
> AD Data are attached), so it is a better choice for IPA in general. Especially
> given we have multiple KDC processes configured, we do not want clients wasting
> KDC resources by making multiple processes do the same operation.
So apparently this patch never got reviewed over a year ago. It was related to a bug which was opened in SSSD. However, when it became clear we wanted to solve this in FreeIPA, the SSSD bug was closed but no corresponding FreeIPA bug was opened. The patch then fell through the cracks.

Without this patch, if OTP validation runs long we get retransmits and failures. One question I have is how to handle this for upgrades since (I think) this patch only handles new installs.

Anyway, this patch is somewhat urgent now. So help is appreciated. I have attached a rebased version which has no other changes.

Nathaniel
From cf8b32db6b3b7766fcd2ecc7bff1f8b48bc344bf Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum <[email protected]> Date: Thu, 6 Nov 2014 17:19:31 -0500 Subject: [PATCH] Prefer TCP connections to UDP in krb5 clients https://fedorahosted.org/sssd/ticket/914 --- contrib/RHEL4/ipa-client-setup | 1 + install/share/krb5.conf.template | 1 + install/tools/ipa-replica-conncheck | 1 + ipa-client/ipa-install/ipa-client-install | 1 + 4 files changed, 4 insertions(+) diff --git a/contrib/RHEL4/ipa-client-setup b/contrib/RHEL4/ipa-client-setup index 4d1fead981d0e10232e974527222a2f9a62252b4..6edfa7c38a1d0c17236c3f755f3f7480b14d6a7c 100644 --- a/contrib/RHEL4/ipa-client-setup +++ b/contrib/RHEL4/ipa-client-setup @@ -310,6 +310,7 @@ def main(): libopts.append({'name':'dns_lookup_kdc', 'type':'option', 'value':'true'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) opts.append({'name':'libdefaults', 'type':'section', 'value':libopts}) opts.append({'name':'empty', 'type':'empty'}) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 7c82083e3331cfacccc1995cd9dfa6ddd88edd1f..6cb5ee34704cd6158e882bfa89fc597f3ff1bb0f 100644 --- a/install/share/krb5.conf.template +++ b/install/share/krb5.conf.template @@ -12,6 +12,7 @@ includedir /var/lib/sss/pubconf/krb5.include.d/ rdns = false ticket_lifetime = 24h forwardable = yes + udp_preference_limit = 0 $OTHER_LIBDEFAULTS [realms] $REALM = { diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index 88e42bafbc600fb7c36b7727c770e75edccd2196..22348fc2158e59afc2e1aa51e3d3f51e90b99e39 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck 
@@ -208,6 +208,7 @@ def configure_krb5_conf(realm, kdc, filename): libdefaults.append({'name':'rdns', 'type':'option', 'value':'false'}) libdefaults.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libdefaults.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libdefaults.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) opts.append({'name':'libdefaults', 'type':'section', 'value': libdefaults}) opts.append({'name':'empty', 'type':'empty'}) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 612ff62a12a24672e6bc390bcd5165cd20bf834a..0fe93a05b372b4304c30c9d6c488556d64929273 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1043,6 +1043,7 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, libopts.append({'name':'rdns', 'type':'option', 'value':'false'}) libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + libopts.append({'name':'udp_preference_limit', 'type':'option', 'value':'0'}) # Configure KEYRING CCACHE if supported if kernel_keyring.is_persistent_keyring_supported(): -- 2.1.0
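Review bot: in the install/share/krb5.conf.template hunk the new `udp_preference_limit = 0` relation is placed above `$OTHER_LIBDEFAULTS`, so a deployment that already passes its own udp_preference_limit through that variable ends up with the key twice in [libdefaults]; it would be worth either filtering that key out of $OTHER_LIBDEFAULTS or stating in the template which occurrence is meant to win, so the TCP-first intent is not silently overridden.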
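Review bot: the ipa-client/ipa-install/ipa-client-install and contrib/RHEL4/ipa-client-setup hunks only change configure_krb5_conf / main, which run at enrolment, so clients enrolled before this change keep whatever udp_preference_limit their krb5.conf already has and will still hit the retransmit failures the cover letter describes when OTP validation runs long; an upgrade step that adds the relation to an existing [libdefaults] section (or at least a release note asking admins to add it by hand) would close that gap.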
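Review bot: in the install/tools/ipa-replica-conncheck hunk the temporary krb5.conf written for the connection check now forces TCP as well, so a passing conncheck proves TCP reachability of the KDC but says nothing about UDP; that matches how enrolled clients will behave after this patch, but a sentence in the commit message would stop a later reader from treating the check as covering both transports.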
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
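The upgrade question raised in the message above (existing clients are not touched by the patch) can be answered with a small audit of an installed krb5.conf. The following is an added example, not code from the patch or from FreeIPA: it parses the subset of krb5.conf syntax the template uses, reports whether [libdefaults] already carries `udp_preference_limit = 0`, and inserts it when absent; the sample configuration, realm and host names are constructed.

```python
import re
# Added example, not code from the patch or the thread: audit an existing
# krb5.conf for the relation the patch adds and insert it when missing.
# Only the syntax the template uses is parsed: [sections], key = value,
# braced sub-blocks and include/includedir lines.
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
SAMPLE_CONF = """includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 rdns = false
 forwardable = yes
[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  udp_preference_limit = 0
 }
"""  # constructed sample; realm and host names are not from the thread

def libdefaults(text):
    """All (key, value) relations directly under [libdefaults], duplicates kept."""
    found, section, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.split()[0] in ("include", "includedir"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, depth = m.group(1).lower(), 0
        elif line.endswith("{"):  # braced sub-block (e.g. a realm): not libdefaults
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            found.append((key.strip(), value.strip()))
    return found

def prefers_tcp(text):
    """True only when udp_preference_limit is set exactly once, to 0."""
    return [v for k, v in libdefaults(text) if k == "udp_preference_limit"] == ["0"]

def ensure_tcp(text):
    """Add 'udp_preference_limit = 0' after [libdefaults] unless some value exists."""
    # A relation with another value is left alone so the conflict stays visible.
    if any(k == "udp_preference_limit" for k, _ in libdefaults(text)):
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip().lower() == "[libdefaults]":
            lines.insert(i + 1, " udp_preference_limit = 0\n")
            return "".join(lines)
    return text + "\n[libdefaults]\n udp_preference_limit = 0\n"
```

Note that the relation inside the realm block of the sample is deliberately ignored: only a [libdefaults] setting affects the client's transport choice.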
