On Thu, 06 Nov 2014 18:00:21 -0500 Nathaniel McCallum <npmccal...@redhat.com> wrote:
> On Fri, 2013-10-04 at 06:12 -0400, Simo Sorce wrote: > > > > ----- Original Message ----- > > > On 3.10.2013 23:43, Nathaniel McCallum wrote: > > > > Patch attached. > > > > > > I'm curious - what is the purpose of this patch? To prevent 1 > > > second timeouts and re-transmits when OTP is in place? > > > > > > What is the expected performance impact? Could it be configured > > > for OTP separately - somehow? (I guess that it is not possible > > > now ...) > > > > It benefits also communication of large packets (when large MS-PAC > > or CAMMAC AD Data are attached), so it is a better choice for IPA > > in general. Especially given we have multiple KDC processes > > configured we do not want clients wasting KDC resources by making > > multiple processes do the same operation. > > So apparently this patch never got reviewed over a year ago. > > It was related to a bug which was opened in SSSD. However, when it > became clear we wanted to solve this in FreeIPA, the SSSD bug was > closed but no corresponding FreeIPA bug was opened. The patch then > fell through the cracks. > > Without this patch, if OTP validation runs long we get retransmits and > failures. > > One question I have is how to handle this for upgrades since (I think) > this patch only handles new installs. > > Anyway, this patch is somewhat urgent now. So help is appreciated. > > I have attached a rebased version which has no other changes. > > Nathaniel I am not sure we can do much on updates, we do not have a client-update tool, I would just document it I guess. Otherwise we'd have to go back to sssd which can inject additional values in krb5.conf, however I am not sure it would be ok to set something like this in the sssd's pubconf includes ... Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel