Discussion:
Aggressive kinit timeouts
Jonathan Maron
2018-08-07 10:46:54 UTC
Permalink
Hi,

We have an LDAP realm setup that doesn’t communicate with a local LDAP DB, but rather goes through a number of gateways to access a remote LDAP resource. This introduces some latency that at times exceeds 1 second. That appears to be an issue - we often see authentication failures, possibly since the order of responses for repeated AS_REQ may be out of order? Anyhow, we are definitely seeing auth failures, and the 1 second timeout appears to play a role.

We are unfortunately still using version 1.10. Has this issue been addressed in subsequent versions? Is the 1 second timeout now configurable?

— Jon


_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.
Greg Hudson
2018-08-07 14:15:57 UTC
Permalink
Please use ***@mit.edu for operational questions like this. For
simplicity I will go ahead and answer here.
Post by Jonathan Maron
We have an LDAP realm setup that doesn’t communicate with a local LDAP DB, but rather goes through a number of gateways to access a remote LDAP resource. This introduces some latency that at times exceeds 1 second. That appears to be an issue - we often see authentication failures, possibly since the order of responses for repeated AS_REQ may be out of order? Anyhow, we are definitely seeing auth failures, and the 1 second timeout appears to play a role.
I'm not sure how out-of-order responses could account for the problem.
After one second, the client retransmits or tries a different KDC, but
neither request should result in a failure.
Post by Jonathan Maron
We are unfortunately still using version 1.10. Has this issue been addressed in subsequent versions? Is the 1 second timeout now configurable?
It's not configurable, but as of 1.12, if you use TCP, the client waits
ten seconds before moving on if the KDC accepts the TCP connection
within one second. You can use "udp_preference_limit = 0" in
[libdefaults] to force the initial use of TCP.
_______________________________________________
krbdev mailing list ***@m
Jonathan Maron
2018-08-07 14:21:41 UTC
Permalink
Post by Jonathan Maron
We have an LDAP realm setup that doesn’t communicate with a local LDAP DB, but rather goes through a number of gateways to access a remote LDAP resource. This introduces some latency that at times exceeds 1 second. That appears to be an issue - we often see authentication failures, possibly since the order of responses for repeated AS_REQ may be out of order? Anyhow, we are definitely seeing auth failures, and the 1 second timeout appears to play a role.
I'm not sure how out-of-order responses could account for the problem. After one second, the client retransmits or tries a different KDC, but neither request should result in a failure.
Difficult for me to dig any further, but I can see that the elapsed time it greater than a second (sometimes as long as 3 seconds), and the the authentication attempt fails.
Post by Jonathan Maron
We are unfortunately still using version 1.10. Has this issue been addressed in subsequent versions? Is the 1 second timeout now configurable?
It's not configurable, but as of 1.12, if you use TCP, the client waits ten seconds before moving on if the KDC accepts the TCP connection within one second. You can use "udp_preference_limit = 0" in [libdefaults] to force the initial use of TCP.
That’s helpful. Thanks!


_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbde
Jonathan Maron
2018-08-13 13:52:40 UTC
Permalink
Post by Jonathan Maron
We have an LDAP realm setup that doesn’t communicate with a local LDAP DB, but rather goes through a number of gateways to access a remote LDAP resource. This introduces some latency that at times exceeds 1 second. That appears to be an issue - we often see authentication failures, possibly since the order of responses for repeated AS_REQ may be out of order? Anyhow, we are definitely seeing auth failures, and the 1 second timeout appears to play a role.
I'm not sure how out-of-order responses could account for the problem. After one second, the client retransmits or tries a different KDC, but neither request should result in a failure.
Post by Jonathan Maron
We are unfortunately still using version 1.10. Has this issue been addressed in subsequent versions? Is the 1 second timeout now configurable?
It's not configurable, but as of 1.12, if you use TCP, the client waits ten seconds before moving on if the KDC accepts the TCP connection within one second. You can use "udp_preference_limit = 0" in [libdefaults] to force the initial use of TCP.
We’ve updated our client (kinit) to version 1.16.1 and do see the behavior you describe. We are noticing some issues with the KDC appearing not to accept TCP connections? Could this be due to the version discrepancy (client 1.16, server 1.10) and the change to TCP connection acceptance behavior in 1.13?


_______________________________________________
krbdev mailing list ***@mit.e
Greg Hudson
2018-08-13 14:35:37 UTC
Permalink
Post by Jonathan Maron
We’ve updated our client (kinit) to version 1.16.1 and do see the behavior you describe. We are noticing some issues with the KDC appearing not to accept TCP connections? Could this be due to the version discrepancy (client 1.16, server 1.10) and the change to TCP connection acceptance behavior in 1.13?
In 1.10 you have to explicit configure the KDC to accept TCP connections
(by setting "kdc_tcp_ports = 88" in [kdcdefaults] or the realm
subsection), but I'm not aware of any other issues.
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/

Loading...