Intermittent failures of mod_krb5

Adam Bishop Adam.Bishop at jisc.ac.uk
Thu Mar 1 19:27:59 CET 2018


On Mar 1, 2018, at 8:56 AM, Brian Candler <b.candler at pobox.com> wrote:
>> Many thanks for the hints, especially KRB5_TRACE.
>> 
>> It certainly looks like the KDC (Samba4) is taking a long time to reply. In the example below, when freeradius gets a UDP response saying the data is too big for UDP, it reconnects over TCP. This happens twice - once to get a TGT for the authenticating user and once to get a service ticket - and these are taking 2.4 and 6.2 seconds respectively. With additional UDP round-trips, the whole thing is taking nearly 12 seconds in the example below.

This is fairly common with Windows Kerberos - the size of the ticket is directly proportional to the number of times certain changes have been made to the principal, and the number of groups the principal is a member of.

Microsoft's implementation has a setting to allow larger payloads (not sure about Samba), but that can cause other issues if you have e.g. a VPN in play, so the best solution is just to prefer TCP if speed is an issue.

Have you looked at building FreeRADIUS with libwbclient instead, or maybe looking at if you could use sssd to cache?

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
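A small parser for the KRB5_TRACE timings Brian describes, added here as an example and not code from the thread; the trace lines are constructed in the shape of MIT krb5 trace output, and the KDC address 10.0.0.5, principals and sizes are placeholders. It pairs each request with its answer so the slow TCP legs and the wasted UDP round trips stand out.

```python
import re

# Constructed sample in the shape of KRB5_TRACE output (not a real capture):
# two UDP requests answered "too big", each followed by a slow TCP retry.
SAMPLE_TRACE = """\
[4242] 1519899001.000000: Getting initial credentials for user@EXAMPLE.ORG
[4242] 1519899001.001000: Sending initial UDP request to dgram 10.0.0.5:88
[4242] 1519899001.050000: Received answer (302 bytes) from dgram 10.0.0.5:88
[4242] 1519899001.050100: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[4242] 1519899001.052000: Sending TCP request to stream 10.0.0.5:88
[4242] 1519899003.452000: Received answer (6140 bytes) from stream 10.0.0.5:88
[4242] 1519899003.454000: Sending initial UDP request to dgram 10.0.0.5:88
[4242] 1519899003.500000: Received answer (298 bytes) from dgram 10.0.0.5:88
[4242] 1519899003.500100: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[4242] 1519899003.501000: Sending TCP request to stream 10.0.0.5:88
[4242] 1519899009.701000: Received answer (6300 bytes) from stream 10.0.0.5:88
"""

LINE_RE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")   # "[pid] epoch.usec: message"

def parse_exchanges(trace):
    """Pair each 'Sending ... request' with the next 'Received answer'; returns (transport, seconds, answer_bytes)."""
    exchanges, pending = [], None
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if msg.startswith("Sending") and "UDP request" in msg:
            pending = ("udp", ts)
        elif msg.startswith("Sending TCP request"):
            pending = ("tcp", ts)
        elif msg.startswith("Received answer") and pending:
            size = re.search(r"\((\d+) bytes\)", msg)
            exchanges.append((pending[0], round(ts - pending[1], 3),
                              int(size.group(1)) if size else None))
            pending = None
    return exchanges

def summarize(trace):
    """Totals worth looking at: fallbacks, time per TCP leg, total time spent waiting on the KDC."""
    ex = parse_exchanges(trace)
    return {
        "round_trips": len(ex),
        "udp_to_tcp_fallbacks": sum("retry with TCP" in l for l in trace.splitlines()),
        "tcp_seconds": [s for t, s, _ in ex if t == "tcp"],
        "kdc_seconds": round(sum(s for _, s, _ in ex), 3),
    }
```

With MIT krb5, `udp_preference_limit = 1` under `[libdefaults]` in krb5.conf makes the library try TCP first, which removes the failed UDP leg counted in `udp_to_tcp_fallbacks`.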
