Intermittent failures of mod_krb5
Alan DeKok
aland at deployingradius.com
Thu Mar 1 15:11:41 CET 2018
On Mar 1, 2018, at 8:56 AM, Brian Candler <b.candler at pobox.com> wrote:
>
> Many thanks for the hints, especially KRB5_TRACE.
>
> It certainly looks like the KDC (Samba4) is taking a long time to reply. In the example below, when freeradius gets a UDP response saying the data is too big for UDP, it reconnects over TCP. This happens twice - once to get a TGT for the authenticating user and once to get a service ticket - and these are taking 2.4 and 6.2 seconds respectively. With additional UDP round-trips, the whole thing is taking nearly 12 seconds in the example below.
Yeah. There's little you can do to FreeRADIUS to fix that.
> My suspicion is something DNS-related, although Samba4 is authoritative for both the forward and reverse domains in question.
Maybe not DNS... DNS timeouts are usually 30s. A 2-4s delay is likely something else.
Alan DeKok.