• Kerberos TCP retries

    From Dejmek Pavel@pavel.dejmek@o2.cz to kerberos@mit.edu on Sun Aug 4 12:45:38 2024
    From Newsgroup: comp.protocols.kerberos

    Hello,

    We have been testing integration between Linux servers (RHEL) and
    Windows Active Directory + MFA solution from Silverfort.
    Linux servers (RHEL 9.4) are using sssd + Kerberos 1.21.1.

    When a user wants to log in to Linux, the Kerberos client running on Linux successfully opens a TCP session towards the Windows server and sends the request.
    Due to the MFA implementation it takes some time until the response is sent
    back. The user has to find his phone, unlock it, find the push notification,
    confirm..

    We discovered that the Kerberos client retries sending the request after 10sec,
    and unfortunately it means that another MFA request is sent.
    Is there any way to extend this period (10sec to 60sec)?

    I have found one commit which can fix this issue, it is #9105 "Wait indefinitely on KDC TCP connections".
    Is there any plan to include this commit in a future release?

    Thank you for your help

    Pavel Dejmek


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Ken Hornstein@kenh@cmf.nrl.navy.mil to Dejmek Pavel on Sun Aug 4 12:52:26 2024
    From Newsgroup: comp.protocols.kerberos

    > We discovered that the Kerberos client retries sending the request after 10sec
    > and unfortunately it means that another MFA request is sent. Is there
    > any way to extend this period (10sec to 60sec)?
    >
    > I have found one commit which can fix this issue, it is #9105 "Wait
    > indefinitely on KDC TCP connections". Is there any plan to include this
    > commit in a future release?

    We actually had this discussion here last week:

    https://mailman.mit.edu/pipermail/kerberos/2024-July/023175.html

    The answers to your questions are: there is no knob to adjust the
    client timeout and the above commit will be in MIT Kerberos 1.22.

    --Ken
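Added example, not part of either message and not MIT krb5 code: a toy timing model of the behaviour Pavel describes and Ken confirms, counting how many MFA pushes one login generates when the client resends the KDC request every `retry_interval` seconds versus waiting indefinitely on the TCP connection. `mfa_delay`, `retry_interval` and `deadline` (the point at which the login gives up) are assumed parameters of the model.

```python
"""Toy model of KDC request retries in front of an MFA-gated KDC.

Constructed model (not krb5 source): the client sends one request over TCP at
t=0 and, under a fixed timeout policy, resends it every `retry_interval`
seconds until a reply arrives or `deadline` passes. The KDC answers every
request it receives after `mfa_delay` seconds, and every request it receives
fires one MFA push to the user's phone.
"""
from dataclasses import dataclass
from math import inf
from typing import List, Optional


@dataclass
class Outcome:
    request_times: List[float]   # when each request (and thus each MFA push) went out
    reply_time: Optional[float]  # when the first reply reached the client, or None


def mfa_pushes(mfa_delay: float, retry_interval: Optional[float],
               deadline: float = inf) -> Outcome:
    """retry_interval=None models 'wait indefinitely on the TCP connection';
    a number models a fixed per-connection timeout after which the client resends."""
    interval = inf if retry_interval is None else retry_interval
    request_times = [0.0]
    t = 0.0
    while True:
        # All requests take mfa_delay, so the first one sent is the first answered.
        first_reply = request_times[0] + mfa_delay
        next_retry = t + interval
        if first_reply <= min(next_retry, deadline):
            return Outcome(request_times, first_reply)   # reply wins the race
        if next_retry >= deadline:
            return Outcome(request_times, None)          # login timed out
        t = next_retry
        request_times.append(t)                          # another push fires


def push_count(mfa_delay: float, retry_interval: Optional[float],
               deadline: float = inf) -> int:
    """Number of MFA pushes the user sees for one login attempt."""
    return len(mfa_pushes(mfa_delay, retry_interval, deadline).request_times)


if __name__ == "__main__":
    # User takes 25 s to approve the push; login gives up after 60 s.
    for label, interval in (("10s retry", 10.0), ("60s retry", 60.0), ("wait", None)):
        out = mfa_pushes(25.0, interval, 60.0)
        print(f"{label:10s} pushes={len(out.request_times)} reply_at={out.reply_time}")
```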