Score:1

FreeIPA authentication issues across high latency link?

ph flag

We recently set up a FreeIPA server. We're using it for central user management, DNS, and CA. It's been working great with one exception.

Some of the workstations that authenticate with this FreeIPA server are several thousands of miles away. Round Trip Time is about 300 ms. We've noticed some unpredictable authentication failures on these machines. One second they'll fail to authenticate a login attempt and then they'll succeed to authenticate only seconds later. We're thinking that the delay is the culprit.

Is there a way to extend the timeout on the clients? Alternatively, we've been considering setting up an IPA replica at the location where these workstations reside. How would the high latency link affect the replica's ability to replicate with the primary server?

ph flag
I've noticed the following message in the sssd.log: "Timeout for child reached. In case KDC is distant or network is slow you may consider increasing value of krb5_auth_timeout." I suspect this is a symptom of our high latency link.
cn flag
300 ms is not distance. Europe to America is 50 ms to maybe 75; 300 would be multiple times around the planet. Low latency links (like satellite?) Also note that "extend the timeout on the clients" is not a FreeIPA question, but depends on the client.
ph flag
I suppose I wasn't concerned about being precise when I said it was 300 ms. I was guesstimating there. I just tried to ping the IPA server and got a round trip time of 240 ms; so maybe 120 ms there and another 120 ms back. So perhaps there are other networking devices along the way that are slowing it down. The clients are Rocky 8.7 machines running the SSSD service. SSSD appears to be configured to use Kerberos authentication. I just found I might be able to use the "krb5_auth_timeout" option in the sssd.conf file. Maybe that'll help.
ph flag
I've discovered new details. I no longer believe this is a latency issue. I've discovered that not all machines are suffering from authentication issues. In fact, I've discovered that the sssd service is restarting almost exactly every 1 minute 52 seconds on three machines. In fact, all three machines restart their sssd service at the exact same time on a 1 minute 52 second tempo. At the time that they restart I see (stop-sigterm). So something is sending a signal to them to restart. Assuming I'm interpreting that correctly.
Score:0
ph flag

Holy crap! I've found the problem. Without going into too much detail, essentially someone had created a crontab that is triggering every 2 minutes. The crontab entry kicks off a script that checks the state of the sssd service and restarts it if it's in a hung or weird state. However, the script is evaluating the state of the sssd service incorrectly and has been restarting it every time the crontab triggered. Someone's going to get an earful in the morning.
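A watchdog of the kind described above only does harm if its health test is wrong, so the decision logic should be a pure function of systemd's reported state that can be checked without a live box. The script below is an added example, not the cron script from this thread; the `sssd_action` and `watchdog_live` names are mine, and it assumes the states come from `systemctl show -p ActiveState/SubState --value sssd`.

```bash
#!/bin/bash
# sssd watchdog decision: prints "restart" or "leave" for a given
# systemd ActiveState/SubState pair and always exits 0, so the logic
# can be unit-tested with constructed inputs before it ever runs from cron.
sssd_action() {
    local active_state="$1"   # from: systemctl show -p ActiveState --value sssd
    local sub_state="$2"      # from: systemctl show -p SubState --value sssd
    case "$active_state" in
        active)
            # Healthy sssd reports active/running. "active" with any other
            # sub-state (e.g. exited) means the main process is gone.
            if [ "$sub_state" = "running" ]; then echo leave; else echo restart; fi ;;
        failed)
            echo restart ;;
        activating|deactivating|reloading)
            # In transition: restarting now would only lengthen the outage
            # and kill any in-flight logins.
            echo leave ;;
        inactive)
            # Stopped deliberately (or masked); do not second-guess an admin.
            echo leave ;;
        *)
            echo leave ;;
    esac
}

# Live wrapper, run from cron as "sssd-watchdog.sh --live".
# Note: a process that is active/running but unresponsive ("hung") is not
# detected here; that needs an application-level probe, not a state string.
watchdog_live() {
    local a s
    a=$(systemctl show -p ActiveState --value sssd)
    s=$(systemctl show -p SubState --value sssd)
    if [ "$(sssd_action "$a" "$s")" = restart ]; then
        logger -t sssd-watchdog "sssd is ${a}/${s}; restarting"
        systemctl restart sssd
    else
        logger -t sssd-watchdog "sssd is ${a}/${s}; no action"
    fi
}

if [ "${1:-}" = "--live" ]; then
    watchdog_live
fi
```

Every restart decision is logged, so a watchdog firing on a fixed period, as in the 1 minute 52 second pattern noticed above, shows up in the journal immediately.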
