[Freeipa-devel] [PATCH] NTP configuration for client and server

Karl MacMillan kmacmill at redhat.com
Thu Nov 1 19:35:09 UTC 2007


# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193945702 14400
# Node ID 919346fa283e74afc386a46b7ec3e6f27af4af12
# Parent  c0f72de1e5d83c8536a46c193989b78609506c29
NTP configuration for client and server.

Configure IPA servers as an NTP server and configure clients
to (by default) use the IPA server as their NTP server.

Also corrected the messages about which ports should
be opened.

diff -r c0f72de1e5d8 -r 919346fa283e ipa-client/ipa-install/ipa-client-install
--- a/ipa-client/ipa-install/ipa-client-install	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-client/ipa-install/ipa-client-install	Thu Nov 01 15:35:02 2007 -0400
@@ -30,6 +30,7 @@ from optparse import OptionParser
 from optparse import OptionParser
 import ipaclient.ipadiscovery
 import ipaclient.ipachangeconf
+import ipaclient.ntpconf
 from ipa.ipautil import run
 
 def parse_options():
@@ -43,6 +44,8 @@ def parse_options():
                       default=False, help="print debugging information")
     parser.add_option("-U", "--unattended", dest="unattended",
                       help="unattended installation never prompts the user")
+    parser.add_option("-N", "--no-ntp", action="store_false",
+                      help="do not configure ntp", default=True, dest="conf_ntp")
 
     options, args = parser.parse_args()
 
@@ -67,14 +70,6 @@ def logging_setup(options):
     console.setFormatter(formatter)
     logging.getLogger('').addHandler(console)
 
-def check_ntp():
-    ret_code = 1
-    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
-                         stderr=subprocess.PIPE)
-    stdout, stderr = p.communicate()
-
-    return p.returncode
-
 def main():
     options = parse_options()
     logging_setup(options)
@@ -208,10 +203,8 @@ def main():
     #Modify pam to add pam_krb5
     run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
 
-    # print warning about ntp
-    if check_ntp() != 0:
-        print "WARNING: Kerberos requires time synchronization between clients"
-        print "and servers for correct operation. You should consider enabling ntpd."
+    if options.conf_ntp:
+        ipaclient.ntpconf.config_ntp(ds.getServerName())
 
     return 0
 
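Review bot: The Kerberos time-sync warning is dropped entirely on the `--no-ntp` path, so a client whose clock is not synchronised by some other means gets no hint when kinit later fails with clock skew. Keep the old message in an `else:` branch: `else:` / `print "WARNING: Kerberos requires time synchronization between clients and servers; ntp was not configured (--no-ntp)."`. Note also that the server name handed to `config_ntp` comes from discovery (`ds` is defined outside this hunk) and is written into /etc/ntp.conf with no NTP authentication, so the client trusts whichever host discovery returned for time. main() continues outside the hunk.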
diff -r c0f72de1e5d8 -r 919346fa283e ipa-client/ipaclient/Makefile.am
--- a/ipa-client/ipaclient/Makefile.am	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-client/ipaclient/Makefile.am	Thu Nov 01 15:35:02 2007 -0400
@@ -6,6 +6,7 @@ app_PYTHON = 			\
 	dnsclient.py		\
 	ipachangeconf.py	\
 	ipadiscovery.py		\
+	ntpconf.py		\
 	$(NULL)
 
 EXTRA_DIST =			\
diff -r c0f72de1e5d8 -r 919346fa283e ipa-client/ipaclient/ntpconf.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-client/ipaclient/ntpconf.py	Thu Nov 01 15:35:02 2007 -0400
@@ -0,0 +1,89 @@
+# Authors: Karl MacMillan <kmacmillan at redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+from ipa.ipautil import *
+import shutil
+
+ntp_conf = """# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1 
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server $SERVER
+
+#broadcast 192.168.1.255 key 42		# broadcast server
+#broadcastclient			# broadcast client
+#broadcast 224.0.1.1 key 42		# multicast server
+#multicastclient 224.0.1.1		# multicast client
+#manycastserver 239.255.254.254		# manycast server
+#manycastclient 239.255.254.254 key 42	# manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available. 
+server	127.127.1.0	# local clock
+#fudge	127.127.1.0 stratum 10	
+
+# Drift file.  Put this in a directory which the daemon can write to.
+# No symbolic links allowed, either, since the daemon updates the file
+# by creating a temporary in the same directory and then rename()'ing
+# it to the file.
+driftfile /var/lib/ntp/drift
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography. 
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+"""
+
+def config_ntp(server_fqdn):
+    sub_dict = { }
+    sub_dict["SERVER"] = server_fqdn
+    
+    nc = template_str(ntp_conf, sub_dict)
+    
+    shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
+    
+    fd = open("/etc/ntp.conf", "w")
+    fd.write(nc)
+    fd.close()
+
+    # Set the ntpd to start on boot
+    run(["/sbin/chkconfig", "ntpd", "on"])
+    
+    # Restart ntpd
+    run(["/sbin/service", "ntpd", "restart"])
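Review bot: `config_ntp` calls `shutil.copy("/etc/ntp.conf", ...)` with no guard, so on a host where the ntp package is absent the client install dies with an uncaught IOError traceback after authconfig has already rewritten PAM/Kerberos settings; guard it with `if file_exists("/etc/ntp.conf"):` (if the ipautil star import provides that helper, as ntpinstance.py assumes) or check for ntpd before touching anything. `server_fqdn` comes from DNS discovery and is pasted into the config by `template_str` unvalidated; a one-line check such as `if not re.match(r'^[A-Za-z0-9.-]+$', server_fqdn): raise ValueError("bad ntp server name: %r" % server_fqdn)` (adding `import re`) keeps a malformed name from turning into extra ntp.conf directives. The template also keeps `server 127.127.1.0` with its `fudge 127.127.1.0 stratum 10` line commented out, so a client that loses the IPA server free-runs on its local clock at the driver's default stratum rather than failing visibly; either drop the local clock on clients or uncomment the fudge line. The `keys /etc/ntp/keys` line is inert without `trustedkey`, which is fine, but a comment saying the client relies on network trust rather than NTP authentication would save the next reader a question.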
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipa-install/ipa-server-install
--- a/ipa-server/ipa-install/ipa-server-install	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-server/ipa-install/ipa-server-install	Thu Nov 01 15:35:02 2007 -0400
@@ -41,10 +41,13 @@ import glob
 import glob
 import traceback
 from optparse import OptionParser
+
 import ipaserver.dsinstance
 import ipaserver.krbinstance
 import ipaserver.bindinstance
 import ipaserver.httpinstance
+import ipaserver.ntpinstance
+
 from ipa.ipautil import run
 
 def parse_options():
@@ -542,6 +545,10 @@ def main():
     ds.restart()
     krb.restart()
 
+    # Configure ntpd
+    ntp = ipaserver.ntpinstance.NTPInstance()
+    ntp.create_instance()
+
     try:
         selinux=0
         try:
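Review bot: `ntp.create_instance()` runs outside the try/except that reports install failures, and since it only copies and writes files a missing /etc/ntp.conf (ntp package not installed) surfaces as a raw IOError traceback after the directory server and KDC have already been configured and restarted. Either check for ntpd and /etc/ntp.conf before any service is configured, or wrap the call and report it the same way as the CalledProcessError branch: `except (IOError, OSError), e: print "Installation failed:", e; return 1`. main() begins and ends outside this hunk.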
@@ -588,6 +595,12 @@ def main():
 
         # Start Kpasswd
         run(["/sbin/service", "ipa-kpasswd", "start"])
+
+        # Set the ntpd to start on boot
+        run(["/sbin/chkconfig", "ntpd", "on"])
+
+        # Restart ntpd
+        run(["/sbin/service", "ntpd", "restart"])
     except subprocess.CalledProcessError, e:
         print "Installation failed:", e
         return 1
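Review bot: Enabling and restarting ntpd here duplicates what the client side does inside `ipaclient.ntpconf.config_ntp`; for consistency the `chkconfig`/`service` calls belong in `NTPInstance.create_instance`, which currently only writes the file. The restart also comes after the KDC and kpasswd are already serving, so tickets may be issued before the clock is disciplined; the `ntpd -qg` step the ntpinstance comment mentions would belong before `krb.restart()`, not here. The enclosing try block starts outside this hunk.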
@@ -610,9 +623,10 @@ def main():
     print "\t\tTCP Ports:"
     print "\t\t  * 80, 443, 8080: HTTP/HTTPS"
     print "\t\t  * 389, 636: LDAP/LDAPS"
-    print "\t\t  * 464: kpasswd"
+    print "\t\t  * 88, 464: kerberos"
     print "\t\tUDP Ports:"
-    print "\t\t  * 88, 750: kerberos"
+    print "\t\t  * 88, 464: kerberos"
+    print "\t\t  * 123: ntp"
     print ""
     print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
     print "\t   This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipa-install/share/Makefile.am
--- a/ipa-server/ipa-install/share/Makefile.am	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-server/ipa-install/share/Makefile.am	Thu Nov 01 15:35:02 2007 -0400
@@ -16,6 +16,7 @@ app_DATA =			\
 	krb5.ini.template	\
 	krb.con.template	\
 	krbrealm.con.template	\
+	ntp.conf.server.template \
 	$(NULL)
 
 EXTRA_DIST =			\
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipa-install/share/ntp.conf.server.template
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipa-install/share/ntp.conf.server.template	Thu Nov 01 15:35:02 2007 -0400
@@ -0,0 +1,50 @@
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap
+restrict -6 default kod nomodify notrap
+
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1 
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server $SERVERA
+server $SERVERB
+server $SERVERC
+
+#broadcast 192.168.1.255 key 42		# broadcast server
+#broadcastclient			# broadcast client
+#broadcast 224.0.1.1 key 42		# multicast server
+#multicastclient 224.0.1.1		# multicast client
+#manycastserver 239.255.254.254		# manycast server
+#manycastclient 239.255.254.254 key 42	# manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available. 
+server	127.127.1.0	# local clock
+#fudge	127.127.1.0 stratum 10	
+
+# Drift file.  Put this in a directory which the daemon can write to.
+# No symbolic links allowed, either, since the daemon updates the file
+# by creating a temporary in the same directory and then rename()'ing
+# it to the file.
+driftfile /var/lib/ntp/drift
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography. 
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
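Review bot: The server's `restrict default` lines (the first two directives of the template) omit `noquery` and `nopeer`, unlike the client template, so any host that can reach UDP/123 can issue ntpq/ntpdc control and monitor queries (mode 6/7) against the IPA server and can attempt a symmetric peer association; serving time to clients only needs mode 3/4 packets, which neither keyword affects. Change both lines to `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default kod nomodify notrap nopeer noquery`; the pool servers are configured as `server`, not `peer`, so nothing legitimate needs peering. The `fudge 127.127.1.0 stratum 10` line is left commented out, so the local clock runs at the driver's default stratum; uncommenting it keeps the undisciplined clock from competing with the pool servers when they are reachable.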
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipaserver/Makefile.am
--- a/ipa-server/ipaserver/Makefile.am	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-server/ipaserver/Makefile.am	Thu Nov 01 15:35:02 2007 -0400
@@ -8,6 +8,7 @@ app_PYTHON = 			\
 	ipaldap.py		\
 	krbinstance.py		\
 	httpinstance.py		\
+	ntpinstance.py		\
 	$(NULL)
 
 EXTRA_DIST =			\
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipaserver/dsinstance.py
--- a/ipa-server/ipaserver/dsinstance.py	Thu Nov 01 11:23:34 2007 -0400
+++ b/ipa-server/ipaserver/dsinstance.py	Thu Nov 01 15:35:02 2007 -0400
@@ -26,8 +26,6 @@ import pwd
 import pwd
 from ipa.ipautil import *
 
-
-SHARE_DIR = "/usr/share/ipa/"
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
 
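Review bot: `SHARE_DIR` is removed from dsinstance.py, yet the new ntpinstance.py reads `SHARE_DIR` through `from ipa.ipautil import *` and dsinstance.py presumably still uses it; no hunk in this patch adds `SHARE_DIR` to ipa.ipautil. If ipautil does not already define it (not visible here), both modules will raise NameError at install time — please confirm, or keep the constant in dsinstance until the move lands.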
diff -r c0f72de1e5d8 -r 919346fa283e ipa-server/ipaserver/ntpinstance.py
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/ipaserver/ntpinstance.py	Thu Nov 01 15:35:02 2007 -0400
@@ -0,0 +1,50 @@
+# Authors: Karl MacMillan <kmacmillan at redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+from ipa.ipautil import *
+import shutil
+
+class NTPInstance:
+    def create_instance(self):
+        # The template sets the config to point towards ntp.pool.org, but
+        # they request that software not point towards the default pool.
+        # We use the OS variable to point it towards either the rhel
+        # or fedora pools. Other distros should be added in the future
+        # or we can get our own pool.
+        os = ""
+        if file_exists("/etc/fedora-release"):
+            os = "fedora."
+        elif file_exists("/etc/redhat-release"):
+            os = "rhel."
+
+        sub_dict = { }
+        sub_dict["SERVERA"] = "0.%spool.ntp.org" % os
+        sub_dict["SERVERB"] = "1.%spool.ntp.org" % os
+        sub_dict["SERVERC"] = "2.%spool.ntp.org" % os
+
+        ntp_conf = template_file(SHARE_DIR + "ntp.conf.server.template", sub_dict)
+
+        shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
+
+        fd = open("/etc/ntp.conf", "w")
+        fd.write(ntp_conf)
+        fd.close()
+
+        # we might consider setting the date manually using ntpd -qg in case
+        # the current time is very far off.
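Review bot: The local variable `os` (line `os = ""`) shadows the `os` module if the `from ipa.ipautil import *` above re-exports it, and it reads as the module at a glance; rename it, e.g. `distro = ""` and `"0.%spool.ntp.org" % distro`. The comment above it says `ntp.pool.org`; the project is `pool.ntp.org`. `create_instance` copies /etc/ntp.conf without checking it exists, so a server without the ntp package aborts with an IOError, and unlike the client-side `config_ntp` it never enables or restarts ntpd (the caller does), which deserves a docstring such as `"""Write a pool-based /etc/ntp.conf for the IPA server; the caller enables and restarts ntpd."""`. The trailing `ntpd -qg` remark is a TODO and should be marked as one.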



