[Freeipa-devel] [PATCH] Print warning about NTP

Karl MacMillan kmacmill at redhat.com
Mon Oct 22 15:58:38 UTC 2007


# HG changeset patch
# User "Karl MacMillan <kmacmill at redhat.com>"
# Date 1193068711 14400
# Node ID 492654169fe314db9c9324849e3e6c8657761c80
# Parent  f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
Print warning about NTP

After looking into setting up ntpd on the IPA servers I decided it
was better just to warn admins. There are just too many valid setups
for time synchronization for us to try to get this right. Additionally,
just installing ntp and accepting the default config will result in
a configuration that is perfectly valid for IPA.

This patch checks if ntpd is running and suggests enabling it if it
is not - for client and server. It also adds some suggested next
steps to the server installation.

diff -r f7f85a88b2b4 -r 492654169fe3 ipa-client/ipa-install/ipa-client-install
--- a/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 10:09:39 2007 -0400
+++ b/ipa-client/ipa-install/ipa-client-install	Mon Oct 22 11:58:31 2007 -0400
@@ -67,6 +67,14 @@ def logging_setup(options):
     console.setFormatter(formatter)
     logging.getLogger('').addHandler(console)
 
+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+
 def main():
     options = parse_options()
     logging_setup(options)
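
Review bot: check_ntp() has no handling for the case where /sbin/service cannot be executed. subprocess.Popen raises OSError when the binary is missing, and because the only caller runs at the very end of main(), after authconfig has already updated the system, an uncaught exception there would make a completed client install look like a failure. Catch OSError around the Popen call and return a non-zero value so the caller falls through to the warning. Two smaller points in the same function: `ret_code = 1` is assigned and never read, and stdout/stderr are captured but discarded, so either drop both or log the captured output at debug level. The hunk also relies on `subprocess` already being imported in this file, which is not visible here.
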
@@ -200,6 +208,11 @@ def main():
     #Modify pam to add pam_krb5
     run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
 
+    # print warning about ntp
+    if check_ntp() != 0:
+        print "WARNING: Kerberos requires time synchronization between clients"
+        print "and servers for correct operation. You should consider enabling ntpd."
+
     return 0
 
 main()
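
Review bot: the test `check_ntp() != 0` treats every non-zero result of `service ntpd status` as "ntpd is not running", so a host where ntpd is not installed, or one that keeps time by some other mechanism, is told "You should consider enabling ntpd." The commit message itself says there are too many valid time synchronization setups to pick one, so the warning should state the requirement (client and server clocks must be synchronized) and name ntpd as one way to meet it, for example "If time is not already synchronized by other means, consider enabling ntpd." Also consider emitting this through logging.warning rather than print, since logging_setup() already attaches a console handler and the warning would then follow the same path as the rest of the installer's messages.
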
diff -r f7f85a88b2b4 -r 492654169fe3 ipa-server/ipa-install/ipa-server-install
--- a/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 10:09:39 2007 -0400
+++ b/ipa-server/ipa-install/ipa-server-install	Mon Oct 22 11:58:31 2007 -0400
@@ -372,6 +372,15 @@ def read_admin_password():
     admin_password = read_password("IPA admin")
     return admin_password
 
+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+    
+
 def main():
     global ds
     ds = None
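
Review bot: this check_ntp() is a line-for-line copy of the one added to ipa-client-install, including the unused `ret_code = 1` and the discarded stdout/stderr. Put the function in a module both installers can import so the two copies cannot drift, and apply the same OSError handling there, since a missing /sbin/service would otherwise raise at the end of the server install as well. The added lines after `return p.returncode` also carry trailing whitespace (`+    `) and an extra blank line that should be removed.
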
@@ -584,6 +593,28 @@ def main():
     fd.write("realm=" + realm_name + "\n")
     fd.close()
 
+    print "=============================================================================="
+    print "Setup complete"
+    print ""
+    print "Next steps:"
+    print "\t1. You may need to open some network ports - specifically:"
+    print "\t\tTCP Ports:"
+    print "\t\t  * 80, 443, 8080: HTTP/HTTPS"
+    print "\t\t  * 389, 636: LDAP/LDAPS"
+    print "\t\t  * 464: kpasswd"
+    print "\t\tUDP Ports:"
+    print "\t\t  * 88, 750: kerberos"
+    print ""
+    print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
+    print "\t   This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
+    print "\t   and the web user interface."
+
+    if check_ntp() != 0:
+        print "\t3. Kerberos requires time synchronization between clients"
+        print "\t   and servers for correct operation. You should consider enabling ntpd."
+
+
+
     return 0
 
 try:
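
Review bot: the port list in step 1 puts 464 (kpasswd) under TCP only and 88, 750 (kerberos) under UDP only; please confirm that the KDC and kpasswd service this installer configures do not also listen on the other protocol, because an admin who opens exactly what is printed here will otherwise see intermittent ticket or password-change failures that are hard to trace back to the firewall. If both protocols are in use, list each port under both headings. The NTP item has the same issue as on the client: any non-zero status from check_ntp() produces "You should consider enabling ntpd." even where time is synchronized another way, so word it around the requirement. The three blank `+` lines before `return 0` can be dropped.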



