[Freeipa-devel] [PATCH] Print warning about NTP
Simo Sorce
ssorce at redhat.com
Mon Oct 22 17:01:24 UTC 2007
On Mon, 2007-10-22 at 11:58 -0400, Karl MacMillan wrote:
> # HG changeset patch
> # User "Karl MacMillan <kmacmill at redhat.com>"
> # Date 1193068711 14400
> # Node ID 492654169fe314db9c9324849e3e6c8657761c80
> # Parent f7f85a88b2b4c1f21a97348fc5237be473c3e2fa
> Print warning about NTP
>
> After looking into setting up ntpd on the IPA servers I decided it
> was better just to warn admins. There are just too many valid setups
> for time synchronization for us to try to get this right. Additionally,
> just installing ntp and accepting the default config will result in
> a configuration that is perfectly valid for IPA.
>
> This patch checks if ntpd is running and suggests enabling it if it
> is not - for client and server. It also adds some suggested next
> steps to the server installation.
Should we add something in the bind zone we create to point at master
servers as ntp masters as well? Is there a specific SRV record for ntp
servers?
> diff -r f7f85a88b2b4 -r 492654169fe3 ipa-client/ipa-install/ipa-client-install
> --- a/ipa-client/ipa-install/ipa-client-install Mon Oct 22 10:09:39 2007 -0400
> +++ b/ipa-client/ipa-install/ipa-client-install Mon Oct 22 11:58:31 2007 -0400
> @@ -67,6 +67,14 @@ def logging_setup(options):
> console.setFormatter(formatter)
> logging.getLogger('').addHandler(console)
>
> +def check_ntp():
> + ret_code = 1
> + p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
> + stderr=subprocess.PIPE)
> + stdout, stderr = p.communicate()
> +
> + return p.returncode
> +
> def main():
> options = parse_options()
> logging_setup(options)
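Review bot: in `check_ntp()` the `ret_code = 1` assignment and the `stdout, stderr` tuple from `communicate()` are never used; either drop them or return `ret_code` on the failure path. Also `subprocess.Popen` raises `OSError` when `/sbin/service` is missing or not executable, so wrap the call in `try/except OSError` and return a nonzero value there, so a purely advisory check can never abort the client install with a traceback.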
> @@ -200,6 +208,11 @@ def main():
> #Modify pam to add pam_krb5
> run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
>
> + # print warning about ntp
> + if check_ntp() != 0:
> + print "WARNING: Kerberos requires time synchronization between clients"
> + print "and servers for correct operation. You should consider enabling ntpd."
> +
> return 0
Can you please wrap this code in try/except statements? I don't like
when setup aborts with a backtrace on a simple check.
> main()
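Review bot: the warning is written with bare `print` while the rest of the installer reports through the handlers configured in `logging_setup(options)`; sending it via `logging.warning(...)` would put it in the log file as well as on the console, which matters for unattended installs where nobody sees stdout. Note also that `service ntpd status` only says whether the daemon is running, not whether the clock is actually synchronized, so the wording "consider enabling ntpd" is the most the check can honestly claim.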
> diff -r f7f85a88b2b4 -r 492654169fe3 ipa-server/ipa-install/ipa-server-install
> --- a/ipa-server/ipa-install/ipa-server-install Mon Oct 22 10:09:39 2007 -0400
> +++ b/ipa-server/ipa-install/ipa-server-install Mon Oct 22 11:58:31 2007 -0400
> @@ -372,6 +372,15 @@ def read_admin_password():
> admin_password = read_password("IPA admin")
> return admin_password
>
> +def check_ntp():
> + ret_code = 1
> + p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
> + stderr=subprocess.PIPE)
> + stdout, stderr = p.communicate()
> +
> + return p.returncode
> +
> +
> def main():
> global ds
> ds = None
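Review bot: this `check_ntp()` is a byte-for-byte copy of the one added to ipa-client-install, including the unused `ret_code = 1` and `stdout, stderr` assignments; factor it into a module shared by both installers rather than duplicating it, so a later fix (such as the `OSError` guard around `subprocess.Popen` for a missing `/sbin/service`) does not have to be applied twice.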
> @@ -584,6 +593,28 @@ def main():
> fd.write("realm=" + realm_name + "\n")
> fd.close()
>
> + print "=============================================================================="
> + print "Setup complete"
> + print ""
> + print "Next steps:"
> + print "\t1. You may need to open some network ports - specifically:"
> + print "\t\tTCP Ports:"
> + print "\t\t * 80, 443, 8080: HTTP/HTTPS"
Do we really need 8080 open ?
> + print "\t\t * 389, 636: LDAP/LDAPS"
> + print "\t\t * 464: kpasswd"
> + print "\t\tUDP Ports:"
> + print "\t\t * 88, 750: kerberos"
Kerberos is TCP as well and required when packets are big and do not fit
a single UDP packet.
Also, 750 is krb4; do we really need that?
> + print ""
> + print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
> + print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
> + print "\t and the web user interface."
> +
> + if check_ntp() != 0:
> + print "\t3. Kerberos requires time synchronization between clients"
> + print "\t and servers for correct operation. You should consider enabling ntpd."
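Review bot: the port list puts Kerberos only under "UDP Ports", but the KDC also serves port 88 over TCP and clients switch to TCP when a reply is too large for a single UDP datagram (large PACs, many group memberships), so 88 should appear under TCP as well; 750 is the legacy krb4 port and 8080 should only be listed if the IPA web interface really listens there, otherwise admins are told to open ports nothing uses. Separately, this `check_ntp()` call is not guarded, so an `OSError` from `subprocess.Popen` would abort right after the config files were written but before the "Setup complete" steps are shown; catch it and print step 3 anyway.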
should we say: to work at all! ? :-)
Simo.