[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

Alexander Bokovoy abokovoy at redhat.com
Wed Oct 5 14:27:33 UTC 2011


On Wed, 05 Oct 2011, Rob Crittenden wrote:
> In synconce_ntp() ipautil.run is going to raise an exception when
> ntpdate returns non-zero so the retry code isn't going to work.
> You need to add raiseonerr=False to the call.
> 
> It looks like you changed your mind on the retries variable too.
Right.

I ended up not using raiseonerr=False as all I needed was a way to 
break out of the loop on success, so that will come sequentially if 
there is no exception.

Patch attached.
-- 
/ Alexander Bokovoy
-------------- next part --------------
>From b80796995a550ff0411fe32b4e6dd1f9c04cbb2f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 5 Oct 2011 17:25:09 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to
join and runs ntpdate to get time synchronized. If no SRV records are found,
sync with the IPA server itself. If that fails, warn that time might not be in
sync with the KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   14 ++++++++++++++
 ipa-client/ipaclient/ipadiscovery.py      |   21 +++++++++++++++++++++
 ipa-client/ipaclient/ntpconf.py           |   22 ++++++++++++++++++++++
 3 files changed, 57 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 5f541f316433338d3d932690fb4a325ad5ec447b..657c3be4d27e78b6c558697b4bbb27238a421966 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -921,6 +921,20 @@ def install(options, env, fstore, statestore):
         nolog = tuple()
         # First test out the kerberos configuration
         try:
+            # Attempt to sync time with IPA server.
+            # We assume that NTP servers are discoverable through SRV records in the DNS
+            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+            ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+            synced_ntp = False
+            if len(ntp_servers) > 0:
+                for s in ntp_servers:
+                   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                   if synced_ntp:
+                       break
+            if not synced_ntp:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+            if not synced_ntp:
+                print "Unable to sync time with IPA NTP server, assuming the time is in sync."
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
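Review bot: `ipadnssearchntp()` is asked for a comma-separated string that is immediately split again with `ipautil.parse_items`, and the `if len(ntp_servers) > 0:` guard is redundant because a `for` loop over an empty list simply does not run; returning a list from the discovery method and iterating over it directly would remove both. The loop body at `synced_ntp = ipaclient.ntpconf.synconce_ntp(s)` is indented three spaces rather than four, inconsistent with the surrounding code. Consider also sending the "Unable to sync time with IPA NTP server" message through logging as well as `print`, since enrollment continues past it and a later kinit failure will need that context for diagnosis.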
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
         return servers
 
+    def ipadnssearchntp(self, tdomain):
+        servers = ""
+        rserver = ""
+
+        qname = "_ntp._udp."+tdomain
+        # terminate the name
+        if not qname.endswith("."):
+            qname += "."
+        results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+        for result in results:
+            if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+                rserver = result.rdata.server.rstrip(".")
+                if servers:
+                    servers += "," + rserver
+                else:
+                    servers = rserver
+                break
+
+        return servers
+
     def ipadnssearchkrb(self, tdomain):
         realm = None
         kdc = None
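Review bot: the `break` at the end of the `for result in results:` loop returns after the first SRV record, so the `servers += "," + rserver` branch is dead code and the caller's loop over several NTP servers never sees more than one; either drop the `break` so all discovered servers are returned (ideally ordered by SRV priority and weight), or drop the string-joining logic. `rserver = ""` is initialised but never read before it is assigned. A short comment noting that this lookup drives an unauthenticated clock step before Kerberos is configured, so the client trusts whatever DNS answers here, would help future readers understand the trade-off.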
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e71692f4019bf410d6107a471330edc98146c29c 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
 
     # Restart ntpd
     ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+    """
+    Syncs time with specified server using ntpdate.
+    Primarily designed to be used before Kerberos setup
+    to get time following the KDC time
+
+    Returns True if sync was successful
+    """
+    ntpdate="/usr/sbin/ntpdate"
+    result = False
+    if os.path.exists(ntpdate):
+        # retry several times -- logic follows /etc/init.d/ntpdate
+        # implementation
+        for retry in range(0,3):
+            try:
+                ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+                result = True
+                break
+            except:
+                pass
+    return result
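Review bot: the bare `except:` around `ipautil.run(...)` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and discards the reason ntpdate failed; catch the specific error raised for a non-zero exit (or call with `raiseonerr=False` and test the return code) and log stderr so a failed sync can be diagnosed. The three attempts also run back to back with no pause between them, `range(0,3)` can be written `range(3)`, and `ntpdate="/usr/sbin/ntpdate"` wants spaces around `=`. The docstring should mention that `-b` forces a step of the clock rather than a slew, which can move the clock backwards.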
-- 
1.7.6.4
