[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

Rob Crittenden rcritten at redhat.com
Wed Oct 5 21:36:56 UTC 2011


Alexander Bokovoy wrote:
> On Wed, 05 Oct 2011, Rob Crittenden wrote:
>>> I ended up not using raiseonerr=False as all I needed is a way to
>>> break out of the loop on success so that will come sequentially if
>>> there is no exception.
>>>
>>> Patch attached.
>>
>> This works but there is a noticeable pause on my system when ntpdate
>> is being run. I think it would be handy to output a message saying
>> that the date is being updated.
> I'll add the message.
>
>> Is it necessary to sync the date when a one-time password is being
>> used? It doesn't hurt but it does pause a second or three.
> If I understand correctly, our use of the OTP term for hosts is different
> from what the current IETF draft on OTP preauth with Kerberos assumes.
>
> At least, according to the IETF draft on OTP preauth with Kerberos,
> http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
> the client has to submit the next key if clocks have drifted, which implies you
> cannot re-use the same OTP next time. To me this looks like in the OTP
> case clock synchronization is very important. In our OTP case it does
> not matter except for an artificial delay...

This is not Kerberos OTP, it does an LDAP simple bind.

> I've added the message.

Ok, I'll take a look.

rob



