<div dir="ltr">I've noticed if ntpd is already running on the client when you run the ipa-client-install, you will get that error. I'm guessing its using ntpdate IP ADDRESS to sync time, and cannot do so when the daemon is running.<div class="gmail_extra"> <div><div dir="ltr">Steve </div></div> <div class="gmail_quote">On Sat, Feb 8, 2014 at 8:34 AM, Mauricio Tavares <<a href="mailto:raubvogel@gmail.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=raubvogel@gmail.com&cc=&bcc=&su=&body=','_blank');return false;">raubvogel@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Even though I already have a ntp server, I setup my newly created freeipa kdc to do that too (it is a slave to my primary ntp). I then build a centos host to be the test client. Just to make sure it can see and use auth's ntp, I tested with ntpdate: [root@centos64 ~]# ntpdate auth 8 Feb 08:13:35 ntpdate[3251]: adjust time server 10.0.0.11 offset -0.003097 sec [root@centos64 ~]# so far so good, so how about running ipa-client-install? [root@centos64 ~]# hostname centos64 [root@centos64 ~]# ipa-client-install --hostname=`hostname -f` Discovery was successful! Hostname: <a href="http://centos64.in.domain.com" target="_blank">centos64.in.domain.com</a> Realm: <a href="http://DOMAIN.COM" target="_blank">DOMAIN.COM</a> DNS Domain: <a href="http://domain.com" target="_blank">domain.com</a> IPA Server: <a href="http://auth.in.domain.com" target="_blank">auth.in.domain.com</a> BaseDN: dc=domain,dc=com [so far so good!] Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Synchronizing time with KDC... Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Password for <a href="mailto:admin@DOMAIN.COM" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=admin@DOMAIN.COM&cc=&bcc=&su=&body=','_blank');return false;">admin@DOMAIN.COM</a>: But, it had not problems using ntpdate against auth. to add insult to injury, the log claims it is using ntpdate: 2014-02-08T13:14:31Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v <a href="http://auth.in.domain.com" target="_blank">auth.in.domain.com</a> 2014-02-08T13:14:31Z DEBUG stdout= 2014-02-08T13:14:31Z DEBUG stderr= 2014-02-08T13:14:31Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Could it be it is pissed because it was in sync to begin with? I mean, if we run the exact command the log file claims to have run, [root@centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v <a href="http://auth.in.domain.com" target="_blank">auth.in.domain.com</a>| echo $? 0 [root@centos64 ~]# We see it was successful. I am feeling rather clueless here... _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=Freeipa-users@redhat.com&cc=&bcc=&su=&body=','_blank');return false;">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div> </div></div>