[Freeipa-devel] NTP in FreeIPA

Thu Nov 24 15:11:08 UTC 2016

On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mbasti at redhat.com> wrote:

>
>
> On 24.11.2016 07:06, David Kupka wrote:
>
>> On 22/11/16 23:15, Gabe Alford wrote:
>>
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has happened
>>> in
>>> my environment) the client time drifts with the authentication source.
>>> This
>>> is the way that AD often works and is configured.
>>>
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in network
>> with single source in order to have the same time and save bandwidth. Also
>> I understand that it's comfortable to let FreeIPA installer take care of it.
>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>> similar tool. Also the problem is that in some situations FreeIPA installer
>> makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>> redundancy
>>
>
Why not have NTP look at a _srv_records?

> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients
>> will be able to contact KDC on the other server thanks to DNS autodiscovery
>> in libkrb5 but will be unable to synchronize time.
>>
>>
> This can be resolved by DHCP configured NTP. When NTP server changed, you
> just change DHCPd config and hosts conf will be synced.
> We may keep NTP on IPA server side configured, but I'm voting for removing
> it from clients and document+endorse people to use DHCP (anyway distros
> have always enabled some time synchronization so it should naturally work
> without even in small deployments)
>

If NTP is still configured on the IPA server, this may be less of an issue.
Not everyone has/is/will be using ansible. Also in secure environments,
DHCP
is not allowed/used at all.

> Also NTP is somehow incompatible with containers, usually containers have
> time synchronized from host, and by default IPA client container don't do
> NTP configuration.
>

Isn't that what the --no-ntp option in the client is for anyway?

>
> Let deprecate it in 4.5
>
> Martin^2
>
>
>
>
>>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jcholast at redhat.com>
>>> wrote:
>>>
>>> On 22.11.2016 13:06, Petr Spacek wrote:
>>>>
>>>> On 22.11.2016 12:15, David Kupka wrote:
>>>>>
>>>>> Hello everyone!
>>>>>>
>>>>>> Is it worth to keep configuring NTP in FreeIPA?
>>>>>>
>>>>>> In usual environment there're no special requirements for time
>>>>>> synchronization
>>>>>> and the distribution default (be it ntpd, chrony or anything else)
>>>>>> will
>>>>>> just
>>>>>> work. Any tampering with the configuration can't make it any better.
>>>>>>
>>>>>> In environment with special requirements (network disconnected from
>>>>>> public
>>>>>> internet, nodes disconnected from topology for longer time, ...) time
>>>>>> synchronization must be taken care of accordingly by system
>>>>>> administrator and
>>>>>> FreeIPA simply can't help here.
>>>>>>
>>>>>> Also there are problems and weird behavior with the current FreeIPA
>>>>>> installers:
>>>>>>
>>>>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the
>>>>>> ones
>>>>>> specified by user or resolved from DNS. If none were provided nor
>>>>>> resolved the
>>>>>> FreeIPA server specified/resolved during installation it used. This
>>>>>> leads in
>>>>>> just single server in the configuration and no time synchronization
>>>>>> when
>>>>>> this
>>>>>> server is down/decommissioned.
>>>>>>
>>>>>> * ipa-client-install replaces the NTP configuration. If there was any
>>>>>> parts
>>>>>> previously edited by system administrator it's lost.
>>>>>>
>>>>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to
>>>>>> /etc/ntp.conf.
>>>>>> What's the point in doing that? These servers're already in the
>>>>>> configuration
>>>>>> file installed with ntp package.
>>>>>>
>>>>>> I have NTP-related WIP patches that solve some of the issues but in
>>>>>> general I
>>>>>> would prefer to remove the whole thing together with documenting
>>>>>> "Please
>>>>>> make
>>>>>> sure that time on all FreeIPA servers and clients is synchronized. On
>>>>>> most
>>>>>> distributions this was already done during system installation."
>>>>>>
>>>>>> Can we mark NTP options deprecated in 4.5 and remove them and stop
>>>>>> touching
>>>>>> any time syncing service in 4.6?
>>>>>>
>>>>>>
>>>>> Considering that default config is just fine for normal cases, and
>>>>> given
>>>>> how
>>>>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA
>>>>> should
>>>>> get
>>>>> out of configuration management business.
>>>>>
>>>>>
>>>> +1
>>>>
>>>> --
>>>> Jan Cholasta
>>>>
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20161124/a9fab19c/attachment.htm>