[Freeipa-devel] NTP in FreeIPA

John Dennis jdennis at redhat.com
Mon Nov 28 20:18:53 UTC 2016


On 11/28/2016 02:57 PM, Rob Crittenden wrote:
> David Kupka wrote:
>> On 22/11/16 23:15, Gabe Alford wrote:
>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>> customers use its functionality by having the clients sync to the IPA
>>> servers and have the servers sync to the NTP source. This way if the NTP
>>> source ever gets disrupted for long periods of time (which has happened in
>>> my environment) the client time drifts with the authentication source.
>>> This is the way that AD often works and is configured.
>>
>> Hello Gabe,
>> I agree that it's common practice to synchronize all nodes in the network
>> with a single source in order to have the same time and save bandwidth.
>> Also I understand that it's comfortable to let the FreeIPA installer take
>> care of it.
>> But I don't think FreeIPA should do it; IMO this is a job for Ansible or
>> a similar tool. Also the problem is that in some situations the FreeIPA
>> installer makes it worse.
>>
>> Example:
>>
>> 1. Install FreeIPA server (ipa1.example.org)
>> 2. Install FreeIPA client on all nodes in network
>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>> redundancy
>>
>> Now all the clients have ipa1.example.org as the only server in
>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all
>> clients will be able to contact KDC on the other server thanks to DNS
>> autodiscovery in libkrb5 but will be unable to synchronize time.
>
> Remember that the goal of IPA was to herd together a bunch of software
> to make hard things easier. This included dealing with the 5-minute
> Kerberos window, so ntp was configured on the client and server (which is
> less of an issue now).
>
> When making changes you have to ask yourself who are you making this
> easier for: you or the user.
>
> Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
> of success? I'd think so. I
>
> If someone wants to configure it using Ansible they can use the
> --no-ntp. If they want to use different time servers they can pass in
> --ntp-server. But by default IMHO it should do something sane to give a
> good experience.
>
> There don't seem to be a ton of NTP tickets and I don't recall a lot of
> users pressing for it to go away (the reverse, many times their
> problems revolve around time not being synced). I wonder if a survey on
> freeipa-users would be in order to see how hot an issue this really is.

+1 Thanks Rob for taking the words out of my mouth.


-- 
John
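The failure mode David describes above (every client left with ipa1.example.org as its only entry in /etc/ntp.conf, so time sync dies with that one server even though Kerberos fails over via DNS) is easy to detect from the client side. The following is an added example, not FreeIPA code and not part of this thread: a small parser for classic ntpd `server`/`pool`/`peer` directives that flags single-source configurations and a local-clock-only source. The two configuration snippets are constructed for illustration; the host names are placeholders and the upstream host is hypothetical.

```python
"""Check an ntpd-style configuration for single-source time sync.

Added example, not FreeIPA project code. It reads the server/pool/peer
directives of a classic /etc/ntp.conf and flags a client that knows only
one time source, i.e. the situation after enrolling against a single IPA
server before a replica was added.
"""
from typing import Dict, List

# Constructed sample: what a client may be left with after enrolling
# against ipa1.example.org only (the weak setting discussed in the thread).
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server ipa1.example.org iburst
"""

# Constructed sample: both IPA servers plus a hypothetical upstream fallback,
# the kind of list one would pass with --ntp-server or manage via Ansible.
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server ipa1.example.org iburst
server ipa2.example.org iburst
pool ntp-upstream.example.org iburst   # hypothetical upstream pool
"""

# Directives that name a remote (or local reference-clock) time source.
SOURCE_DIRECTIVES = ("server", "pool", "peer")


def time_sources(conf_text: str) -> List[str]:
    """Return the host names/addresses named by server/pool/peer directives."""
    sources: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] in SOURCE_DIRECTIVES and len(parts) >= 2:
            sources.append(parts[1])
    return sources


def assess(conf_text: str, min_sources: int = 2) -> Dict[str, object]:
    """Evaluate a configuration and report why it may lose time sync."""
    sources = time_sources(conf_text)
    findings: List[str] = []
    if not sources:
        findings.append("no time source configured")
    elif len(sources) < min_sources:
        findings.append(
            f"only one time source ({sources[0]}); "
            "time sync stops if that host becomes unreachable"
        )
    # 127.127.x.x addresses are ntpd's reference-clock drivers; 127.127.1.0
    # is the undisciplined local clock, which only syncs a host to itself.
    if any(s.startswith("127.127.") for s in sources):
        findings.append("local reference clock (127.127.x.x) used as a source")
    return {"sources": sources, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        result = assess(conf)
        print(f"{name}: ok={result['ok']} sources={result['sources']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the block prints the weak configuration as not ok with the single-source finding and the hardened one as ok with three sources. Pointing `assess` at the text of a real /etc/ntp.conf gives the same check for an enrolled client; chrony uses the same `server`/`pool` directive names, so the parser applies to chrony.conf as well.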
