[Freeipa-devel] NTP in FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 30 15:25:52 UTC 2016


On Wed, 30 Nov 2016, Rob Crittenden wrote:
>David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints are the only external measure we
>>> have. There is close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and better discovery of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>>
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that the majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
>For argument's sake, let's say NTP configuration in the client is
>dropped and managed by the OS or other administrators.
>
>What implication does this have for configuring NTP server on masters?
>Would that be stopped as well? What about existing installs?
Here is the problem: in a Kerberos realm, services must have time
synchronized with the KDC. The patches from StefW which added the ability to
record a time skew between the Kerberos client and KDC do not apply to
Kerberos client - Kerberos service communication.

Given that IPA clients can host Kerberos services (at the very least,
SSH is such a service), this practically means they need to have a time
source that is synchronized with the KDC(s) they are talking to.

To me this means we should not really remove NTP configuration but
instead expand ntpd support to cover chronyd as well.


>I don't believe there is a precedent for removing a service from IPA.
Neither do I.

-- 
/ Alexander Bokovoy



