<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 24.11.2016 16:11, Gabe Alford wrote:<br>
</div>
<blockquote
cite="mid:CAGLxfGwcdg62LTkhx4kMZqB0UNWY6PB1=9DfPGv3pNP=JGOwKA@mail.gmail.com"
type="cite">
<div dir="ltr">On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class=""><br>
<br>
On 24.11.2016 07:06, David Kupka wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On 22/11/16 23:15, Gabe Alford wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I would say that it is worth keeping in FreeIPA. I know that I and some
customers use its functionality by having the clients sync to the IPA
servers and the servers sync to the NTP source. This way, if the NTP
source ever gets disrupted for long periods of time (which has happened in
my environment), the client time drifts with the authentication source. This
is the way that AD often works and is configured.<br>
</blockquote>
<br>
Hello Gabe,<br>
I agree that it's common practice to synchronize all
nodes in the network with a single source in order to have
the same time and save bandwidth. Also I understand
that it's comfortable to let the FreeIPA installer take
care of it.<br>
But I don't think FreeIPA should do it; IMO this is a job
for Ansible or a similar tool. Also the problem is that
in some situations the FreeIPA installer makes it worse.<br>
<br>
Example:<br>
<br>
1. Install FreeIPA server (<a moz-do-not-send="true"
href="http://ipa1.example.org" rel="noreferrer"
target="_blank">ipa1.example.org</a>)<br>
2. Install FreeIPA client on all nodes in network<br>
3. Install replica (<a moz-do-not-send="true"
href="http://ipa2.example.org" rel="noreferrer"
target="_blank">ipa2.example.org</a>) of FreeIPA
server to increase redundancy<br>
</blockquote>
</span></blockquote>
<div><br>
</div>
<div>Why not have NTP look at a _srv_records?<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Do NTP clients support this natively? I just found some ugly hacks
for chrony, i.e. an extra service that dynamically changes the config
file.<br>
But yes, this may be a way too, but dirty.<br>
<br>
<br>
<blockquote
cite="mid:CAGLxfGwcdg62LTkhx4kMZqB0UNWY6PB1=9DfPGv3pNP=JGOwKA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Now all the clients have <a moz-do-not-send="true"
href="http://ipa1.example.org" rel="noreferrer"
target="_blank">ipa1.example.org</a> as the only
server in /etc/ntp.conf. If the first FreeIPA server
becomes unreachable, all clients will be able to
contact the KDC on the other server thanks to DNS
autodiscovery in libkrb5, but will be unable to
synchronize time.<br>
<br>
</blockquote>
<br>
</span>
This can be resolved by DHCP-configured NTP. When the NTP
server changes, you just change the DHCPd config and the hosts'
conf will be synced.<br>
We may keep NTP configured on the IPA server side, but I'm
voting for removing it from clients and documenting and endorsing
that people use DHCP (anyway distros have always enabled
some time synchronization, so it should naturally work
even in small deployments without it)<br>
</blockquote>
<div><br>
</div>
<div>If NTP is still configured on the IPA server, this may
be less of an issue. Not everyone has/is/will be using
Ansible. Also in secure environments, DHCP is not allowed/used at all.<br>
</div>
</div>
</div>
</div>
</blockquote>
<blockquote
cite="mid:CAGLxfGwcdg62LTkhx4kMZqB0UNWY6PB1=9DfPGv3pNP=JGOwKA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Also NTP is somewhat incompatible with containers; usually
containers have time synchronized from the host, and by
default the IPA client container doesn't do NTP configuration.<br>
</blockquote>
<div><br>
</div>
<div>Isn't that what the --no-ntp option in the client is
for anyway? <br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Let's deprecate it in 4.5<br>
<br>
Martin^2
<div class="HOEnZb">
<div class="h5"><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <<a
moz-do-not-send="true"
href="mailto:jcholast@redhat.com"
target="_blank">jcholast@redhat.com</a>>
wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
On 22.11.2016 13:06, Petr Spacek wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
On 22.11.2016 12:15, David Kupka wrote:<br>
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
Hello everyone!<br>
<br>
Is it worth keeping the NTP configuration in FreeIPA?<br>
<br>
In a usual environment there are no special requirements for time
synchronization, and the distribution default (be it ntpd, chrony or
anything else) will just work. Any tampering with the configuration
can't make it any better.<br>
<br>
In an environment with special requirements (network disconnected from
the public internet, nodes disconnected from the topology for a longer
time, ...) time synchronization must be taken care of accordingly by the
system administrator, and FreeIPA simply can't help here.<br>
<br>
Also there are problems and weird behavior with the current FreeIPA
installers:<br>
<br>
* ipa-client-install replaces all servers in /etc/ntp.conf with the ones
specified by the user or resolved from DNS. If none were provided or
resolved, the FreeIPA server specified/resolved during installation is
used. This leads to just a single server in the configuration and no
time synchronization when this server is down/decommissioned.<br>
<br>
* ipa-client-install replaces the NTP configuration. If there were any
parts previously edited by the system administrator, they are lost.<br>
<br>
* ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
What's the point in doing that? These servers are already in the
configuration file installed with the ntp package.<br>
<br>
I have NTP-related WIP patches that solve some of the issues, but in
general I would prefer to remove the whole thing together with
documenting "Please make sure that time on all FreeIPA servers and
clients is synchronized. On most distributions this was already done
during system installation."<br>
<br>
Can we mark the NTP options deprecated in 4.5 and remove them and stop
touching any time syncing service in 4.6?<br>
<br>
</blockquote>
<br>
Considering that the default config is just fine for normal cases, and
given how poorly integrated it is into FreeIPA, I agree with David.
FreeIPA should get out of the configuration management business.<br>
<br>
</blockquote>
<br>
+1<br>
<br>
-- <br>
Jan Cholasta<br>
<br>
<br>
-- <br>
Manage your subscription for the Freeipa-devel
mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-devel"
rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
Contribute to FreeIPA: <a
moz-do-not-send="true"
href="http://www.freeipa.org/page/Contribute/Code"
rel="noreferrer" target="_blank">http://www.freeipa.org/page/Contribute/Code</a><br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
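<p>Added example (not part of the thread above, and not FreeIPA project code): the SRV-based discovery that Gabe suggests and that Martin describes as "an extra service that dynamically changes the config file", written as a small script that turns <code>_ntp._udp</code> SRV answers into a multi-server chrony source file. It addresses the failure mode David lists, a client left with <code>ipa1.example.org</code> as its only time source. Assumptions: the host names <code>ipa1.example.org</code>/<code>ipa2.example.org</code> are reused from the thread; the SRV answer is a constructed sample in the format <code>dig +short SRV</code> prints, embedded so the script runs offline; the <code>sourcedir</code> directive and <code>chronyc reload sources</code> exist only in chrony 4.0 and later, and the output path is an assumed one.</p>

```python
"""Build a chrony source list from _ntp._udp SRV records.

Added example, not FreeIPA code. Feed it the text of
`dig +short SRV _ntp._udp.<domain>` (from a cron job or systemd timer) and it
renders one `server` directive per discovered NTP server, refusing to write
a file that would leave the client with a single source.
"""
import re
from pathlib import Path

# Constructed sample: what `dig +short SRV _ntp._udp.example.org` would print
# if both IPA servers published NTP SRV records (lower priority is preferred).
SAMPLE_DIG_OUTPUT = """\
10 50 123 ipa2.example.org.
0 100 123 ipa1.example.org.
"""

# priority weight port target (trailing dot on the target is optional)
SRV_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(dig_output):
    """Parse `dig +short SRV` lines into (priority, weight, port, target).

    Anything that is not an SRV answer (blank lines, ';;' diagnostics from a
    failed lookup) is skipped instead of becoming a bogus server entry.
    Records are sorted lowest priority first, then highest weight first.
    """
    records = []
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        prio, weight, port, target = m.groups()
        records.append((int(prio), int(weight), int(port), target.lower()))
    records.sort(key=lambda r: (r[0], -r[1], r[3]))
    return records


def render_chrony_sources(records, min_sources=2):
    """Render chrony `server` directives for the discovered servers.

    Raises ValueError when fewer than `min_sources` servers were found, so a
    broken or partial DNS answer never overwrites a working multi-server file
    with the single-server configuration the thread complains about.
    """
    if len(records) < min_sources:
        raise ValueError(
            f"only {len(records)} NTP server(s) discovered; refusing to write"
        )
    lines = ["# generated from _ntp._udp SRV records; do not edit by hand"]
    for prio, weight, port, target in records:
        lines.append(f"# priority {prio}, weight {weight}")
        directive = f"server {target} iburst"
        if port != 123:
            directive += f" port {port}"
        lines.append(directive)
    return "\n".join(lines) + "\n"


def write_if_changed(path, content):
    """Write `content` to `path` only if it differs; return True when written.

    Writing only on change keeps `chronyc reload sources` (and the resulting
    source churn) to the cases where DNS actually changed.
    """
    path = Path(path)
    if path.exists() and path.read_text() == content:
        return False
    path.write_text(content)
    return True


if __name__ == "__main__":
    import sys

    rendered = render_chrony_sources(parse_srv(SAMPLE_DIG_OUTPUT))
    sys.stdout.write(rendered)
    # Real deployment (assumed path; chrony.conf needs
    # `sourcedir /etc/chrony/sources.d`, chrony 4.0+):
    # if write_if_changed("/etc/chrony/sources.d/ipa.sources", rendered):
    #     subprocess.run(["chronyc", "reload", "sources"], check=True)
```

<p>The <code>min_sources</code> guard is the part worth keeping even if the rest is replaced by DHCP or a configuration-management tool: the original complaint is not that the client was configured at all, but that it was left depending on exactly one server.</p>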
</body>
</html>