[Freeipa-users] Enabling ntp if not done during ipa-server-install

Lucas Yamanishi lyamanishi at sesda3.com
Fri Aug 15 18:11:14 UTC 2014


On 08/15/2014 10:33 AM, Redmond, Stacy wrote:

> I installed my ipa server with --no-ntp but find that I want to enable
> it on my server, and all my replicas.  Is it possible to do post install?
>
> Stacy Redmond | Unix/Linux System Administrator
> Build Engineering | Bluedof California
> 4203 Town Center Boulevard | El Dorado Hills, CA 95762
> Desk: 916.350.7912 | FAX: 916.350.8943
> Email: Stacy at blueshieldca.com
>
Yes, you can do that. There's no ipa-ntp-install command, because NTP
isn't integrated with FreeIPA so much as it's a good idea to run it
alongside FreeIPA; Kerberos and other crypto operations depend on good
time-sync. All you need to do to replicate the default
ipa-server-install behavior (without --no-ntp) is enable inbound
connections to ntpd, add the other servers to its server list, and for
extra credit add an SRV resource record for each server. (Does
anything actually use the SRV records?)

ntpd(8) should be installed, but make sure; it's usually just called
ntp. You'll then need to open UDP port 123 and configure the daemon
appropriately. Here's an example /etc/ntp.conf file (it assumes there
are two other servers in the cluster, ipa2 and ipa3; edit as you see fit):

# ntp.conf
#
# Keep ntpd from panicking in the event of a large clock skew
# when a VM guest is suspended and resumed.
# (disable this if running on a physical machine with a battery-backed RTC)
tinker panic 0

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# (noquery/nomodify also stop remote mode 6/7 control queries, which is
# what keeps an Internet-reachable ntpd out of amplification attacks.)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# Servers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

# The other IPA servers in the cluster
server ipa2.example.com
server ipa3.example.com

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
# (disable this if running on a virtual machine)
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

# Driftfile.
driftfile /var/lib/ntp/drift

Run this command to add an SRV RR for ipa1.example.com (don't forget
the trailing dot):

ipa dnsrecord-add example.com _ntp._udp --srv-priority=0 --srv-weight=100 --srv-port=123 --srv-target=ipa1.example.com.


--  
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
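An added example (not part of the thread, and not a FreeIPA or ntpd tool): a small Python audit that parses a classic ntp.conf like the one above and reports whether the default restrict lines carry the flags the reply depends on for both address families, whether any servers or peers are listed, and whether the VM-only and physical-only settings have both been left enabled. The sample configs are constructed; parse_ntp_conf and audit_ntp_conf are hypothetical names.

```python
# Added example: audit an ntpd ntp.conf before UDP/123 is opened to the network.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_ntp_conf(text):
    """Return (default-restrict flags per family, servers, local_clock, panic_off)."""
    restrict = {"ipv4": set(), "ipv6": set()}
    servers, local_clock, panic_off = [], False, False
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(parts) < 2:
            continue
        if parts[0] == "restrict":
            family = "ipv4"
            if parts[1] == "-6":                    # IPv6 variant of the rule
                family, parts = "ipv6", parts[:1] + parts[2:]
            if len(parts) > 1 and parts[1] == "default":
                restrict[family] = set(parts[2:])
        elif parts[0] == "server":
            if parts[1].startswith("127.127."):     # refclock driver (local clock)
                local_clock = True
            else:
                servers.append(parts[1])
        elif parts[:3] == ["tinker", "panic", "0"]:
            panic_off = True
    return restrict, servers, local_clock, panic_off

def audit_ntp_conf(text):
    """Return findings as strings; an empty list means nothing to fix."""
    restrict, servers, local_clock, panic_off = parse_ntp_conf(text)
    findings = []
    for family, flags in restrict.items():
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:   # without noquery/nomodify ntpd answers remote control queries
            findings.append(f"{family}: restrict default lacks {sorted(missing)}")
    if not servers:
        findings.append("no upstream servers or peers configured")
    if local_clock and panic_off:
        findings.append("both 'tinker panic 0' (VM) and local clock (physical) enabled; keep one")
    return findings

# Constructed configs: HARDENED mirrors the reply's restrict lines; WEAK drops noquery from the IPv6 rule.
HARDENED = """
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
server 0.pool.ntp.org
server ipa2.example.com
"""
WEAK = HARDENED.replace("nopeer noquery\nserver", "nopeer\nserver")
```

Run it against the real file with audit_ntp_conf(open("/etc/ntp.conf").read()) on each IPA server after editing; an empty list is the goal.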
