[Freeipa-users] Enabling ntp if not done during ipa-server-install

Mark Heslin mheslin at redhat.com
Fri Aug 15 20:58:36 UTC 2014


On 08/15/2014 03:51 PM, Simo Sorce wrote:
> On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:
>> On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
>>> On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
>>>
>>>> I installed my ipa server with --no-ntp but find that I want to enable
>>>> it on my server, and all my replicas.  Is it possible to do post install?
>>> Yes, you can do that. There's no ipa-ntp-install command, because NTP
>>> isn't integrated with FreeIPA as much as it's a good idea to run it
>>> alongside FreeIPA; Kerberos and other crypto operations depend on good
>>> time-sync. All you need to do to [...]
>> Thanks for the instructions, Lucas.
>>
>>
>> Adding it may be easy, but users don't necessarily know that, so it
>> would make sense to provide an ipa-ntp-install command to take care of
>> all the details.
>> I filed a RFE for ipa-ntp-install:
>> https://fedorahosted.org/freeipa/ticket/4497
> IIRC Ntpd also supports an interface (may require patching) to allow
> signing packets (I remember vaguely samba AD has an interface for this).
>
> Maybe we should open a ticket to make use of that too and really
> formally integrate and configure ntpd to sign outgoing packets.
>
> Simo.
>

I just wanted to add 2 points that may or may not apply to you:

  1. The RHEL7 IdM guide recommends *not* running NTP on an IdM server
     that is on a VM:

     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ntp

     It's not entirely clear to me whether this still holds true today
     or if it's an old documentation artifact.

  2. For RHEL 7, the default time service is chronyd, not ntpd. From my
     readings it appears that chronyd is primarily for "mobile" devices
     like laptops. If you're running IdM on a RHEL 7 server then I'd
     suggest masking the chronyd service (systemctl mask chronyd) and
     enabling ntpd just as outlined in the OSE-IdM reference architecture:

     https://access.redhat.com/articles/1155603

     See sections 2.2.5 Time Services (ntpd, chronyd) and 4.5
     Configure Time Service (NTP).

-m
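The thread notes that Kerberos depends on good time-sync and that ntpd should be the active time service on an IdM server. The following added check (example code, not from the list or the FreeIPA project) parses `ntpq -p` output and reports whether ntpd has actually selected a system peer and whether that peer's offset is within an assumed alerting threshold; the sample outputs and the 1000 ms threshold are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ntpq -p` output (not captured from a real host):
# one selected system peer ('*'), one candidate ('+'), one unreachable.
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.n 203.0.113.10     2 u   34   64  377    1.234   -0.456   0.123
+time2.example.n 203.0.113.11     2 u   10   64  377    2.345    1.234   0.234
 time3.example.n .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample where ntpd is running but has no usable peer yet.
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time1.example.n .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Assumed alerting threshold in milliseconds. Kerberos tolerates up to its
# clockskew (300 s by default), but a healthy ntpd peer sits far below that.
MAX_OFFSET_MS=1000

# ntp_sync_status OUTPUT
#   Prints "synced <offset_ms>" and returns 0 when a system peer (tally
#   code '*') exists and |offset| <= MAX_OFFSET_MS; otherwise prints
#   "offset_too_large <offset_ms>" or "unsynced" and returns 1.
ntp_sync_status() {
    printf '%s\n' "$1" | awk -v max="$MAX_OFFSET_MS" '
        substr($0, 1, 1) == "*" {
            # Column 9 is the offset in ms; take its absolute value.
            off = $9 + 0; if (off < 0) off = -off
            found = 1
            if (off <= max) { print "synced", $9 }
            else            { print "offset_too_large", $9; bad = 1 }
            exit
        }
        END {
            if (!found) { print "unsynced"; exit 1 }
            if (bad) exit 1
            exit 0
        }'
}

# Stand-alone demo against the constructed samples; on a real server the
# argument would be "$(ntpq -p)".
ntp_sync_status "$SAMPLE_SYNCED"
ntp_sync_status "$SAMPLE_UNSYNCED" || echo "alert: ntpd has no selected peer"
```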
