[Freeipa-users] ipa-client-install does not seem to like the ipa's ntp
Martin Kosek
mkosek at redhat.com
Tue Feb 11 09:12:50 UTC 2014
On 02/10/2014 10:08 PM, Mauricio Tavares wrote:
> On Mon, Feb 10, 2014 at 3:40 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 02/09/2014 09:52 PM, Mauricio Tavares wrote:
>>>
>>> On Sun, Feb 9, 2014 at 9:07 PM, Steve Dainard<sdainard at miovision.com>
>>> wrote:
>>>>
>>>> I've noticed if ntpd is already running on the client when you run the
>>>> ipa-client-install, you will get that error. I'm guessing its using
>>>> ntpdate
>>>> IP ADDRESS to sync time, and cannot do so when the daemon is running.
>>>>
>>>> I've noticed if ntpd is already running on the client when you run the
>>>> ipa-client-install, you will get that error. I'm guessing its using
>>>> ntpdate
>>>> IP ADDRESS to sync time, and cannot do so when the daemon is running.
>>>>
>>> Now that you mentioned that I would agree with you in that it is
>>> failing because ntpd is running already; I could not see it because of
>>> the option "-s" in
>>>
>>> [root at centos64 ~]# service ntpd status
>>> ntpd (pid 3721) is running...
>>> [root at centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v auth.in.domain.com
>>> [root at centos64 ~]#
>>>
>>> I could not find what all of those arguments mean in the centos 6.5
>>> ntpdate man page, but here is what I found under ubuntu's:
>>>
>>> -b Force the time to be stepped using the settimeofday()
>>> system
>>> call, rather than slewed (default) using the adjtime()
>>> system
>>> call. This option should be used when called from a startup
>>> file
>>> at boot time.
>>>
>>> -s Divert logging output from the standard output (default) to
>>> the
>>> system syslog facility. This is designed primarily for
>>> conve‐
>>> nience of cron scripts.
>>>
>>> -v Be verbose. This option will cause ntpdate's version
>>> identifica‐
>>> tion string to be logged.
>>>
>>> In other words, -s is sending the output to syslog. And, if we check
>>> /var/log/messages we will find that
>>>
>>> Feb 9 21:17:06 centos64 ntpdate[8275]: the NTP socket is in use, exiting
>>>
>>> as you expected. Now, how did it detect the ntpdate failed?
>>>
>>>> Steve
>>>>
>>>>
>>>> On Sat, Feb 8, 2014 at 8:34 AM, Mauricio Tavares<raubvogel at gmail.com>
>>>> wrote:
>>>>>
>>>>> Even though I already have a ntp server, I setup my newly
>>>>> created freeipa kdc to do that too (it is a slave to my primary ntp).
>>>>>
>>>>> I then build a centos host to be the test client. Just to make sure it
>>>>> can see and use auth's ntp, I tested with ntpdate:
>>>>>
>>>>> [root at centos64 ~]# ntpdate auth
>>>>> 8 Feb 08:13:35 ntpdate[3251]: adjust time server 10.0.0.11 offset
>>>>> -0.003097 sec
>>>>> [root at centos64 ~]#
>>>>>
>>>>> so far so good, so how about running ipa-client-install?
>>>>>
>>>>> [root at centos64 ~]# hostname
>>>>> centos64
>>>>> [root at centos64 ~]# ipa-client-install --hostname=`hostname -f`
>>>>> Discovery was successful!
>>>>> Hostname: centos64.in.domain.com
>>>>> Realm: DOMAIN.COM
>>>>> DNS Domain: domain.com
>>>>> IPA Server: auth.in.domain.com
>>>>> BaseDN: dc=domain,dc=com
>>>>>
>>>>> [so far so good!]
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>> User authorized to enroll computers: admin
>>>>> Synchronizing time with KDC...
>>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>>> Please check that 123 UDP port is opened.
>>>>> Password for admin at DOMAIN.COM:
>>>>>
>>>>> But, it had not problems using ntpdate against auth. to add insult to
>>>>> injury, the log claims it is using ntpdate:
>>>>>
>>>>> 2014-02-08T13:14:31Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
>>>>> auth.in.domain.com
>>>>> 2014-02-08T13:14:31Z DEBUG stdout=
>>>>> 2014-02-08T13:14:31Z DEBUG stderr=
>>>>> 2014-02-08T13:14:31Z WARNING Unable to sync time with IPA NTP server,
>>>>> assuming the time is in sync. Please check that 123 UDP port is
>>>>> opened.
>>>>>
>>>>> Could it be it is pissed because it was in sync to begin with? I mean,
>>>>> if we run the exact command the log file claims to have run,
>>>>>
>>>>> [root at centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v auth.in.domain.com|
>>>>> echo $?
>>>>> 0
>>>>> [root at centos64 ~]#
>>>>>
>>>>> We see it was successful.
>>>>>
>>>>> I am feeling rather clueless here...
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> This sounds like a bug to me but I would wait for European gurus to chime in
>> the morning.
>> If it is a bug we need a ticket.
>>
> I dunno where to file a ticket but here is my suggestion:
>
> in /usr/lib/python2.6/site-packages/ipaclient/ntpconf.py, function def
> synconce_ntp(server_fqdn):
>
> replace
>
> cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn]
>
> with
>
> cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", "-u", server_fqdn]
>
> Reasoning:
>
> [root at centos64 ~]# date +%T -s "10:13:13"
> 10:13:13
> [root at centos64 ~]# date
> Mon Feb 10 10:13:15 EST 2014
> [root at centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v -u auth
> [root at centos64 ~]# date
> Mon Feb 10 16:05:49 EST 2014
> [root at centos64 ~]# service ntpd status
> ntpd (pid 8870) is running...
> [root at centos64 ~]#
Just to close the loop - this is the filed Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1063512
I will clone it upstream so that we can triage it.
Martin
More information about the Freeipa-users
mailing list