On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel wrote: > Hello FreeIPA-devel list fellow beings! > > I would like to continue the discussion started in [1], and find its > solution. > > While using the Single-Sign-on authentication provided via an MIT Kerberos > KDC there must not be any significant clock skew between server and > clients so a time synchronization service is required. > > Red Hat Enterprise Linux is about to deprecate ntpd service and will > support chronyd instead. This will happen in release 8 and by this time we > should agree on some changes in IPA - whether to remove or replace the already > used ntpd service. I would like to sum up this change in a design page but > there should be an agreement first. > > IPA, as is, checks the system configuration and if there is an NTP service > configured and running then it forces ntpd, meaning it disables any other > NTP service. It also alters its configuration, and restarts the NTP service > instance. > > We may now want to consider, as the time sync service change is required, > to NOT configure a service that is not a part of the identity management > such as NTP, and leave it to system/IPA administrators.
Let me explain why we do this: As you noted above kerberos will fail to work properly if clocks drift too much, so we wanted to provide a simple way to keep the whole domain in sync. We also had plans to keep the domain in sync *securely* as an attacker could create Denial pf Service attacks by subtly drifting different machines clocks. ntpd was the only one that offered hooks to sign NTP packets (which were used by Samba only at the time and required compile time changes when we started) using kerberos keys, so the original plan was to eventually get there. Unfortunately we never prioritized this work. So given the above we initially decided to make IPA servers also ntp servers and configure client to use IPA server as time sources. This is just to give an overview of the reasons behind choosing ntpd specifically and why it was overriding ntp config on servers/clients > IPA install script may only check wheter there is an NTP service running > and if not, it would ask the administrator to configure it before the IPA > installation. I do not think we need this strictly for the first server, these days time keeping is more important in general and servers tend to be already kept in sync, either via virt devices, or ntp. however what we may want to do is, instead, to check the time synchronization on clients (and therefore future ipa replicas, as ipa client install is always done fist now), by dissecting a kerberos reply from the server that carries the server time (I think this information is actually stored in the ccache after a successful kinit, so we could just inspect the ccache as well). If we detect a drift bigger than X (where X < 5 min), we could fail the install and ask the admin to check the client and server time are synchronized. > Upgrade of IPA might be more complicated because there will be the ntpd > service entry in LDAP, and the service will be up and running. I would > suggest that we do not remove any working ntpd service already configured > but only disown it from IPA's LDAP tree. Why would we need to disown it ? I think it is ok to proposed that in new installs (even in an existing domain) new servers will stop configuring ntp by default, but I see no reason to touch existing servers. however I think we should *retain* the option to install and configure ntpd, it is very convenient for tests and custom installs/pocs, where you want to minimize the amount of prepping to do, and want something that "just works". If ntpd is dropped from a distribution I would assume we'll use the platform portability code to replace ntpd with whatever other NTP/timesync server/client is appropriate for the platform when the option to install NTP is requested. HTH, Simo. > I will be glad for any input from you people and hopefully there will be an > acceptable solution for this soon :) > > Thanks! > > [1] > https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html > > _______________________________________________ > FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org > To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
