Hello All.
There are several good NTP servers/clients. And different Linux distributions use them (not only ntpd or chronyd). But FreeIPA chose ntpd strictly. It is a bottleneck for a platform porting. Perhaps, FreeIPA should allow to select administrator which one to use and should support it (like install and work). Thank you. 24.01.2018 18:57, Simo Sorce via FreeIPA-devel пишет: > On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel > wrote: >> Hello FreeIPA-devel list fellow beings! >> >> I would like to continue the discussion started in [1], and find its >> solution. >> >> While using the Single-Sign-on authentication provided via an MIT Kerberos >> KDC there must not be any significant clock skew between server and >> clients so a time synchronization service is required. >> >> Red Hat Enterprise Linux is about to deprecate ntpd service and will >> support chronyd instead. This will happen in release 8 and by this time we >> should agree on some changes in IPA - whether to remove or replace the >> already >> used ntpd service. I would like to sum up this change in a design page but >> there should be an agreement first. >> >> IPA, as is, checks the system configuration and if there is an NTP service >> configured and running then it forces ntpd, meaning it disables any other >> NTP service. It also alters its configuration, and restarts the NTP service >> instance. >> >> We may now want to consider, as the time sync service change is required, >> to NOT configure a service that is not a part of the identity management >> such as NTP, and leave it to system/IPA administrators. > Let me explain why we do this: > As you noted above kerberos will fail to work properly if clocks drift > too much, so we wanted to provide a simple way to keep the whole domain > in sync. We also had plans to keep the domain in sync *securely* as an > attacker could create Denial pf Service attacks by subtly drifting > different machines clocks. > > ntpd was the only one that offered hooks to sign NTP packets (which > were used by Samba only at the time and required compile time changes > when we started) using kerberos keys, so the original plan was to > eventually get there. Unfortunately we never prioritized this work. > > So given the above we initially decided to make IPA servers also ntp > servers and configure client to use IPA server as time sources. > > This is just to give an overview of the reasons behind choosing ntpd > specifically and why it was overriding ntp config on servers/clients > >> IPA install script may only check wheter there is an NTP service running >> and if not, it would ask the administrator to configure it before the IPA >> installation. > I do not think we need this strictly for the first server, these days > time keeping is more important in general and servers tend to be > already kept in sync, either via virt devices, or ntp. > however what we may want to do is, instead, to check the time > synchronization on clients (and therefore future ipa replicas, as ipa > client install is always done fist now), by dissecting a kerberos reply > from the server that carries the server time (I think this information > is actually stored in the ccache after a successful kinit, so we could > just inspect the ccache as well). > > If we detect a drift bigger than X (where X < 5 min), we could fail the > install and ask the admin to check the client and server time are > synchronized. > >> Upgrade of IPA might be more complicated because there will be the ntpd >> service entry in LDAP, and the service will be up and running. I would >> suggest that we do not remove any working ntpd service already configured >> but only disown it from IPA's LDAP tree. > Why would we need to disown it ? > I think it is ok to proposed that in new installs (even in an existing > domain) new servers will stop configuring ntp by default, but I see no > reason to touch existing servers. > > however I think we should *retain* the option to install and configure > ntpd, it is very convenient for tests and custom installs/pocs, where > you want to minimize the amount of prepping to do, and want something > that "just works". > > If ntpd is dropped from a distribution I would assume we'll use the > platform portability code to replace ntpd with whatever other > NTP/timesync server/client is appropriate for the platform when the > option to install NTP is requested. > > HTH, > Simo. > >> I will be glad for any input from you people and hopefully there will be an >> acceptable solution for this soon :) >> >> Thanks! >> >> [1] >> https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html >> >> _______________________________________________ >> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org >> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org _______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
