> Hello FreeIPA-devel list fellow beings!
> I would like to continue the discussion started in [1], and find
> its solution.
> While using the Single-Sign-on authentication provided via an MIT
> Kerberos KDC there must not be any significant clock skew between
> server and clients, so a time synchronization service is required.
> Red Hat Enterprise Linux is about to deprecate the ntpd service and will
> support chronyd instead. This will happen in release 8 and by this time
> we should agree on some changes in IPA, whether to remove or replace the
> already used ntpd service. I would like to sum up this change in a design
> page but there should be an agreement first.
> IPA, as is, checks the system configuration and if there is an NTP service
> configured and running then it forces ntpd, meaning it disables any other
> NTP service. It also alters its configuration, and restarts the NTP
> service instance.
> We may now want to consider, as the time sync service change is required,
> to NOT configure a service that is not a part of the identity management,
> such as NTP, and leave it to system/IPA administrators.
> The IPA install script may only check whether there is an NTP service running
> and if not, it would ask the administrator to configure it before the IPA
> installation.
> Upgrade of IPA might be more complicated because there will be the ntpd
> service entry in LDAP, and the service will be up and running. I would
> suggest that we do not remove any working ntpd service already
> configured but only disown it from IPA's LDAP tree.
> I will be glad for any input from you people and hopefully there will be
> an acceptable solution for this soon :)
> Thanks!
> [1]
> https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html

A few comments on

This is mostly off the top of my head so don't take verbatim please :-)

Time is also important for 389-ds replication.

"ntpd is being deprecated in Fedora28 therefore IPA should deprecate it
as well."

nit: add space between Fedora and 28

Drop "On the other hand " and "a"

Under Use Cases I think I'd expand on the text a bit.

The use of the IPA time service is optional. If the infrastructure
already has access to time, either internally or via the Internet, then
the -N option can be used if desired. This will disable the IPA NTP service.

IPA by default enables a time service and this is used by clients. The
benefits of this were seen as:

- Clients and the server will be in the same stratum so should avoid
issues (even if the time is wildly off otherwise).
- For closed networks this may be the only time service available

I don't understand the statement about -N and --force-ntp. I think you
mean that for a server install -N will not configure a time service?

I'm not sure what --force-ntp is supposed to do, isn't it force-ntpd? It
is mentioned later that it will be deprecated. If ntpd isn't available
then how can one force it?


Are you sure that changes made via chronyc are written to configuration
files? I didn't get that impression from the man page.

You make a mention of other platforms but there is little mention of
where this will be abstracted. There is already some abstraction for
NTP_*, is that what you are talking about? Just continuing the use of that?

Strictly speaking, Fedora is not a Red Hat product.


Table looks nice!

I don't see that ipa-server-install or ipa-replica-install have a
force-ntp option.

For -N I think it is more straightforward to say "IPA will not configure
a local time service"

--force-ntp is --force-ntpd on clients

Are any changes planned for --ntp-server?


I think IPA masters just need to restore the ntp files it changed on
install and disable the service. rpm -V will confirm that we got it
right except perhaps the time of the files.

I'm not sure I understand the last 2 steps. It will try to sync time and
if that fails setup chrony? What if it succeeds?

What differences will there be on client vs servers?
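As an added example (not part of this thread nor of FreeIPA's own installer), here is how the pre-install check proposed in the quoted message, "verify that a time service is running and synchronised instead of configuring one", could be done by parsing `chronyc tracking` output. The two sample outputs are constructed, the 300 s limit is the MIT Kerberos default clock skew, and the one-tenth safety margin and all function names are my assumptions.

```python
import re
import shutil
import subprocess

KRB5_MAX_SKEW = 300.0  # seconds; MIT Kerberos default clockskew

# Constructed sample of `chronyc tracking` output on a synchronised host.
SAMPLE_SYNCED = """\
Reference ID    : C0A80101 (ntp.example.test)
Stratum         : 3
Ref time (UTC)  : Thu Jan 01 00:00:00 2020
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000012345 seconds
Frequency       : 1.234 ppm fast
Leap status     : Normal
"""

# Constructed sample where chronyd runs but has not reached any source yet.
SAMPLE_UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
"""


def parse_tracking(text):
    """Return (synchronised, offset_seconds) from `chronyc tracking` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; values may hold ':'
        if sep:
            fields[key.strip()] = value.strip()
    synced = fields.get("Leap status") == "Normal" and fields.get("Stratum", "0") != "0"
    m = re.match(r"([0-9.]+) seconds (slow|fast)", fields.get("System time", ""))
    offset = float(m.group(1)) if m else float("inf")  # unknown offset -> fail safe
    return synced, offset


def time_sync_ok(text, max_skew=KRB5_MAX_SKEW):
    """True when synchronised and the offset is well inside the Kerberos limit.
    The tenth-of-limit margin is an assumption chosen to leave room for drift."""
    synced, offset = parse_tracking(text)
    return synced and offset < max_skew / 10


def check_live_host():
    """Query the running chronyd; None means chronyc is absent, so the installer
    should stop and ask the admin to configure a time service first."""
    if shutil.which("chronyc") is None:
        return None
    out = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True)
    return out.returncode == 0 and time_sync_ok(out.stdout)
```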

