Tibor Dudlák via FreeIPA-devel wrote:
> Hello FreeIPA-devel listfellow beings!
> I would like to continue the discussion started in , and find
> While using the Single-Sign-on authentication provided via an MIT
> Kerberos KDC there must not be any significant clock skew between
> server and clients so a time synchronization service is required.
> Red Hat Enterprise Linux is about to deprecate ntpd service and will
> support chronyd instead. This will happen in release 8 and by this time
> we should agree on some changes in IPA - whether to remove or replace the
> already used ntpd service. I would like to sum up this change in a design
> page but there should be an agreement first.
> IPA, as is, checks the system configuration and if there is an NTP service
> configured and running then it forces ntpd, meaning it disables any other
> NTP service. It also alters its configuration, and restarts the NTP
> service instance.
> We may now want to consider, as the time sync service change is required,
> to NOT configure a service that is not a part of the identity management
> such as NTP, and leave it to system/IPA administrators.
> IPA install script may only check whether there is an NTP service running
> and if not, it would ask the administrator to configure it before the IPA
> Upgrade of IPA might be more complicated because there will be the ntpd
> service entry in LDAP, and the service will be up and running. I would
> suggest that we do not remove any working ntpd service already
> configured but only disown it from IPA's LDAP tree.
> I will be glad for any input from you people and hopefully there will be
> an acceptable solution for this soon :)
A few comments on
This is mostly off the top of my head so don't take verbatim please :-)
Time is also important for 389-ds replication.
"ntpd is being deprecated in Fedora28 therefore IPA should deprecate it
nit: add space between Fedora and 28
Drop "On the other hand " and "a"
Under Use Cases I think I'd expand on the text a bit.
The use of the IPA time service is optional. If the infrastructure
already has access to time, either internally or via the Internet, then
the -N option can be used if desired. This will disable the IPA NTP service.
IPA by default enables a time service and this is used by clients. The
benefits of this were seen as:
- Clients and the server will be in the same stratum so should avoid
issues (even if the time is wildly off otherwise).
- For closed networks this may be the only time service available
I don't understand the statement about -N and --force-ntp. I think you
mean that for a server install -N will not configure a time service?
I'm not sure what --force-ntp is supposed to do, isn't it force-ntpd? It
is mentioned later that it will be deprecated. If ntpd isn't available
then how can one force it?
Are you sure that changes made via chronyc are written to configuration
files? I didn't get that impression from the man page.
You make a mention of other platforms but there is little mention of
where this will be abstracted. There is already some abstraction for
NTP_*, is that what you are talking about? Just continuing the use of that?
Strictly speaking, Fedora is not a Red Hat product.
Table looks nice!
I don't see that ipa-server-install or ipa-replica-install have a
For -N I think it is more straightforward to say "IPA will not configure
a local time service"
--force-ntp is --force-ntpd on clients
Are any changes planned for --ntp-server?
I think IPA masters just need to restore the ntp files it changed on
install and disable the service. rpm -V will confirm that we got it
right except perhaps the time of the files.
I'm not sure I understand the last 2 steps. It will try to sync time and
if that fails setup chrony? What if it succeeds?
What differences will there be on client vs servers?
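As an added illustration of the pre-install check the thread proposes (IPA only verifying that a time synchronisation service is running and that the clock offset is acceptable, instead of configuring one itself), here is a small POSIX shell script; it is not FreeIPA's code. It assumes systemd unit names chronyd and ntpd, the line format of `chronyc tracking` output, and krb5's default maximum clock skew of 300 seconds; the tracking output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not FreeIPA code: check that a time service is running and
# that the system clock offset is within a Kerberos-tolerable skew.
# Assumptions: systemd units "chronyd"/"ntpd", "chronyc tracking" output format,
# krb5's default clockskew of 300 seconds.

MAX_SKEW_SECONDS=300

# Print the name of the first active time service (chronyd preferred), or
# return 1 if neither is active. Silently returns 1 where systemctl is absent.
active_time_service() {
    for svc in chronyd ntpd; do
        if command -v systemctl >/dev/null 2>&1 \
           && systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "$svc"
            return 0
        fi
    done
    return 1
}

# Read "chronyc tracking" output on stdin and print the absolute value of the
# "System time" offset in seconds. The relevant line looks like:
#   System time     : 0.000412345 seconds slow of NTP time
chrony_offset_seconds() {
    awk '/^System time/ {
            sub(/^[^:]*:[ \t]*/, "")   # drop the "System time : " label
            v = $1
            sub(/^[-+]/, "", v)        # keep the magnitude only
            print v
            exit
         }'
}

# Return 0 if the offset (decimal seconds) is at most MAX_SKEW_SECONDS.
offset_within_skew() {
    awk -v o="$1" -v m="$MAX_SKEW_SECONDS" 'BEGIN { exit !(o + 0 <= m + 0) }'
}

# Constructed sample of "chronyc tracking" output used for the offline demo.
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp.example.test)
Stratum         : 3
System time     : 0.000412345 seconds slow of NTP time
Last offset     : +0.000102000 seconds'

# Live check a pre-install script could run; prints advice instead of failing.
check_host_time_service() {
    if svc=$(active_time_service); then
        echo "time service running: $svc"
        if [ "$svc" = chronyd ] && command -v chronyc >/dev/null 2>&1; then
            off=$(chronyc tracking 2>/dev/null | chrony_offset_seconds)
            if [ -n "$off" ] && offset_within_skew "$off"; then
                echo "clock offset ${off}s is within ${MAX_SKEW_SECONDS}s"
            else
                echo "clock offset '${off}' exceeds ${MAX_SKEW_SECONDS}s or is unknown"
            fi
        fi
    else
        echo "no time service running; configure chronyd or ntpd before installing IPA"
    fi
}

# Offline demonstration on the constructed sample.
sample_off=$(printf '%s\n' "$SAMPLE_TRACKING" | chrony_offset_seconds)
echo "sample offset: ${sample_off}s"
check_host_time_service
```

The offset parser deliberately prints the field as a string rather than a number so that awk's default numeric output format does not round the sub-millisecond value; the comparison function converts it to a number only at the point of the threshold check.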
FreeIPA-devel mailing list -- email@example.com