AFAIK this patch was only posted to Trac, where it was kind of forgotten. Let's move it to the mailing list.

It looks & works fine, ACK for those aspects. But Dmitri had some concerns about the validity of the ticket itself:

Unusual but not critical. In the future this can be an OTP prompt rather than
a password prompt, and making sure time is correct on both sides might be
more critical. I do not see a big problem with a slight delay. Banks now
prompt people for a user name on one page and then for a password on another.
It is a common practice. I would think that decoupling the prompts and
getting people used to it is a benefit rather than a hassle. The trend
of prompting for user and password independently should continue.
We should make it more usable if there are usability concerns, but IMO we
should not be trying to push people back to the traditional notion of "user
name and password are always together". They are not.

It may be common practice, but it doesn't really make sense to temporally split related actions if there's no need for it. It is annoying. In the banks' case, the login pages follow one another; they don't insert some completely unrelated output in the middle of the login process. If we want to teach new expectations to users, ipa-client-install is not the place to do it. The OTP case will work since, with the patch, time is synced before both prompts.

The comment gives a good reason to move the ticket to Backlog, but since we have a fix I'd like to push it.


--
Petr³
From b158c7f22d95cac1e0bf88361c4711e6d4e03150 Mon Sep 17 00:00:00 2001
From: Gabe <[email protected]>
Date: Tue, 18 Feb 2014 19:55:56 -0700
Subject: [PATCH] Fix order of synchronizing time when running
 ipa-client-install

When running ipa-client-install, it asks for the user name, synchronizes time, then asks for the user password,
and this order could be confusing to some users. This changes ipa-client-install to synchronize time
before prompting for user Kerberos authentication.

https://fedorahosted.org/freeipa/ticket/3957
---
 ipa-client/ipa-install/ipa-client-install | 36 ++++++++++++++++---------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 7cc0c33973fb9bd2113b33da7cb1d450b66a49dd..22bf2a18303d5e54faee798963c16902f2feed87 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2203,6 +2203,25 @@ def install(options, env, fstore, statestore):
         # skip this step when run by ipa-server-install as it always configures
         # hostname if different from system hostname
         ipaservices.backup_and_replace_hostname(fstore, statestore, options.hostname)
+   
+    if not options.on_master:
+        # Attempt to sync time with IPA server.
+        # We assume that NTP servers are discoverable through SRV records in the DNS
+        # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+        root_logger.info('Synchronizing time with KDC...')
+        ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
+        synced_ntp = False
+        if ntp_servers:
+            for s in ntp_servers:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                if synced_ntp:
+                    break
+        if not synced_ntp:
+            synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
+        if not synced_ntp:
+            root_logger.warning("Unable to sync time with IPA NTP " +
+                "server, assuming the time is in sync. Please check " +
+                "that 123 UDP port is opened.")
 
     if not options.unattended:
         if (options.principal is None and options.password is None and
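Review bot: the moved NTP sync block is no longer inside a `try:`; in the old location (the removed lines in the next hunk) it sat under `try:` in the Kerberos configuration test, so any exception raised by `ds.ipadns_search_srv()` or `ipaclient.ntpconf.synconce_ntp()` was handled by that block's `except` clauses, whereas here it would propagate out of `install()` unhandled. Either wrap the new block in its own `try:`/`except` with a warning, or confirm that neither call can raise on an unreachable DNS or NTP server. Also, the added line `+   ` right after `backup_and_replace_hostname(...)` contains only spaces; make it an empty line so the patch does not introduce trailing whitespace.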
@@ -2216,23 +2235,6 @@ def install(options, env, fstore, statestore):
         nolog = tuple()
         # First test out the kerberos configuration
         try:
-            # Attempt to sync time with IPA server.
-            # We assume that NTP servers are discoverable through SRV records in the DNS
-            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
-            root_logger.info('Synchronizing time with KDC...')
-            ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
-            synced_ntp = False
-            if ntp_servers:
-                for s in ntp_servers:
-                    synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
-                    if synced_ntp:
-                        break
-            if not synced_ntp:
-                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
-            if not synced_ntp:
-                root_logger.warning("Unable to sync time with IPA NTP " +
-                    "server, assuming the time is in sync. Please check " +
-                    "that 123 UDP port is opened.")
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(
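Review bot: with the sync removed from this `try:` block, `synced_ntp` is now only assigned under `if not options.on_master:` earlier in `install()`; please check that every later read of `synced_ntp` (for example when deciding whether to configure NTP) is still reachable only on that path, otherwise the `on_master` case will hit a NameError. The comment "# First test out the kerberos configuration" now describes the block accurately, since the first statement inside the `try:` is the `tempfile.mkstemp()` call for krb5.conf.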
-- 
1.8.3.1

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
