Re-factored my second patch. :)

Gabe


On Tue, Apr 29, 2014 at 8:04 PM, Gabe Alford <redhatri...@gmail.com> wrote:

> Updated patch to not run ntpdate if ntpd is running.
>
> Gabe
>
>
>
> On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>
>> Thanks Petr!
>>
>> Will rework patch to just skip ntpdate if ntpd is already running.
>>
>>
>> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> Hello Gabe!
>>>
>>>
>>> On 25.4.2014 16:28, Gabe Alford wrote:
>>>
>>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>>> not running ntpdate if ntpd was already running. I believe this patch only
>>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>>> master.
>>>>
>>>
>>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>>> potential security hole because an attacker can fake NTP answers and force the
>>> machine to rewind its clock to the past.
>>>
>>> This opens potential for replay attacks/re-using old compromised keys
>>> etc.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>
>>
>>
>
From 9327e377a085cbd0ea80a9e9f2630199e05fe756 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Thu, 8 May 2014 19:47:51 -0600
Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running

https://fedorahosted.org/freeipa/ticket/3735
---
 ipa-client/ipa-install/ipa-client-install | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index afed54e5ddbf5ed985b637f20ac61d8ab1632364..fa70998010be4b9da5254c2546785006d638cb18 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2093,19 +2093,24 @@ def install(options, env, fstore, statestore):
             # We assume that NTP servers are discoverable through SRV records in the DNS
             # If that fails, we try to sync directly with IPA server, assuming it runs NTP
             root_logger.info('Synchronizing time with KDC...')
-            ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
-            synced_ntp = False
-            if ntp_servers:
-                for s in ntp_servers:
-                    synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
-                    if synced_ntp:
-                        break
-            if not synced_ntp:
-                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
-            if not synced_ntp:
-                root_logger.warning("Unable to sync time with IPA NTP " +
+	    ntpd_enabled = ipaservices.knownservices.ntpd.is_running()
+            
+            if not ntpd_enabled:
+                ntp_servers = ds.ipadns_search_srv(cli_domain, '_ntp._udp', None, break_on_first=False)
+                synced_ntp = False
+                if ntp_servers:
+                    for s in ntp_servers:
+                        synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                        if synced_ntp:
+                            break
+                if not synced_ntp:
+                    synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0])
+                if not synced_ntp:
+                    root_logger.warning("Unable to sync time with IPA NTP " +
                     "server, assuming the time is in sync. Please check " +
                     "that 123 UDP port is opened.")
+            else:
+                root_logger.info('The NTP service is already running. Skipping ntpdate sync...')
             (krb_fd, krb_name) = tempfile.mkstemp()
             os.close(krb_fd)
             if configure_krb5_conf(
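Review bot: the added line `ntpd_enabled = ipaservices.knownservices.ntpd.is_running()` is indented with a tab while every surrounding line uses spaces, and the blank line after it carries trailing whitespace; mixed tab/space indentation in Python is fragile (a tab counts as 8 columns, and Python 3 rejects inconsistent use), so re-indent with spaces and drop the trailing whitespace. The name `ntpd_enabled` also misdescribes the check, which is `is_running()`, not whether the service is enabled; `ntpd_running` would match both the log message and the commit subject. Minor: the two continuation lines of the `root_logger.warning(` message were not re-indented along with the call they belong to.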
-- 
1.9.0
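Petr's concern above (an unauthenticated one-shot ntpdate can be fed a fake reply that rewinds the clock) and the patch's rule (skip the one-shot sync when ntpd is already running), as an added Python example that is not FreeIPA code. It constructs its own SNTP reply bytes for the demonstration and assumes a hypothetical policy constant MAX_BACKWARD_STEP; a real client would take t1 and t4 from the socket send and receive times.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
NTP_FMT = "!BBBb11I"            # 48-byte SNTP header: LI/VN/mode, stratum, poll, precision, 11 words
MAX_BACKWARD_STEP = 128.0       # assumed policy: never let a one-shot sync step the clock back more than this

def to_ntp(unix_ts):
    """Unix seconds (float) -> (NTP seconds, 32-bit fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    return secs, int((unix_ts - int(unix_ts)) * 2 ** 32)

def from_ntp(secs, frac):
    """(NTP seconds, 32-bit fraction) -> Unix seconds (float)."""
    return secs - NTP_EPOCH_OFFSET + frac / 2.0 ** 32

def build_server_reply(orig_ts, recv_ts, xmit_ts):
    """Constructed mode-4 (server) reply for the example; only the three timestamps matter."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                        # LI=0, version 4, mode 4 = server
    words = [0] * 5 + list(to_ntp(orig_ts)) + list(to_ntp(recv_ts)) + list(to_ntp(xmit_ts))
    return struct.pack(NTP_FMT, li_vn_mode, 2, 6, -20, *words)  # stratum 2, poll 6, precision -20

def parse_server_reply(data):
    """Return (origin, receive, transmit) as Unix floats, or raise if this is not a usable server reply."""
    fields = struct.unpack(NTP_FMT, data[:48])
    if fields[0] & 0x7 != 4 or fields[1] == 0:   # mode must be 4; stratum 0 is a kiss-o'-death packet
        raise ValueError("not a usable NTP server reply")
    w = fields[4:]                               # root delay, root disp, ref id, ref ts, then the 3 timestamps
    return from_ntp(w[5], w[6]), from_ntp(w[7], w[8]), from_ntp(w[9], w[10])

def clock_offset(t1, t2, t3, t4):
    """Standard SNTP offset of the local clock: ((t2 - t1) + (t3 - t4)) / 2 (RFC 5905)."""
    return ((t2 - t1) + (t3 - t4)) / 2.0

def one_shot_sync_decision(ntpd_running, reply, t1, t4):
    """The patch's rule (skip when ntpd runs) plus sanity checks on what the reply would do to the clock."""
    if ntpd_running:
        return "skip: ntpd already running"     # leave clock discipline to the long-running daemon
    try:
        orig, t2, t3 = parse_server_reply(reply)
    except (ValueError, struct.error) as exc:
        return "reject: %s" % exc
    if abs(orig - t1) > 1e-6:                   # a genuine reply echoes our transmit timestamp
        return "reject: origin timestamp does not echo our request"
    offset = clock_offset(t1, t2, t3, t4)
    if offset < -MAX_BACKWARD_STEP:
        return "refuse: reply would rewind the clock by %.0f s" % -offset
    return "apply: offset %.3f s" % offset
```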
