On 22/11/16 23:15, Gabe Alford wrote:
I would say that it is worth keeping in FreeIPA. I know myself and some
customers use its functionality by having the clients sync to the IPA
servers and have the servers sync to the NTP source. This way if the NTP
source ever gets disrupted for long periods of time (which has happened in
my environment) the client time drifts with the authentication source. This
is the way that AD often works and is configured.

Hello Gabe,
I agree that it's common practice to synchronize all nodes in the network with a single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let the FreeIPA installer take care of it. But I don't think FreeIPA should do it; IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations the FreeIPA installer makes it worse.

Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy

Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable, all clients will be able to contact the KDC on the other server thanks to DNS autodiscovery in libkrb5, but will be unable to synchronize time.


On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jchol...@redhat.com> wrote:

On 22.11.2016 13:06, Petr Spacek wrote:

On 22.11.2016 12:15, David Kupka wrote:

Hello everyone!

Is it worth it to keep configuring NTP in FreeIPA?

In a usual environment there are no special requirements for time synchronization and the distribution default (be it ntpd, chrony or anything else) will just work. Any tampering with the configuration can't make it any better.

In an environment with special requirements (network disconnected from the public internet, nodes disconnected from the topology for a longer time, ...) time synchronization must be taken care of accordingly by the system administrator and FreeIPA simply can't help here.

Also there are problems and weird behavior with the current FreeIPA installers:

* ipa-client-install replaces all servers in /etc/ntp.conf with the ones specified by the user or resolved from DNS. If none were provided or resolved, the FreeIPA server specified/resolved during installation is used. This leads to just a single server in the configuration and no time synchronization when this server is down/decommissioned.

* ipa-client-install replaces the NTP configuration. If there were any parts previously edited by the system administrator, they are lost.

* ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf. What's the point in doing that? These servers are already in the configuration file installed with the ntp package.

I have NTP-related WIP patches that solve some of the issues but in general I would prefer to remove the whole thing together with documenting "Please make sure that time on all FreeIPA servers and clients is synchronized. On most distributions this was already done during system installation."

Can we mark NTP options deprecated in 4.5 and remove them and stop touching any time syncing service in 4.6?


Considering that the default config is just fine for normal cases, and given how poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get out of the configuration management business.


+1

--
Jan Cholasta


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

--
David Kupka
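As an added example (not code from the thread or from FreeIPA), a small check for the failure mode David describes above: a client /etc/ntp.conf left with a single `server` line, so time sync is lost when that one IPA server is down. The function and sample names are assumed; the sample configs are constructed, and the platform name in the pool hostname is an assumption.

```python
"""Added example (not FreeIPA code): detect the single-upstream /etc/ntp.conf
that ipa-client-install is said to leave behind, so a client loses time sync
when that one IPA server is down. Sample configs below are constructed."""

SOURCE_DIRECTIVES = {"server", "pool", "peer"}  # ntpd keywords naming a time source

def parse_sources(conf_text):
    """Return (directive, host) pairs from ntp.conf text, skipping comments."""
    sources = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if len(parts) > 1 and parts[0] in SOURCE_DIRECTIVES:
            sources.append((parts[0], parts[1].lower()))
    return sources

def check_redundancy(conf_text, min_sources=2):
    """'redundant' is True when the config survives losing any one upstream:
    a `pool` line resolves to several addresses, otherwise at least
    min_sources distinct server/peer hosts are required."""
    sources = parse_sources(conf_text)
    hosts = sorted({h for _, h in sources})
    has_pool = any(d == "pool" for d, _ in sources)
    return {"hosts": hosts, "has_pool": has_pool,
            "redundant": has_pool or len(hosts) >= min_sources}

# Constructed sample 1: the single-server file the thread describes.
CLIENT_CONF_SINGLE = """\
driftfile /var/lib/ntp/drift
server ipa1.example.org
"""

# Constructed sample 2: both IPA servers plus a distribution pool entry
# (the platform name in the pool hostname is assumed).
CLIENT_CONF_REDUNDANT = """\
driftfile /var/lib/ntp/drift
server ipa1.example.org iburst
server ipa2.example.org iburst
pool 0.fedora.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("single", CLIENT_CONF_SINGLE), ("redundant", CLIENT_CONF_REDUNDANT)):
        print(name, check_redundancy(conf))
```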
