On 24.11.2016 16:11, Gabe Alford wrote:
On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mba...@redhat.com
On 24.11.2016 07:06, David Kupka wrote:
On 22/11/16 23:15, Gabe Alford wrote:
I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way, if the NTP source ever gets disrupted for long periods of time (which has happened in my environment), the client time drifts with the authentication source. This is the way that AD often works and is configured.
I agree that it's common practice to synchronize all nodes in a network with a single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let the FreeIPA installer take care of it.
But I don't think FreeIPA should do it; IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations the FreeIPA installer makes it worse.
1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in the network
3. Install replica (ipa2.example.org) of FreeIPA server to increase
Why not have NTP look at SRV records?
Do NTP clients support this natively? I just found some ugly hacks for chrony, i.e. an extra service that is dynamically changing the config file. But yes, this may be a way too, but dirty.
Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable, all clients will be able to contact the KDC on the other server thanks to DNS autodiscovery in libkrb5, but will be unable to synchronize time.
This can be resolved by DHCP-configured NTP. When the NTP server changes, you just change the DHCPd config and the hosts' configuration will be synced.
We may keep NTP configured on the IPA server side, but I'm voting for removing it from clients and documenting and endorsing the use of DHCP (anyway distros have always enabled some time synchronization, so it should naturally work without it even in small deployments).
If NTP is still configured on the IPA server, this may be less of an issue. Not everyone has/is/will be using Ansible. Also in secure
is not allowed/used at all.
Also NTP is somehow incompatible with containers; usually containers have time synchronized from the host, and by default the IPA client container doesn't do NTP configuration.
Isn't that what the --no-ntp option in the client is for anyway?
Let's deprecate it in 4.5.
On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jchol...@redhat.com> wrote:
On 22.11.2016 13:06, Petr Spacek wrote:
On 22.11.2016 12:15, David Kupka wrote:
Is it worth keeping NTP configuration in FreeIPA?
In the usual environment there are no special requirements for time and the distribution default (be it ntpd, chrony or anything else) will work. Any tampering with the configuration can't make it any better.
In an environment with special requirements (network disconnected from the internet, nodes disconnected from the topology for a longer time, ...) time synchronization must be taken care of accordingly by system
FreeIPA simply can't help here.
Also there are problems and weird behavior with the current FreeIPA
* ipa-client-install replaces all servers in /etc/ntp.conf with the ones specified by the user or resolved from DNS. If none were provided nor resolved, the FreeIPA server specified/resolved during installation is used. This means just a single server in the configuration and no time synchronization when the server is down/decommissioned.
* ipa-client-install replaces the NTP configuration. If there was any previously edited by the system administrator it's
* ipa-server-install adds PLATFORM.pool.ntp.org to /etc/ntp.conf. What's the point in doing that? These servers are already in the file installed with the ntp package.
I have NTP-related WIP patches that solve some of the issues but I would prefer to remove the whole thing together with documenting "Please make sure that time on all FreeIPA servers and clients is synchronized. On distributions this was already done during
Can we mark NTP options deprecated in 4.5 and remove them and stop any time syncing service in 4.6?
Considering that the default config is just fine for normal cases, and given how poorly integrated it is into FreeIPA, I agree with David. FreeIPA should get out of the configuration management business.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
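The thread above names two concrete failure modes of the client-side NTP handling: ipa-client-install leaves a single IPA server in /etc/ntp.conf (so time synchronization stops when that server is down or decommissioned), and it overwrites sources the administrator had already configured. It also asks whether SRV records could drive the server list. The following added example, which is not FreeIPA code and not from any participant in the thread, shows a merge-instead-of-replace approach that keeps existing `server`/`pool` lines, appends every IPA replica found in (constructed, inline) `_ntp._udp` SRV records in RFC 2782 priority/weight order, and audits a config for the single-source condition. Live SRV resolution is deliberately left out (it would need dnspython or a resolver call); the `SrvRecord` type, the sample config, and the `# added by ipa-client (example)` marker are all assumptions made for this example.

```python
"""Added example (not FreeIPA's code): resilient NTP source handling.

Merges IPA servers into an existing ntp.conf/chrony.conf instead of
replacing it, derives the server list from SRV records, and audits the
result for the "only one server configured" failure mode.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ntp._udp SRV record (hypothetical type; values are constructed)."""
    priority: int
    weight: int
    port: int
    target: str


# Matches the source directives shared by ntpd and chrony: server/pool/peer.
SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def order_srv(records):
    """Return target hostnames in RFC 2782 order: lowest priority first,
    then higher weight first. The weighted-random tie-break RFC 2782
    describes is simplified here to a deterministic sort by name."""
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target.rstrip(".") for r in ordered]


def existing_sources(conf_text):
    """Return (directive, host) pairs already present in the config text."""
    found = []
    for line in conf_text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def merge_sources(conf_text, ipa_servers, marker="# added by ipa-client (example)"):
    """Append IPA servers as 'server <host> iburst' lines without dropping
    anything the administrator configured. Returns (new_text, added_hosts).
    Idempotent: hosts already present are skipped."""
    have = {host.lower() for _, host in existing_sources(conf_text)}
    lines = conf_text.rstrip("\n").splitlines()
    added = []
    for host in ipa_servers:
        if host.lower() not in have:
            lines.append(f"server {host} iburst {marker}")  # marker is a hypothetical tag
            have.add(host.lower())
            added.append(host)
    return "\n".join(lines) + "\n", added


def audit_sources(conf_text, minimum=2):
    """Flag the single-server condition described in the thread.
    A 'pool' directive expands to several servers, so it counts as resilient."""
    sources = existing_sources(conf_text)
    pools = [host for directive, host in sources if directive == "pool"]
    resilient = len(sources) >= minimum or bool(pools)
    return {"sources": len(sources), "pools": len(pools), "resilient": resilient}


# Constructed sample: an /etc/ntp.conf the administrator already edited.
ADMIN_CONF = """\
# constructed sample ntp.conf with one administrator-added source
driftfile /var/lib/ntp/drift
server ntp.corp.example iburst
"""

# Constructed sample: SRV answers for _ntp._udp.example.org (not real DNS data).
SRV_SAMPLE = [
    SrvRecord(priority=0, weight=100, port=123, target="ipa1.example.org."),
    SrvRecord(priority=0, weight=100, port=123, target="ipa2.example.org."),
    SrvRecord(priority=10, weight=50, port=123, target="ipa3.example.org."),
]


def demo():
    """Run the merge on the constructed samples and return the audit results."""
    before = audit_sources(ADMIN_CONF)
    merged, added = merge_sources(ADMIN_CONF, order_srv(SRV_SAMPLE))
    after = audit_sources(merged)
    return {"before": before, "added": added, "after": after, "conf": merged}


if __name__ == "__main__":
    result = demo()
    print(result["conf"])
    print("before:", result["before"], "after:", result["after"])
```

The audit is the check worth running after any installer touches the file: a result of one `server` line and no `pool` is exactly the state the thread complains about. Because `merge_sources` only appends hosts that are not already present, rerunning it after a replica is added grows the list instead of resetting it.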