On 24.11.2016 20:31, Gabe Alford wrote:
On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti <mba...@redhat.com> wrote:



    On 24.11.2016 16:11, Gabe Alford wrote:
    On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mba...@redhat.com> wrote:



        On 24.11.2016 07:06, David Kupka wrote:

            On 22/11/16 23:15, Gabe Alford wrote:

                I would say that it is worth keeping in FreeIPA. I know myself and some
                customers use its functionality by having the clients sync to the IPA
                servers and having the servers sync to the NTP source. This way, if the NTP
                source ever gets disrupted for long periods of time (which has happened in
                my environment), the client time drifts with the authentication source. This
                is the way that AD often works and is configured.


            Hello Gabe,
            I agree that it's common practice to synchronize all nodes in a
            network with a single source in order to have the same time and
            save bandwidth. Also, I understand that it's comfortable to let the
            FreeIPA installer take care of it. But I don't think FreeIPA should
            do it; IMO this is a job for Ansible or a similar tool. Also, the
            problem is that in some situations the FreeIPA installer makes it worse.

            Example:

            1. Install FreeIPA server (ipa1.example.org)
            2. Install FreeIPA client on all nodes in the network
            3. Install a replica (ipa2.example.org) of the FreeIPA server to increase
            redundancy


    Why not have NTP look at _srv_ records?

    Do NTP clients support this natively? I just found some ugly hacks
    for chrony, i.e. an extra service that dynamically changes the config
    file.
    But yes, this may be a way too, but dirty.


You are right. It is ugly. I wonder if we can push to make it not so ugly, so that _srv_ is used for both Chrony and NTP, which IMO makes those two products better. If not, and the desire is truly to get rid of chrony/ntp configuration on the client side, what about adding Chrony and NTP configuration to ipa-advise?

And I realized that this may be applicable only if IPA is installed with integrated DNS, when IPA automatically updates system services DNS records. With external DNS we will bother admins to create SRV records, so it is the same as creating DHCP configuration.

We can add it to ipa-advise.

Martin^2

            Now all the clients have ipa1.example.org as the only server in
            /etc/ntp.conf. If the first FreeIPA server becomes unreachable,
            all clients will be able to contact the KDC on the other server
            thanks to DNS autodiscovery in libkrb5, but will be unable to
            synchronize time.


        This can be resolved by DHCP-configured NTP. When the NTP server
        changes, you just change the DHCPd config and the hosts' conf will be
        synced.
        We may keep NTP on the IPA server side configured, but I'm voting
        for removing it from clients and documenting + endorsing people to
        use DHCP (anyway, distros have always enabled some time
        synchronization, so it should naturally work without it even in
        small deployments).


    If NTP is still configured on the IPA server, this may be less of
    an issue. Not everyone has been/is/will be using Ansible. Also, in
    secure environments, DHCP is not allowed/used at all.

        Also, NTP is somehow incompatible with containers: usually
        containers have time synchronized from the host, and by default
        the IPA client container doesn't do NTP configuration.


    Isn't that what the --no-ntp option in the client is for anyway?


        Let's deprecate it in 4.5.

        Martin^2




                On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jchol...@redhat.com> wrote:

                    On 22.11.2016 13:06, Petr Spacek wrote:

                        On 22.11.2016 12:15, David Kupka wrote:

                            Hello everyone!

                            Is it worth keeping NTP configuration in FreeIPA?

                            In the usual environment there are no special
                            requirements for time synchronization, and the
                            distribution default (be it ntpd, chrony or
                            anything else) will just work. Any tampering with
                            the configuration can't make it any better.

                            In an environment with special requirements
                            (network disconnected from the public internet,
                            nodes disconnected from the topology for a longer
                            time, ...) time synchronization must be taken care
                            of accordingly by the system administrator, and
                            FreeIPA simply can't help here.

                            Also, there are problems and weird behavior with
                            the current FreeIPA installers:

                            * ipa-client-install replaces all servers in
                            /etc/ntp.conf with the ones specified by the user
                            or resolved from DNS. If none were provided nor
                            resolved, the FreeIPA server specified/resolved
                            during installation is used. This leads to just a
                            single server in the configuration and no time
                            synchronization when this server is
                            down/decommissioned.

                            * ipa-client-install replaces the NTP
                            configuration. If there were any parts previously
                            edited by the system administrator, they're lost.

                            * ipa-server-install adds
                            {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
                            What's the point in doing that? These servers are
                            already in the configuration file installed with
                            the ntp package.

                            I have NTP-related WIP patches that solve some of
                            the issues, but in general I would prefer to
                            remove the whole thing together with documenting
                            "Please make sure that time on all FreeIPA servers
                            and clients is synchronized. On most distributions
                            this was already done during system installation."

                            Can we mark NTP options deprecated in 4.5 and
                            remove them and stop touching any time syncing
                            service in 4.6?


                        Considering that the default config is just fine
                        for normal cases, and given how poorly integrated it
                        is into FreeIPA, I agree with David. FreeIPA should
                        get out of the configuration management business.


                    +1

-- Jan Cholasta


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
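The two mechanisms argued about above, SRV-record discovery of NTP servers (Gabe's suggestion) and an installer that overwrites the whole NTP config instead of merging into it (David's second bullet), as an added example that is not FreeIPA, chrony or any poster's code: the script orders constructed `_ntp._udp.example.org` SRV records by priority and weight, flags the single-source case, and merges the result into a constructed chrony.conf fragment while leaving the administrator's other directives alone. The zone name, the records, the config fragment and the `offline_resolver` stand-in are all assumptions made for the example; a real deployment would issue a DNS SRV query instead.

```python
"""Discover NTP servers from DNS SRV records and merge them into a chrony
configuration without discarding the administrator's other directives.

Added example, not FreeIPA or chrony code. The zone, the SRV answer and the
chrony.conf fragment are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SrvRecord:
    """One SRV resource record (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for a hypothetical _ntp._udp.example.org. SRV lookup.
CONSTRUCTED_SRV: Dict[str, List[SrvRecord]] = {
    "_ntp._udp.example.org.": [
        SrvRecord(priority=0, weight=100, port=123, target="ipa1.example.org."),
        SrvRecord(priority=0, weight=50, port=123, target="ipa2.example.org."),
        SrvRecord(priority=10, weight=0, port=123, target="ntp-backup.example.org."),
    ],
}

# Constructed /etc/chrony.conf fragment: a distribution pool line plus
# directives the administrator edited by hand.
CONSTRUCTED_CHRONY_CONF = """\
pool 2.fedora.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
"""


def offline_resolver(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query so the example runs offline."""
    return CONSTRUCTED_SRV.get(name, [])


def discover_ntp_servers(
    domain: str,
    resolve: Callable[[str], List[SrvRecord]] = offline_resolver,
) -> List[str]:
    """Return NTP targets ordered by SRV priority (lowest first) and then
    weight (highest first), trailing dots stripped. Empty when the zone
    publishes no _ntp._udp record."""
    records = resolve(f"_ntp._udp.{domain.rstrip('.')}.")
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
    return [r.target.rstrip(".") for r in ordered]


def has_redundancy(servers: List[str]) -> bool:
    """A lone source means no time sync once that host is down or
    decommissioned, so insist on at least two."""
    return len(servers) >= 2


def _directive(line: str) -> str:
    """First word of a config line ('' for blank lines)."""
    parts = line.split(None, 1)
    return parts[0] if parts else ""


def merge_chrony_conf(existing: str, servers: List[str]) -> str:
    """Replace only 'server' and 'pool' directives with the discovered
    servers; every other line (driftfile, makestep, ...) is preserved."""
    kept = [ln for ln in existing.splitlines()
            if _directive(ln) not in ("server", "pool")]
    new = [f"server {host} iburst" for host in servers]
    return "\n".join(new + kept) + "\n"


if __name__ == "__main__":
    found = discover_ntp_servers("example.org")
    if not has_redundancy(found):
        print("warning: fewer than two NTP sources found")
    print(merge_chrony_conf(CONSTRUCTED_CHRONY_CONF, found), end="")
```

Keeping the merge limited to `server`/`pool` lines is the point: the hand-edited `driftfile` and `makestep` directives survive, which is exactly what the thread says the installer's wholesale replacement of the file does not do. Swapping `offline_resolver` for a real lookup is a one-argument change to `discover_ntp_servers`.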










