On Wed, 30 Nov 2016, Rob Crittenden wrote:
David Kupka wrote:
On 29/11/16 18:10, Alexander Bokovoy wrote:
Still, bug reports and users' complaints are the only external measure we
have. There is close to nothing in complaints about NTP functionality,
other than requests to support chronyd and a better discovery of existing
NTP setups. I don't think that requires dramatic action like removal of
NTP support at all.
As Petr already pointed out, since Fedora 16 chronyd is enabled by
default and ipa-client-install doesn't configure time synchronization
when chronyd is enabled.
I believe that the majority of users haven't used '--force-ntpd' and since
it still worked they haven't filed any ticket.
IMO in this case no bug reports means no users rather than no bugs or
Unfortunately, this is just my guess and AFAIK we don't have any data
from users showing how they use FreeIPA.
For argument's sake, let's say NTP configuration in the client is
dropped and managed by the OS or other administrators.
What implication does this have for configuring NTP server on masters?
Would that be stopped as well? What about existing installs?
Here is the problem: in a Kerberos realm, services must have time
synchronized with the KDC. The patches from StefW which added the ability to
record a time skew between the Kerberos client and KDC do not apply to
Kerberos client - Kerberos service communication.
Given that IPA clients can host Kerberos services (at the very least,
SSH is such a service), this practically means they need to have a time
source that is synchronized with the KDC(s) they are talking to.
To me this means we should not really remove NTP configuration but
instead expand ntpd support to cover chronyd as well.
I don't believe there is a precedent for removing a service from IPA.
Neither do I.
/ Alexander Bokovoy