On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote:
> That's fine but it doesn't address the original problem: he doesn't want
> anything managing the clock on his system at all:
> "some ipa servers in my environment are not permitted to change

These are LXC containers without the appropriate capabilities to
change the clock or to access other hardware. The clock *is* in
sync, but this is out of reach for freeipa.
Probably you agree that running ntpd is not sufficient for Kerberos.
You have to watch it using ntpq -p to verify that it is connected to
some peers and that the time is actually in sync with these peers.
I don't see any reason why ipactl refuses to start the other services,
if ntpd failed to start. There is no indication that the clock is
*not* in sync within Kerberos' thresholds.
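
Added example, not part of the original message or of FreeIPA: a shell check of the kind the message describes, parsing `ntpq -p` output to confirm that a system peer is selected and that its offset is inside the Kerberos clock-skew limit. The function name, the sample output and the 300-second default (MIT Kerberos' default `clockskew`) are assumptions of this example.

```shell
#!/bin/sh
# Constructed `ntpq -p` samples (not captured from a real host).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   35   64  377    0.512    0.214   0.087
+ntp2.example.net 192.0.2.11       2 u   12   64  377    0.634   -1.102   0.120'

SAMPLE_NO_PEER='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# check_ntp_sync [MAX_SKEW_SECONDS]  -- reads `ntpq -p` output on stdin.
# Exit 0: a system peer ("*" tally code) is selected, has been reached,
#         and its offset is below the limit.
# Exit 2: no system peer; 3: peer never reached; 4: offset too large.
# The 300 s default is MIT Kerberos' default clockskew (an assumption here;
# the thread does not state the configured value).
check_ntp_sync() {
    awk -v max_s="${1:-300}" '
        /^ *remote/ || /^=+$/ { next }          # header and ruler lines
        substr($0, 1, 1) == "*" {               # "*" marks the selected peer
            peer = $1; reach = $7 + 0; offset_ms = $9 + 0   # offset is in ms
        }
        END {
            if (peer == "") { print "no system peer selected"; exit 2 }
            if (reach == 0) { print "peer never reached";      exit 3 }
            if (offset_ms < 0) offset_ms = -offset_ms
            if (offset_ms / 1000 >= max_s + 0) { print "offset too large"; exit 4 }
            printf "in sync with %s, offset %.3f ms\n", substr(peer, 2), offset_ms
        }'
}

# On a live host: ntpq -p | check_ntp_sync 300
printf '%s\n' "$SAMPLE_SYNCED"  | check_ntp_sync 300
printf '%s\n' "$SAMPLE_NO_PEER" | check_ntp_sync 300 || echo "exit status $?"
```

A running ntpd with no `*` line fails this check, which is the distinction the message draws between "ntpd is running" and "the clock is in sync".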