On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote:


> That's fine but it doesn't address the original problem: he doesn't want
> anything managing the clock on his system at all:
>
> "some ipa servers in my environment are not permitted to change
> the clock."


These are LXC containers without the appropriate capabilities to
change the clock or to access other hardware. The clock *is* in
sync, but this is out of reach for freeipa.

Probably you agree that running ntpd is not sufficient for Kerberos.
You have to watch it using ntpq -p to verify that it is connected to
some peers and that the time is actually in sync with these peers.

I don't see any reason why ipactl refuses to start the other services,
if ntpd failed to start. There is no indication that the clock is
*not* in sync within Kerberos' thresholds.


Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
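
Added example, not part of the original message or of FreeIPA: a small check that parses `ntpq -pn` output and reports whether ntpd has actually selected a reachable peer and whether its offset is inside the Kerberos clock-skew limit. The 300-second limit (the MIT krb5 default `clockskew`), the sample output and all function names are assumptions made for this illustration.

```python
import subprocess

KRB5_CLOCKSKEW_S = 300.0  # assumed: MIT krb5 default clockskew; match your krb5.conf

# Constructed sample of `ntpq -pn` output (documentation addresses, not real peers).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.512    0.231   0.045
+192.0.2.11      192.0.2.10       2 u   12   64  377    1.204   -1.872   0.310
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

def parse_ntpq(text):
    """Return one dict per peer line: tally code, remote, reach, offset in ms."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:          # remote refid st t when poll reach delay offset jitter
            continue
        try:
            peers.append({"tally": tally, "remote": fields[0],
                          "reach": int(fields[6], 8),      # reach register is octal
                          "offset_ms": float(fields[8])})  # ntpq prints milliseconds
        except ValueError:
            continue
    return peers

def check_sync(text, max_skew_s=KRB5_CLOCKSKEW_S):
    """(ok, reason): ok only if a system peer is selected, reachable and in range."""
    peers = parse_ntpq(text)
    if not peers:
        return False, "ntpq listed no peers"
    selected = [p for p in peers if p["tally"] in ("*", "o")]  # sys.peer / PPS peer
    if not selected:
        return False, "no peer selected; ntpd is running but not synchronised"
    peer = selected[0]
    if peer["reach"] == 0:
        return False, "selected peer %s has reach 0" % peer["remote"]
    skew_s = abs(peer["offset_ms"]) / 1000.0
    if skew_s > max_skew_s:
        return False, "offset %.3fs exceeds %.0fs" % (skew_s, max_skew_s)
    return True, "synchronised to %s, offset %.3fs" % (peer["remote"], skew_s)

if __name__ == "__main__":
    out = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True).stdout
    print(check_sync(out))
```

The offset is measured against the NTP peer, not against the KDC, so it is only a proxy for the skew Kerberos will see.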