On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote:
That's fine but it doesn't address the original problem: he doesn't want anything managing the clock on his system at all: "some ipa servers in my environment are not permitted to change the clock."
These are LXC containers without the appropriate capabilities to change the clock or to access other hardware. The clock *is* in sync, but this is out of reach for freeipa. Probably you agree that running ntpd is not sufficient for Kerberos. You have to watch it using ntpq -p to verify that it is connected to some peers and that the time is actually in sync with these peers. I don't see any reason why ipactl refuses to start the other services, if ntpd failed to start. There is no indication that the clock is *not* in sync within Kerberos' thresholds. Regards Harri _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org