I've noticed if ntpd is already running on the client when you run the
ipa-client-install, you will get that error. I'm guessing it's using ntpdate
IP ADDRESS to sync time, and cannot do so when the daemon is running.


*Steve*


On Sat, Feb 8, 2014 at 8:34 AM, Mauricio Tavares <raubvo...@gmail.com> wrote:

>       Even though I already have an ntp server, I set up my newly
> created freeipa kdc to do that too (it is a slave to my primary ntp).
>
> I then built a centos host to be the test client. Just to make sure it
> can see and use auth's ntp, I tested with ntpdate:
>
> [root@centos64 ~]# ntpdate auth
>  8 Feb 08:13:35 ntpdate[3251]: adjust time server 10.0.0.11 offset
> -0.003097 sec
> [root@centos64 ~]#
>
> so far so good, so how about running ipa-client-install?
>
> [root@centos64 ~]# hostname
> centos64
> [root@centos64 ~]# ipa-client-install --hostname=`hostname -f`
> Discovery was successful!
> Hostname: centos64.in.domain.com
> Realm: DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: auth.in.domain.com
> BaseDN: dc=domain,dc=com
>
> [so far so good!]
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Password for ad...@domain.com:
>
> But, it had no problems using ntpdate against auth. To add insult to
> injury, the log claims it is using ntpdate:
>
> 2014-02-08T13:14:31Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v
> auth.in.domain.com
> 2014-02-08T13:14:31Z DEBUG stdout=
> 2014-02-08T13:14:31Z DEBUG stderr=
> 2014-02-08T13:14:31Z WARNING Unable to sync time with IPA NTP server,
> assuming the time is in sync. Please check that 123 UDP port is
> opened.
>
> Could it be it is pissed because it was in sync to begin with? I mean,
> if we run the exact command the log file claims to have run,
>
> [root@centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v auth.in.domain.com|
> echo $?
> 0
> [root@centos64 ~]#
>
> We see it was successful.
>
> I am feeling rather clueless here...
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
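A pre-flight check for the situation described in the reply above, as an added example that is not part of either message: ntpdate run without -u sends from UDP port 123, so it cannot bind that port while ntpd (or anything else) already holds it. The function names and the sample `ss -uln` lines are constructed for illustration; on a real client, pipe the live output of `ss -uln` into `ntp_port_busy` before running ipa-client-install.

```shell
#!/bin/sh
# Added example: detect a local process holding UDP 123 before enrolment.
# Input: lines in `ss -uln` format on stdin
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Print every local address bound to port 123.
ntp_listeners() {
    awk '{
        addr = $4                      # Local Address:Port column
        n = split(addr, parts, ":")    # last piece is the port, also for
        if (parts[n] == "123")         # IPv6 forms such as [::]:123 or :::123
            print addr
    }'
}

# Exit status 0 if something is bound to UDP 123, 1 otherwise.
ntp_port_busy() {
    [ -n "$(ntp_listeners)" ]
}

# Constructed sample: ntpd running (wildcard, per-interface and IPv6 sockets).
SAMPLE_NTPD_RUNNING='State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 10.0.0.50:123 0.0.0.0:*
UNCONN 0 0 [::]:123 [::]:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

# Constructed sample: ntpd stopped; port 1234 must not be mistaken for 123.
SAMPLE_NTPD_STOPPED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
UNCONN 0 0 0.0.0.0:1234 0.0.0.0:*'

report() {
    # $1 = label, $2 = ss-style text
    if printf '%s\n' "$2" | ntp_port_busy; then
        echo "$1: UDP 123 is in use; stop the daemon before enrolling"
    else
        echo "$1: UDP 123 is free"
    fi
}

report "ntpd running" "$SAMPLE_NTPD_RUNNING"
report "ntpd stopped" "$SAMPLE_NTPD_STOPPED"
```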