On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
> I installed my ipa server with --no-ntp but find that I want to enable
> it on my server, and all my replicas. Is it possible to do post install?
>
> Stacy Redmond | Unix/Linux System Administrator
> Build Engineering | Bluedof California
> 4203 Town Center Boulevard | El Dorado Hills, CA 95762
> Desk: 916.350.7912 | FAX: 916.350.8943
> Email: Stacy [email protected]

Yes, you can do that. There's no |ipa-ntp-install| command, because NTP isn't
integrated with FreeIPA as much as it's a good idea to run it alongside FreeIPA;
Kerberos and other crypto operations depend on good time-sync. All you need to
do to replicate the default |ipa-server-install| behavior (without --no-ntp) is
enable inbound connections to ntpd, add the other servers to its server list,
and for extra credit add an SRV resource record for each server. (Does anything
actually use the SRV records?)

ntpd(8) should be installed, but make sure; it's usually just called "ntp".
You'll then need to open UDP port 123 and configure the daemon appropriately.
Here's an example |/etc/ntp.conf| file (it assumes there are two other servers
in the cluster, ipa2 and ipa3; edit as you see fit):

    # ntp.conf
    #
    # Keep ntpd from panicking in the event of a large clock skew
    # when a VM guest is suspended and resumed.
    # (disable this if running on a physical machine with a battery-backed RTC)
    tinker panic 0

    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1

    # Servers
    server 0.pool.ntp.org
    server 1.pool.ntp.org
    server 2.pool.ntp.org
    server 3.pool.ntp.org
    server ipa2.example.com
    server ipa3.example.com

    # Undisciplined Local Clock. This is a fake driver intended for backup
    # and when no outside source of synchronized time is available.
    # (disable this if running on a virtual machine)
    server 127.127.1.0   # local clock
    fudge 127.127.1.0 stratum 10

    # Driftfile.
    driftfile /var/lib/ntp/drift

Run this command to add an SRV RR for ipa1.example.com (don't forget the
trailing dot):

    ipa dnsrecord-add example.com _ntp._udp --srv-priority=0 --srv-weight=100 --srv-port=123 --srv-target=ipa1.example.com.

--
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
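As an added example (not part of the thread above, and not FreeIPA's or ntp's own tooling), the script below parses an ntp.conf in the layout shown in the reply, checks that the "restrict default" rules still carry the flags that keep remote hosts from querying or modifying ntpd (kod, nomodify, notrap, nopeer, noquery), picks out the IPA peers from the server list, and generates the matching "ipa dnsrecord-add" command for each one with the trailing dot the reply warns about. The embedded config and the hostnames ipa1/ipa2/ipa3.example.com are constructed sample data.

```python
"""Audit an ntp.conf for open query/modify access and emit _ntp._udp SRV records.

Added example: the sample config below is constructed to mirror the reply's
/etc/ntp.conf; the hostnames are placeholders, not a real deployment.
"""
import shlex

# Flags a 'restrict default' rule should carry so that remote hosts can get
# time from ntpd but cannot read its state (ntpq/ntpdc) or change it.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

# Constructed sample, same structure as the config in the reply.
SAMPLE_NTP_CONF = """\
tinker panic 0
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org
server ipa2.example.com
server ipa3.example.com
server 127.127.1.0   # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
"""


def parse_ntp_conf(text):
    """Return (servers, restrict_rules); comments and blank lines are ignored."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = shlex.split(line)
        keyword, args = parts[0], parts[1:]
        if keyword == "server" and args:
            servers.append(args[0])
        elif keyword == "restrict" and args:
            if args[0] in ("-4", "-6"):       # optional address-family switch
                args = args[1:]
            restricts.append((args[0], set(args[1:])))
    return servers, restricts


def audit_restrictions(restricts):
    """Describe weaknesses in the default restrict rules; empty list means OK."""
    problems = []
    defaults = [flags for addr, flags in restricts if addr == "default"]
    if not defaults:
        problems.append("no 'restrict default' rule: ntpd is fully open")
    for flags in defaults:
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            problems.append("default rule missing " + ",".join(sorted(missing)))
    return problems


def is_refclock(host):
    """True for reference-clock pseudo addresses such as 127.127.1.0."""
    return host.startswith("127.127.")


def ipa_peers(servers, zone):
    """Servers inside the IPA zone, excluding pool hosts and reference clocks."""
    return [s for s in servers if s.endswith("." + zone) and not is_refclock(s)]


def srv_commands(zone, ipa_servers):
    """One 'ipa dnsrecord-add' per IPA server; the target gets its trailing dot."""
    cmds = []
    for host in ipa_servers:
        target = host if host.endswith(".") else host + "."
        cmds.append(
            f"ipa dnsrecord-add {zone} _ntp._udp --srv-priority=0 "
            f"--srv-weight=100 --srv-port=123 --srv-target={target}"
        )
    return cmds


if __name__ == "__main__":
    servers, restricts = parse_ntp_conf(SAMPLE_NTP_CONF)
    for problem in audit_restrictions(restricts) or ["restrict rules look fine"]:
        print(problem)
    # Each IPA server in the cluster gets its own SRV record.
    for cmd in srv_commands("example.com", ipa_peers(servers, "example.com")):
        print(cmd)
```

Run it against a real /etc/ntp.conf by passing the file contents to parse_ntp_conf; anything reported by audit_restrictions means remote hosts can query or reconfigure the daemon, which is the configuration the reply's restrict lines exist to prevent.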
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
