On 08/15/2014 03:51 PM, Simo Sorce wrote:
On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:
On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
On 08/15/2014 10:33 AM, Redmond, Stacy wrote:

I installed my ipa server with –no-ntp but find that I want to enable
it on my server, and all my replicas.  Is it possible to do post install?
Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
isn’t integrated with FreeIPA as much as it’s a good idea to run it
along side FreeIPA/; Kerberos and other crypto operations depend on good
time-sync. All you need to do to [...]
Thanks for the instructions, Lucas.

Adding it may be easy, but users don't necessarily know that, so it
would make sense to provide an ipa-ntp-install command to take care of
all the details.
I filed a RFE for ipa-ntp-install:
IIRC Ntpd also supports an interface (may require patching) to allow
signing packets (I remember vaguely samba AD has an interface for this).

Maybe we should open a ticket to make use of that too and really
formally integrate and configure ntpd to sign outgoing packets.


I just wanted to add 2 points that may or may not apply to you:

1. The RHEL7 IdM guide recommends *not* running NTP on an IdM server that is on a VM:


It's not entirely clear to me whether this still holds true today or if it's an old documentation artifact.

2. For RHEL 7, the default time service is chronyd, not ntpd. From my readings it appears that chronyd is primarily for "mobile" devices like laptops. If you're running IdM on a RHEL 7 server then I'd suggest masking the chronyd service (systemctl mask chronyd) and enabling ntpd just as outlined
    in the OSE-IdM reference architecture:


See sections 2.2.5 Time Services (ntpd, chronyd) and 4.5 Configure Time Service (NTP).


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to