Hello All.
There are several good NTP servers/clients. And different Linux
distributions
use them (not only ntpd or chronyd). But FreeIPA chose ntpd strictly. It
is a
bottleneck for a platform porting. Perhaps, FreeIPA should allow to select
administrator which one to use and should support it (like install and
work).
Thank you.
24.01.2018 18:57, Simo Sorce via FreeIPA-devel пишет:
> On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel
> wrote:
>> Hello FreeIPA-devel list fellow beings!
>>
>> I would like to continue the discussion started in [1], and find its
>> solution.
>>
>> While using the Single-Sign-on authentication provided via an MIT Kerberos
>> KDC there must not be any significant clock skew between server and
>> clients so a time synchronization service is required.
>>
>> Red Hat Enterprise Linux is about to deprecate ntpd service and will
>> support chronyd instead. This will happen in release 8 and by this time we
>> should agree on some changes in IPA - whether to remove or replace the
>> already
>> used ntpd service. I would like to sum up this change in a design page but
>> there should be an agreement first.
>>
>> IPA, as is, checks the system configuration and if there is an NTP service
>> configured and running then it forces ntpd, meaning it disables any other
>> NTP service. It also alters its configuration, and restarts the NTP service
>> instance.
>>
>> We may now want to consider, as the time sync service change is required,
>> to NOT configure a service that is not a part of the identity management
>> such as NTP, and leave it to system/IPA administrators.
> Let me explain why we do this:
> As you noted above kerberos will fail to work properly if clocks drift
> too much, so we wanted to provide a simple way to keep the whole domain
> in sync. We also had plans to keep the domain in sync *securely* as an
> attacker could create Denial pf Service attacks by subtly drifting
> different machines clocks.
>
> ntpd was the only one that offered hooks to sign NTP packets (which
> were used by Samba only at the time and required compile time changes
> when we started) using kerberos keys, so the original plan was to
> eventually get there. Unfortunately we never prioritized this work.
>
> So given the above we initially decided to make IPA servers also ntp
> servers and configure client to use IPA server as time sources.
>
> This is just to give an overview of the reasons behind choosing ntpd
> specifically and why it was overriding ntp config on servers/clients
>
>> IPA install script may only check wheter there is an NTP service running
>> and if not, it would ask the administrator to configure it before the IPA
>> installation.
> I do not think we need this strictly for the first server, these days
> time keeping is more important in general and servers tend to be
> already kept in sync, either via virt devices, or ntp.
> however what we may want to do is, instead, to check the time
> synchronization on clients (and therefore future ipa replicas, as ipa
> client install is always done fist now), by dissecting a kerberos reply
> from the server that carries the server time (I think this information
> is actually stored in the ccache after a successful kinit, so we could
> just inspect the ccache as well).
>
> If we detect a drift bigger than X (where X < 5 min), we could fail the
> install and ask the admin to check the client and server time are
> synchronized.
>
>> Upgrade of IPA might be more complicated because there will be the ntpd
>> service entry in LDAP, and the service will be up and running. I would
>> suggest that we do not remove any working ntpd service already configured
>> but only disown it from IPA's LDAP tree.
> Why would we need to disown it ?
> I think it is ok to proposed that in new installs (even in an existing
> domain) new servers will stop configuring ntp by default, but I see no
> reason to touch existing servers.
>
> however I think we should *retain* the option to install and configure
> ntpd, it is very convenient for tests and custom installs/pocs, where
> you want to minimize the amount of prepping to do, and want something
> that "just works".
>
> If ntpd is dropped from a distribution I would assume we'll use the
> platform portability code to replace ntpd with whatever other
> NTP/timesync server/client is appropriate for the platform when the
> option to install NTP is requested.
>
> HTH,
> Simo.
>
>> I will be glad for any input from you people and hopefully there will be an
>> acceptable solution for this soon :)
>>
>> Thanks!
>>
>> [1]
>> https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
>>
>> ___
>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
___
FreeIPA-devel mailing list --