Hi,
https://fedorahosted.org/freeipa/ticket/1773
--
/ Alexander Bokovoy
From 8b022ee7b1290cabd4e1a54971dc66420d73c1cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 5 Oct 2011 15:02:58 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
domain we are joining
When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.
The patch tries to fetch SRV records for NTP servers of the domain we aim to
join
and runs ntpdate to get time synchronized. If no SRV records are found, sync
with IPA server itself.
If that fails, warn that time might be not in sync with KDC.
https://fedorahosted.org/freeipa/ticket/1773
---
ipa-client/ipa-install/ipa-client-install | 14 ++
ipa-client/ipaclient/ipadiscovery.py | 21 +
ipa-client/ipaclient/ntpconf.py | 22 ++
3 files changed, 57 insertions(+), 0 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install
b/ipa-client/ipa-install/ipa-client-install
index
70ef811cec5a9107cb110d7ffa2a191fb36ea997..3810caea3eee403d0f225d52e0e5c5b2b8489a78
100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -920,6 +920,20 @@ def install(options, env, fstore, statestore):
nolog = tuple()
# First test out the kerberos configuration
try:
+# Attempt to sync time with IPA server.
+# We assume that NTP servers are discoverable through SRV records
in the DNS
+# If that fails, we try to sync directly with IPA server, assuming
it runs NTP
+ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+synced_ntp = False
+if len(ntp_servers) 0:
+for s in ntp_servers:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+ if synced_ntp:
+ break
+if not synced_ntp:
+synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+if not synced_ntp:
+print Unable to sync time with IPA NTP server, assuming the
time is in sync.
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain,
cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py
b/ipa-client/ipaclient/ipadiscovery.py
index
3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c
100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
return servers
+def ipadnssearchntp(self, tdomain):
+servers =
+rserver =
+
+qname = _ntp._udp.+tdomain
+# terminate the name
+if not qname.endswith(.):
+qname += .
+results = ipapython.dnsclient.query(qname,
ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+for result in results:
+if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+rserver = result.rdata.server.rstrip(.)
+if servers:
+servers += , + rserver
+else:
+servers = rserver
+break
+
+return servers
+
def ipadnssearchkrb(self, tdomain):
realm = None
kdc = None
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index
8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e2d349b166d9fc47bfd48f4c8054e211904778e7
100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore =
None):
# Restart ntpd
ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+
+Syncs time with specified server using ntpdate.
+Primarily designed to be used before Kerberos setup
+to get time following the KDC time
+
+Returns True if sync was successful
+
+ntpdate=/usr/sbin/ntpdate
+result = False
+if os.path.exists(ntpdate):
+retries = 2
+for retry in range(0,3):
+try:
+(sout, serr, rcode) = ipautil.run([ntpdate, -U, ntp, -s,
-b, server_fqdn],capture_output=True)
+if rcode == 0:
+result = True
+break
+except:
+pass
+return result
--
1.7.6.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel