Re: [Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

2011-10-06 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Wed, 05 Oct 2011, Rob Crittenden wrote:

I ended up not using raiseonerr=False as all I needed is a way to
break out of the loop on success so that will come sequentially if
there is no exception.

Patch attached.


This works but there is a noticeable pause on my system when ntpdate
is being run. I think it would be handy to output a message saying
that the date is being updated.

I'll add the message.


Is it necessary to sync the date when a one-time password is being
used? It doesn't hurt but it does pause a second or three.

If I understand correctly, our use of the OTP term for hosts is different
from what the current IETF draft on OTP preauth with Kerberos assumes.

At least, according to the IETF draft on OTP preauth with Kerberos,
http://tools.ietf.org/html/draft-ietf-krb-wg-otp-preauth-19#section-2.4
the client has to submit the next key if clocks have drifted, which implies you
cannot re-use the same OTP next time. To me this looks like in the OTP
case clock synchronization is very important. In our OTP case it does
not matter, except for an artificial delay...

I've added the message.


I modified the commit message a bit to prevent wrapping.

Pushed to master and ipa-2-1

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 0019 Sync time with NTP before joining the domain

2011-10-05 Thread Alexander Bokovoy
Hi,

https://fedorahosted.org/freeipa/ticket/1773

-- 
/ Alexander Bokovoy
From 8b022ee7b1290cabd4e1a54971dc66420d73c1cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 5 Oct 2011 15:02:58 +0300
Subject: [PATCH] Before kinit, try to sync time with the NTP servers of the
 domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the
master, kinit fails and enrollment is aborted. Manual checking of current time
at the master and adjusting on the client-to-be is then needed.

The patch tries to fetch SRV records for NTP servers of the domain we aim to join
and runs ntpdate to get time synchronized. If no SRV records are found, sync
with the IPA server itself. If that fails, warn that time might not be in sync
with the KDC.

https://fedorahosted.org/freeipa/ticket/1773
---
 ipa-client/ipa-install/ipa-client-install |   14 ++
 ipa-client/ipaclient/ipadiscovery.py  |   21 +
 ipa-client/ipaclient/ntpconf.py   |   22 ++
 3 files changed, 57 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
70ef811cec5a9107cb110d7ffa2a191fb36ea997..3810caea3eee403d0f225d52e0e5c5b2b8489a78
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -920,6 +920,20 @@ def install(options, env, fstore, statestore):
 nolog = tuple()
 # First test out the kerberos configuration
 try:
+# Attempt to sync time with IPA server.
+# We assume that NTP servers are discoverable through SRV records 
in the DNS
+# If that fails, we try to sync directly with IPA server, assuming 
it runs NTP
+ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+synced_ntp = False
+if len(ntp_servers)  0:
+for s in ntp_servers:
+   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+   if synced_ntp:
+   break
+if not synced_ntp:
+synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+if not synced_ntp:
+print Unable to sync time with IPA NTP server, assuming the 
time is in sync.
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
 if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, 
cli_server, cli_kdc, dnsok, options, krb_name):
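Review bot: when both the SRV-discovered servers and `cli_server` fail, the install goes straight on to kinit after only `print Unable to sync time with IPA NTP server, assuming the time is in sync.`; since clock skew is exactly the failure this sync is meant to prevent, the message should name the servers that were tried and say that kinit may fail with a clock-skew error, so an operator can tell an NTP problem from a credential problem. The inner loop body (`synced_ntp = ipaclient.ntpconf.synconce_ntp(s)`, `if synced_ntp:`, `break`) also appears indented differently from the `for s in ntp_servers:` line above it; check that no tabs or a three-space indent crept in.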
diff --git a/ipa-client/ipaclient/ipadiscovery.py 
b/ipa-client/ipaclient/ipadiscovery.py
index 
3e31cad37dc1883c01e0729e390c5e5c16e022bd..cd5f81bd5147929deca43e502c4f9b2bdb98f99c
 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 
 return servers
 
+def ipadnssearchntp(self, tdomain):
+servers = 
+rserver = 
+
+qname = _ntp._udp.+tdomain
+# terminate the name
+if not qname.endswith(.):
+qname += .
+results = ipapython.dnsclient.query(qname, 
ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+for result in results:
+if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+rserver = result.rdata.server.rstrip(.)
+if servers:
+servers += , + rserver
+else:
+servers = rserver
+break
+
+return servers
+
 def ipadnssearchkrb(self, tdomain):
 realm = None
 kdc = None
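Review bot: `ipadnssearchntp` builds a comma-separated list in `servers`, but the unconditional `break` after the first SRV answer means the list never holds more than one target, so the `servers += , + rserver` branch is dead and the caller's `for s in ntp_servers:` loop never gets a second server to fall back to. Either drop the `break` and collect every SRV target (ideally ordered by SRV priority and weight so the preferred server is tried first), or return a single string and simplify the caller; the current mix of the two is misleading.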
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 
8e151089c81fe761dc57fc6e8fb7ff5ba30b98fa..e2d349b166d9fc47bfd48f4c8054e211904778e7
 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = 
None):
 
 # Restart ntpd
 ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+
+Syncs time with specified server using ntpdate.
+Primarily designed to be used before Kerberos setup
+to get time following the KDC time
+
+Returns True if sync was successful
+
+ntpdate=/usr/sbin/ntpdate
+result = False
+if os.path.exists(ntpdate):
+retries = 2
+for retry in range(0,3):
+try:
+(sout, serr, rcode) = ipautil.run([ntpdate, -U, ntp, -s, 
-b, server_fqdn],capture_output=True)
+if rcode == 0:
+result = True
+break
+except:
+pass
+return result
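Review bot: `retries = 2` is assigned and never read while the loop is hard-coded to `range(0,3)`; use the variable or drop it. The bare `except: pass` swallows every exception, KeyboardInterrupt included, and throws away `serr`, so a failed sync leaves no trace of why ntpdate failed; as the thread notes, `ipautil.run` raises on a non-zero exit unless `raiseonerr=False`, so that except clause is the path every failure takes. Catch the specific error and log `serr`. The docstring should also say that `-b` steps the system clock unconditionally from a server learned through an unauthenticated DNS SRV lookup, so the function is only appropriate for servers the installer already intends to trust.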
-- 
1.7.6.4

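The discover-then-fall-back sequence the commit message describes, as an added example that is neither FreeIPA's code nor this patch: SRV targets are ordered by priority and weight, each is tried a bounded number of times, and the IPA server itself is the fallback. The function names, the injectable `run` callable and `SAMPLE_RECORDS` are assumptions constructed for the example; the ntpdate flags are the ones the patch uses.

```python
import subprocess
from typing import Callable, List, Optional, Sequence, Tuple

# One SRV answer for _ntp._udp.<domain>: (priority, weight, port, target).
SrvRecord = Tuple[int, int, int, str]

# Constructed sample answers (not real hosts): two servers at priority 0,
# one duplicate, and a lower-preference backup at priority 10.
SAMPLE_RECORDS: List[SrvRecord] = [
    (10, 50, 123, "ntp2.example.test."),
    (0, 10, 123, "ntp1.example.test."),
    (0, 60, 123, "ntp0.example.test."),
    (0, 60, 123, "ntp0.example.test."),
]

def order_srv_targets(records: Sequence[SrvRecord]) -> List[str]:
    """Lowest priority first, then higher weight first (a deterministic
    simplification of RFC 2782's weighted-random pick); duplicates dropped."""
    ordered: List[str] = []
    for _prio, _weight, _port, target in sorted(
            records, key=lambda r: (r[0], -r[1], r[3])):
        host = target.rstrip(".")
        if host and host not in ordered:
            ordered.append(host)
    return ordered

def run_ntpdate(host: str, timeout: float = 15.0) -> int:
    """One-shot step with the flags the patch uses; non-zero on any failure."""
    cmd = ["/usr/sbin/ntpdate", "-U", "ntp", "-s", "-b", host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode
    except (OSError, subprocess.TimeoutExpired):  # binary missing, no answer
        return 1

def sync_once(targets: Sequence[str], run: Callable[[str], int] = run_ntpdate,
              attempts: int = 3) -> Optional[str]:
    """Try each target up to `attempts` times; return the host that synced."""
    for host in targets:
        for _ in range(attempts):
            if run(host) == 0:
                return host
    return None  # caller should warn that kinit may fail with clock skew

def sync_before_kinit(records: Sequence[SrvRecord], ipa_server: str,
                      run: Callable[[str], int] = run_ntpdate) -> Optional[str]:
    """SRV-discovered servers first, then the IPA server itself as fallback."""
    targets = order_srv_targets(records) or [ipa_server]
    return sync_once(targets, run=run)
```

Passing a fake runner such as `run=lambda h: 0 if h == "ntp1.example.test" else 1` exercises the ordering and retry logic offline, without stepping the clock.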