Hello FreeIPA-devel list fellow beings!

I would like to continue the discussion started in [1], and find its solution.

While using the Single-Sign-on authentication provided via an MIT Kerberos KDC, there must not be any significant clock skew between server and clients, so a time synchronization service is required. Red Hat Enterprise Linux is about to deprecate the ntpd service and will support chronyd instead. This will happen in release 8, and by this time we should agree on some changes in IPA - whether to remove or replace the already used ntpd service. I would like to sum up this change in a design page, but there should be an agreement first.

IPA, as is, checks the system configuration, and if there is an NTP service configured and running, then it forces ntpd, meaning it disables any other NTP service. It also alters its configuration and restarts the NTP service instance.

We may now want to consider, as the time sync service change is required, to NOT configure a service that is not a part of the identity management, such as NTP, and leave it to system/IPA administrators. The IPA install script may only check whether there is an NTP service running and, if not, it would ask the administrator to configure it before the IPA installation.

Upgrade of IPA might be more complicated because there will be the ntpd service entry in LDAP, and the service will be up and running. I would suggest that we do not remove any working ntpd service already configured but only disown it from IPA's LDAP tree.

I will be glad for any input from you people, and hopefully there will be an acceptable solution for this soon :)

Thanks!

[1] https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html

--
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C407
Red Hat