[Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Redmond, Stacy
I installed my ipa server with --no-ntp but find that I want to enable it
on my server, and all my replicas.  Is it possible to do post install?

Stacy Redmond | Unix/Linux System Administrator
Build Engineering | Blue Shield of California
4203 Town Center Boulevard | El Dorado Hills, CA 95762
Desk: 916.350.7912 | FAX: 916.350.8943
Email: Stacy redm...@blueshieldca.com


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Petr Viktorin

On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
> On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
>>
>> I installed my ipa server with --no-ntp but find that I want to enable
>> it on my server, and all my replicas.  Is it possible to do post install?
>
> Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
> isn’t integrated with FreeIPA as much as it’s a good idea to run it
> alongside FreeIPA/; Kerberos and other crypto operations depend on good
> time-sync. All you need to do to [...]


Thanks for the instructions, Lucas.


Adding it may be easy, but users don't necessarily know that, so it
would make sense to provide an ipa-ntp-install command to take care of
all the details.
I filed an RFE for ipa-ntp-install:
https://fedorahosted.org/freeipa/ticket/4497




--
Petr³



Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Mark Heslin

On 08/15/2014 03:51 PM, Simo Sorce wrote:
> On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:
>> On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
>>> On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
>>>>
>>>> I installed my ipa server with --no-ntp but find that I want to enable
>>>> it on my server, and all my replicas.  Is it possible to do post install?
>>>
>>> Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
>>> isn’t integrated with FreeIPA as much as it’s a good idea to run it
>>> alongside FreeIPA/; Kerberos and other crypto operations depend on good
>>> time-sync. All you need to do to [...]
>>
>> Thanks for the instructions, Lucas.
>>
>> Adding it may be easy, but users don't necessarily know that, so it
>> would make sense to provide an ipa-ntp-install command to take care of
>> all the details.
>> I filed an RFE for ipa-ntp-install:
>> https://fedorahosted.org/freeipa/ticket/4497
>
> IIRC ntpd also supports an interface (may require patching) to allow
> signing packets (I remember vaguely samba AD has an interface for this).
>
> Maybe we should open a ticket to make use of that too and really
> formally integrate and configure ntpd to sign outgoing packets.
>
> Simo.



I just wanted to add 2 points that may or may not apply to you:

1. The RHEL7 IdM guide recommends *not* running NTP on an IdM server that is on a VM:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ntp

It's not entirely clear to me whether this still holds true today or if it's an old documentation artifact.

2. For RHEL 7, the default time service is chronyd, not ntpd. From my readings it appears that chronyd is primarily for mobile devices like laptops. If you're running IdM on a RHEL 7 server then I'd suggest masking the chronyd service (systemctl mask chronyd) and enabling ntpd just as outlined in the OSE-IdM reference architecture:

https://access.redhat.com/articles/1155603

See sections 2.2.5 Time Services (ntpd, chronyd) and 4.5 Configure Time Service (NTP).


-m
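An added example, not from the thread or from the FreeIPA project, that wraps the chronyd-to-ntpd switch Mark describes into a script and adds the check a practitioner wants afterwards: that ntpd on the server and on each replica has actually selected a system peer and that peer offsets are within Kerberos's default 300 second clock skew (the reason Lucas gives for running NTP at all). The package and unit names assume RHEL 7 as in the post; the `ntpq -pn` output embedded below is constructed, with documentation-range addresses, so the parsing functions run offline.

```shell
#!/bin/sh
# Added example (not the thread's or FreeIPA's own code).
# Part 1: replace chronyd with ntpd on RHEL 7 (needs root; not run here).
# Part 2: parse `ntpq -pn` so the sync state of a server or replica can
# be verified against Kerberos's clock-skew tolerance.

# Kerberos rejects tickets whose timestamps differ from local time by more
# than clockskew, 300 seconds by default; expressed in milliseconds because
# ntpq reports offsets in ms.
KRB_MAX_SKEW_MS=300000

switch_to_ntpd() {
    # Mask first so nothing (including a package update) can start chronyd
    # again, then stop the running instance and bring up ntpd.
    systemctl mask chronyd
    systemctl stop chronyd
    yum -y install ntp
    systemctl enable ntpd
    systemctl start ntpd
}

# Reads `ntpq -pn` output on stdin, prints the largest absolute peer offset
# in ms. The first two lines are headers; offset is column 9 of
#   remote refid st t when poll reach delay offset jitter
# and the tally character (*, +, -, space) stays glued to the remote field,
# so the column positions do not shift between lines.
max_abs_offset_ms() {
    awk 'NR > 2 && NF >= 10 {
             o = $9 + 0
             if (o < 0) o = -o
             if (o > max) max = o
         }
         END { printf "%.3f\n", max + 0 }'
}

# True when ntpd has chosen a system peer (a line starting with "*"),
# i.e. it is synchronised rather than still polling candidates.
is_synced() {
    grep -q '^\*'
}

# True when every peer offset in the `ntpq -pn` output on stdin is within
# the Kerberos skew limit.
within_krb_skew() {
    max_abs_offset_ms | awk -v lim="$KRB_MAX_SKEW_MS" '{ exit !($1 <= lim) }'
}

# Live check on a host (not exercised offline): run on the IPA server and
# on every replica after switch_to_ntpd.
check_host_clock() {
    out=$(ntpq -pn) || return 1
    printf '%s\n' "$out" | is_synced       || { echo "ntpd has no system peer" >&2; return 1; }
    printf '%s\n' "$out" | within_krb_skew || { echo "peer offset exceeds Kerberos clockskew" >&2; return 1; }
    echo "clock OK, max offset $(printf '%s\n' "$out" | max_abs_offset_ms) ms"
}

# Constructed sample of `ntpq -pn` output (addresses from 192.0.2.0/24, the
# documentation range), used so the script can be run without a live ntpd.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   37   64  377    0.512   -1.234   0.087
+192.0.2.11      192.0.2.10       2 u   41   64  377    0.611    2.345   0.120
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Stand-alone run: evaluate the constructed sample rather than a live host.
printf '%s\n' "$SAMPLE_NTPQ" | is_synced && printf '%s\n' "$SAMPLE_NTPQ" | within_krb_skew \
    && echo "sample: synced, max offset $(printf '%s\n' "$SAMPLE_NTPQ" | max_abs_offset_ms) ms"
```

In practice you want offsets far below the Kerberos limit; the 300 s threshold is the point past which authentication breaks outright, so treat anything in the hundreds of milliseconds as a sign the NTP sources or the VM's clock need attention. Masking chronyd rather than just disabling it is deliberate: the two daemons both try to discipline the system clock, and leaving chronyd startable lets a later package update re-enable it behind ntpd's back.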

