Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Mark Heslin

On 08/15/2014 03:51 PM, Simo Sorce wrote:
> On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:
> > On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
> > > On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
> > > > I installed my ipa server with --no-ntp but find that I want to enable
> > > > it on my server, and all my replicas.  Is it possible to do post install?
> > >
> > > Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
> > > isn’t integrated with FreeIPA as much as it’s a good idea to run it
> > > along side FreeIPA/; Kerberos and other crypto operations depend on good
> > > time-sync. All you need to do to [...]
> >
> > Thanks for the instructions, Lucas.
> >
> > Adding it may be easy, but users don't necessarily know that, so it
> > would make sense to provide an ipa-ntp-install command to take care of
> > all the details.
> > I filed a RFE for ipa-ntp-install:
> > https://fedorahosted.org/freeipa/ticket/4497
>
> IIRC Ntpd also supports an interface (may require patching) to allow
> signing packets (I remember vaguely samba AD has an interface for this).
>
> Maybe we should open a ticket to make use of that too and really
> formally integrate and configure ntpd to sign outgoing packets.
>
> Simo.



I just wanted to add 2 points that may or may not apply to you:

1. The RHEL7 IdM guide recommends *not* running NTP on an IdM server
that is on a VM:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ntp

It's not entirely clear to me whether this still holds true today
or if it's an old documentation artifact.

2. For RHEL 7, the default time service is chronyd, not ntpd. From my
readings it appears that chronyd is primarily for "mobile" devices like
laptops. If you're running IdM on a RHEL 7 server then I'd suggest
masking the chronyd service (systemctl mask chronyd) and enabling
ntpd just as outlined in the OSE-IdM reference architecture:

https://access.redhat.com/articles/1155603

See sections 2.2.5 Time Services (ntpd, chronyd) and 4.5
Configure Time Service (NTP).

-m


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Simo Sorce
On Fri, 2014-08-15 at 20:46 +0200, Petr Viktorin wrote:
> On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
> > On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
> >
> >> I installed my ipa server with --no-ntp but find that I want to enable
> >> it on my server, and all my replicas.  Is it possible to do post install?
> 
> > Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
> > isn’t integrated with FreeIPA as much as it’s a good idea to run it
> > along side FreeIPA/; Kerberos and other crypto operations depend on good
> > time-sync. All you need to do to [...]
> 
> Thanks for the instructions, Lucas.
> 
> 
> Adding it may be easy, but users don't necessarily know that, so it 
> would make sense to provide an ipa-ntp-install command to take care of 
> all the details.
> I filed a RFE for ipa-ntp-install: 
> https://fedorahosted.org/freeipa/ticket/4497

IIRC Ntpd also supports an interface (may require patching) to allow
signing packets (I remember vaguely samba AD has an interface for this).

Maybe we should open a ticket to make use of that too and really
formally integrate and configure ntpd to sign outgoing packets.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Petr Viktorin

On 08/15/2014 08:11 PM, Lucas Yamanishi wrote:
> On 08/15/2014 10:33 AM, Redmond, Stacy wrote:
> > I installed my ipa server with --no-ntp but find that I want to enable
> > it on my server, and all my replicas.  Is it possible to do post install?
>
> Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
> isn’t integrated with FreeIPA as much as it’s a good idea to run it
> along side FreeIPA/; Kerberos and other crypto operations depend on good
> time-sync. All you need to do to [...]

Thanks for the instructions, Lucas.

Adding it may be easy, but users don't necessarily know that, so it
would make sense to provide an ipa-ntp-install command to take care of
all the details.
I filed a RFE for ipa-ntp-install:
https://fedorahosted.org/freeipa/ticket/4497




--
Petr³



Re: [Freeipa-users] Enabling ntp if not done during ipa-server-install

2014-08-15 Thread Lucas Yamanishi
On 08/15/2014 10:33 AM, Redmond, Stacy wrote:

> I installed my ipa server with --no-ntp but find that I want to enable
> it on my server, and all my replicas.  Is it possible to do post install?
>
Yes, you can do that. There’s no |ipa-ntp-install| command, because /NTP
isn’t integrated with FreeIPA as much as it’s a good idea to run it
along side FreeIPA/; Kerberos and other crypto operations depend on good
time-sync. All you need to do to replicate the default
|ipa-server-install| behavior (without --no-ntp) is enable inbound
connections to /ntpd/, add the other servers to its server list, and for
extra credit add an /SRV/ resource record for each server. (Does
anything actually use the SRV records?)

/ntpd(8)/ should be installed, but make sure— it’s usually just called
/ntp/. You’ll then need to open UDP port 123 and configure the daemon
appropriately. Here’s an example |/etc/ntp.conf| file (it assumes there
are two other servers in the cluster, ipa2 and ipa3; edit as you see fit):

|# ntp.conf
#
# Keep ntpd from panicking in the event of a large clock skew
# when a VM guest is suspended and resumed.
# (disable this if running on a physical machine with a battery-backed RTC)
tinker panic 0

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# Servers
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

server ipa2.example.com
server ipa3.example.com

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
# (disable this if running on a virtual machine)
server  127.127.1.0 # local clock
fudge   127.127.1.0 stratum 10

# Driftfile.
driftfile /var/lib/ntp/drift
|

Run this command to add an SRV RR for /ipa1.example.com/ (don’t forget
the trailing dot):

|ipa dnsrecord-add example.com _ntp._udp --srv-priority=0 --srv-weight=100 \
    --srv-port=123 --srv-target=ipa1.example.com.|

--
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB

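Added example, not Lucas's or the project's code: a small POSIX sh script that carries out the steps from this thread on one server (Lucas's ntp.conf with the restrict lines and the SRV record, plus Mark's RHEL 7 suggestion of masking chronyd). The zone and hostnames, the ON_VM switch, integrated IPA DNS reachable with an admin ticket, and the --apply/--dry-run flags are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: replays the post-install NTP
# steps above on one IPA server. Hostnames, zone, the ON_VM switch and the
# --apply/--dry-run flags are assumptions; without a flag nothing runs.
ZONE="${ZONE:-example.com}"
THIS_HOST="${THIS_HOST:-ipa1.example.com}"
REPLICAS="${REPLICAS:-ipa2.example.com ipa3.example.com}"
ON_VM="${ON_VM:-yes}"   # VM guests: keep 'tinker panic 0', drop the local clock

# Render ntp.conf: pool upstreams plus the other IPA servers, with the
# restrict lines from the thread (clients may sync, not query or modify).
render_ntp_conf() {
    printf '# ntp.conf (generated)\n'
    if [ "$ON_VM" = "yes" ]; then printf 'tinker panic 0\n'; fi
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    printf 'restrict -6 default kod nomodify notrap nopeer noquery\n'
    printf 'restrict 127.0.0.1\nrestrict -6 ::1\n'
    for i in 0 1 2 3; do printf 'server %s.pool.ntp.org\n' "$i"; done
    for r in $REPLICAS; do printf 'server %s\n' "$r"; done
    # The undisciplined local clock is only a sane fallback on bare metal.
    if [ "$ON_VM" != "yes" ]; then
        printf 'server 127.127.1.0\nfudge 127.127.1.0 stratum 10\n'
    fi
    printf 'driftfile /var/lib/ntp/drift\n'
}

# The SRV record command for one server; the target needs the trailing dot.
srv_record_cmd() {
    printf 'ipa dnsrecord-add %s _ntp._udp --srv-priority=0 --srv-weight=100 --srv-port=123 --srv-target=%s.\n' "$ZONE" "$1"
}

# Apply the steps in order: package, firewall, config, service, SRV records.
# On RHEL 7 chronyd is stopped and masked first so the two daemons cannot fight.
apply() {
    yum -y install ntp
    firewall-cmd --permanent --add-port=123/udp
    firewall-cmd --reload
    render_ntp_conf > /etc/ntp.conf
    systemctl stop chronyd 2>/dev/null || true
    systemctl mask chronyd
    systemctl enable ntpd
    systemctl restart ntpd
    for h in $THIS_HOST $REPLICAS; do eval "$(srv_record_cmd "$h")"; done
    ntpq -p   # peers should list the pool hosts and the replicas
}
case "${1:-}" in
    --apply)   apply ;;
    --dry-run) render_ntp_conf; for h in $THIS_HOST $REPLICAS; do srv_record_cmd "$h"; done ;;
esac
```

Run it with --dry-run on a replica to see the rendered config and SRV commands before applying; the SRV records only need to be added once per zone.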