Chuck Lever wrote:
Hi-
First-time FreeIPA user here.
I've installed FreeIPA on Fedora 18 and have some Fedora 16 IPA clients.
ipa-server-install on Fedora 18 and ipa-client-install on Fedora 16 both
add the following stanza to /etc/ntp.conf:
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
This sets up an additional time source based on the local system's hardware
clock.
According to http://www.ntp.org/ntpfaq/NTP-s-refclk.htm
The LCL is no reference clock in reality; instead it simply refers to the
system time on the current machine. Therefore it should never be used, except
when the system time is synchronized by some means not visible by xntpd.
synchronized by some means not visible by xntpd means a GPS card or an atomic
clock, hardware which most systems do not have available. In my experience, including a
local time source on typical PC hardware is a recipe for inaccurate timekeeping. It can
be especially problematic in a virtual environment.
Including a local source might make sense for IPA servers, but only if the
source is externally synchronized. At first I thought maybe the ntp
configurator script had found some evidence of external synchronization on my
server hardware, but then the same stanza appeared on my IPA clients, both of
which are VMware Fusion guests.
It was meant as a fallback. It may not make sense to have that anymore,
on either the client or the server. It is probably worth revisiting,
this was added in 2007-ish when the world was very different.
As soon as the local clock source was added on my IPA server, its ntp clock
offset was skewed by a second and a half from the network servers it was
tracking, and it became worse until I removed the local source.
It seems to me that adding a local source automatically is a bad idea. Anyone
know why the IPA installers add this source?
Some VMs don't play very nice with ntp. Things seem to be better lately.
Our documentation still recommends against configuring ntpd on VMs
(though this can introduce other issues b/c we still attempt to sync the
time against a non-existent time server during client enrollment).
(I also note that ipa-client-install does not disable chronyd, but I've only
tried the client install script on Fedora 16).
It will in the next release.
rob
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users