Hello All.
There are several good NTP servers/clients. And different Linux
distributions
use them (not only ntpd or chronyd). But FreeIPA chose ntpd strictly. It
is a
bottleneck for a platform porting. Perhaps, FreeIPA should allow to select
administrator which one to use and should support it (like install and
work).
Thank you.
24.01.2018 18:57, Simo Sorce via FreeIPA-devel пишет:
On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel
wrote:
> Hello FreeIPA-devel list fellow beings!
>
> I would like to continue the discussion started in [1], and find its
> solution.
>
> While using the Single-Sign-on authentication provided via an MIT Kerberos
> KDC there must not be any significant clock skew between server and
> clients so a time synchronization service is required.
>
> Red Hat Enterprise Linux is about to deprecate ntpd service and will
> support chronyd instead. This will happen in release 8 and by this time we
> should agree on some changes in IPA - whether to remove or replace the already
> used ntpd service. I would like to sum up this change in a design page but
> there should be an agreement first.
>
> IPA, as is, checks the system configuration and if there is an NTP service
> configured and running then it forces ntpd, meaning it disables any other
> NTP service. It also alters its configuration, and restarts the NTP service
> instance.
>
> We may now want to consider, as the time sync service change is required,
> to NOT configure a service that is not a part of the identity management
> such as NTP, and leave it to system/IPA administrators.
Let me explain why we do this:
As you noted above kerberos will fail to work properly if clocks drift
too much, so we wanted to provide a simple way to keep the whole domain
in sync. We also had plans to keep the domain in sync *securely* as an
attacker could create Denial pf Service attacks by subtly drifting
different machines clocks.
ntpd was the only one that offered hooks to sign NTP packets (which
were used by Samba only at the time and required compile time changes
when we started) using kerberos keys, so the original plan was to
eventually get there. Unfortunately we never prioritized this work.
So given the above we initially decided to make IPA servers also ntp
servers and configure client to use IPA server as time sources.
This is just to give an overview of the reasons behind choosing ntpd
specifically and why it was overriding ntp config on servers/clients
> IPA install script may only check wheter there is an NTP service running
> and if not, it would ask the administrator to configure it before the IPA
> installation.
I do not think we need this strictly for the first server, these days
time keeping is more important in general and servers tend to be
already kept in sync, either via virt devices, or ntp.
however what we may want to do is, instead, to check the time
synchronization on clients (and therefore future ipa replicas, as ipa
client install is always done fist now), by dissecting a kerberos reply
from the server that carries the server time (I think this information
is actually stored in the ccache after a successful kinit, so we could
just inspect the ccache as well).
If we detect a drift bigger than X (where X < 5 min), we could fail the
install and ask the admin to check the client and server time are
synchronized.
> Upgrade of IPA might be more complicated because there will be the ntpd
> service entry in LDAP, and the service will be up and running. I would
> suggest that we do not remove any working ntpd service already configured
> but only disown it from IPA's LDAP tree.
Why would we need to disown it ?
I think it is ok to proposed that in new installs (even in an existing
domain) new servers will stop configuring ntp by default, but I see no
reason to touch existing servers.
however I think we should *retain* the option to install and configure
ntpd, it is very convenient for tests and custom installs/pocs, where
you want to minimize the amount of prepping to do, and want something
that "just works".
If ntpd is dropped from a distribution I would assume we'll use the
platform portability code to replace ntpd with whatever other
NTP/timesync server/client is appropriate for the platform when the
option to install NTP is requested.
HTH,
Simo.
> I will be glad for any input from you people and hopefully there will be an
> acceptable solution for this soon :)
>
> Thanks!
>
> [1]
>
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
>
> _______________________________________________
> FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org