On Wed, 2018-01-24 at 16:25 +0100, Tibor Dudlák via FreeIPA-devel
wrote:
Hello FreeIPA-devel list fellow beings!
I would like to continue the discussion started in [1], and find its
solution.
While using the Single-Sign-on authentication provided via an MIT Kerberos
KDC there must not be any significant clock skew between server and
clients so a time synchronization service is required.
Red Hat Enterprise Linux is about to deprecate ntpd service and will
support chronyd instead. This will happen in release 8 and by this time we
should agree on some changes in IPA - whether to remove or replace the already
used ntpd service. I would like to sum up this change in a design page but
there should be an agreement first.
IPA, as is, checks the system configuration and if there is an NTP service
configured and running then it forces ntpd, meaning it disables any other
NTP service. It also alters its configuration, and restarts the NTP service
instance.
We may now want to consider, as the time sync service change is required,
to NOT configure a service that is not a part of the identity management
such as NTP, and leave it to system/IPA administrators.
Let me explain why we do this:
As you noted above kerberos will fail to work properly if clocks drift
too much, so we wanted to provide a simple way to keep the whole domain
in sync. We also had plans to keep the domain in sync *securely* as an
attacker could create Denial pf Service attacks by subtly drifting
different machines clocks.
ntpd was the only one that offered hooks to sign NTP packets (which
were used by Samba only at the time and required compile time changes
when we started) using kerberos keys, so the original plan was to
eventually get there. Unfortunately we never prioritized this work.
So given the above we initially decided to make IPA servers also ntp
servers and configure client to use IPA server as time sources.
This is just to give an overview of the reasons behind choosing ntpd
specifically and why it was overriding ntp config on servers/clients
IPA install script may only check wheter there is an NTP service
running
and if not, it would ask the administrator to configure it before the IPA
installation.
I do not think we need this strictly for the first server, these days
time keeping is more important in general and servers tend to be
already kept in sync, either via virt devices, or ntp.
however what we may want to do is, instead, to check the time
synchronization on clients (and therefore future ipa replicas, as ipa
client install is always done fist now), by dissecting a kerberos reply
from the server that carries the server time (I think this information
is actually stored in the ccache after a successful kinit, so we could
just inspect the ccache as well).
If we detect a drift bigger than X (where X < 5 min), we could fail the
install and ask the admin to check the client and server time are
synchronized.
Upgrade of IPA might be more complicated because there will be the
ntpd
service entry in LDAP, and the service will be up and running. I would
suggest that we do not remove any working ntpd service already configured
but only disown it from IPA's LDAP tree.
Why would we need to disown it ?
I think it is ok to proposed that in new installs (even in an existing
domain) new servers will stop configuring ntp by default, but I see no
reason to touch existing servers.
however I think we should *retain* the option to install and configure
ntpd, it is very convenient for tests and custom installs/pocs, where
you want to minimize the amount of prepping to do, and want something
that "just works".
If ntpd is dropped from a distribution I would assume we'll use the
platform portability code to replace ntpd with whatever other
NTP/timesync server/client is appropriate for the platform when the
option to install NTP is requested.
HTH,
Simo.
I will be glad for any input from you people and hopefully there will
be an
acceptable solution for this soon :)
Thanks!
[1]
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00807.html
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc