Rob
 
Thanks for looking again.
 
Being a developer myself, my first move was to make an ldif of the entry before touching it!
 
I will try changing enabledService to disabledService and see what happens...
 
Cheers
 
Chris
 
----- Original message -----
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
To: Christopher Lamb <christopher.lamb@ch.ibm.com>, freeipa-users@lists.fedorahosted.org
Cc: Rob Crittenden <rcritten@redhat.com>
Subject: [EXTERNAL] [Freeipa-users] Re: How to disable NTP on an ipa-server
Date: Fri, Oct 9, 2020 5:39 PM
 
Christopher Lamb wrote:
> Hi Rob
>  
> I have fired up Apache Directory Studio, and have navigated the LDAP
> tree to the cn=NTP entry.
>  
> Should I be deleting the entire cn=NTP entry, with all attributes; or
> just the ipaConfigString "startOrder 45"?

You can set ipaConfigString to something like disabledService if you
want to keep it around. I looked again and ipactl looks for
enabledService and hiddenService so something not matching should get
skipped by ipactl.

But when looking at the server roles NTP may show up which might be
confusing.

If you are really worried you can do an ldapsearch and save the content
into a file to make it easy to add back.

rob

>  
> thanks
>  
> Chris
>
>     ----- Original message -----
>     From: Rob Crittenden via FreeIPA-users
>     <freeipa-users@lists.fedorahosted.org>
>     To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>     Cc: Christopher Lamb <christopher.lamb@ch.ibm.com>, Rob Crittenden
>     <rcritten@redhat.com>
>     Subject: [EXTERNAL] [Freeipa-users] Re: How to disable NTP on an
>     ipa-server
>     Date: Thu, Oct 8, 2020 9:05 PM
>      
>     Christopher Lamb via FreeIPA-users wrote:
>     > Hi All
>     >  
>     > Last night we successfully upgraded our ipa server to OEL 7.9, and
>     > ipa-server-4.6.8-5.el7.
>     >  
>     > However the ipa.service will not start, because it fails at the
>     NTP Service.
>     >  
>     > All other ipa components start if we use the --ignore-service-failures
>     > option.
>     >  
>     > # ipactl start --ignore-service-failures
>     > Existing service file detected!
>     > Assuming stale, cleaning and proceeding
>     > Starting Directory Service
>     > Starting krb5kdc Service
>     > Starting kadmin Service
>     > Starting httpd Service
>     > Starting ntpd Service
>     > Failed to start ntpd Service
>     > Forced start, ignoring ntpd Service, continuing normal operation
>     > Starting pki-tomcatd Service
>     > Starting ipa-otpd Service
>     >  
>     > I am ok with ntpd not starting, we have long since moved to
>     chrony, and
>     > have ntpd disabled and masked.
>     >  
>     > The question is, how do I configure our ipa-server to not use ntpd?
>     >  
>     > I am aware that there are options for ntpd on installation, but am
>     > unsure how to do this for an existing server.
>     >  
>     > https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support  
>
>     Masking the service won't help because it is managed by ipactl. It
>     determines the list of services by looking in
>     cn=masters,cn=ipa,cn=etc,$SUFFIX
>
>     A entry looks like:
>
>     dn:
>     cn=NTP,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=tes
>      t
>     objectClass: nsContainer
>     objectClass: ipaConfigObject
>     objectClass: top
>     cn: NTP
>     ipaConfigString: startOrder 45
>     ipaConfigString: enabledService
>
>     ipactl only looks at the startOrder of ipaConfigString. You'll need to
>     delete this entry entirely.
>
>     rob
>     _______________________________________________
>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     To unsubscribe send an email to
>     freeipa-users-leave@lists.fedorahosted.org
>     Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/  
>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  
>     List Archives:
>     https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org  
>      
>
>  
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines 
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org