network time default, f23

Miroslav Lichvar mlichvar at
Tue Sep 1 09:31:43 UTC 2015

On Mon, Aug 31, 2015 at 03:28:31PM -0400, Simo Sorce wrote:
> Servers still need to be synchronized with the KDC though, which is why
> FreeIPA will keep serving ntpd by default, as it is an infrastructure
> component built principally for "servers".
> Keep in mind we do not configure NTPD to advertise itself as stratum 0
> or anything, we keep ntpd still pulling the clock from upstream servers.
> In this regard FreeIPA's ntpd also acts like a proxy so that less
> traffic is sent to upstream ntp servers.

It seems the ipa-server-install script configures ntpd with the LOCAL
driver, so it can serve time even when it's not synchronized. That
can be done with chronyd too (using the local stratum directive).

> > Right now, that means we use the traditional ntpd daemon, because
> > that's what upstream FreeIPA is using. This *does* mean that without
> > upstream work, even if we ship with timesyncd or chronyd for default
> > behavior (pointing at, when a domain is
> > joined it will swap that out for ntpd anyway. If we have strong
> > reasons for why our chosen default is a better solution, we need to
> > work with FreeIPA upstream to make that at least an option.
> Indeed, patches (or at least tickets with convincing explanations) are
> very welcome.

I found a ticket for the client part. Should I file one for the server?

BTW, there was recently a request to add an option to use servers from
DNS SRV records (#1234406) and that is implemented in the latest
chrony packages.

If it doesn't work for you or other things are needed before FreeIPA
can fully support chronyd as an NTP server and client, please let me

Miroslav Lichvar
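
An added example, not part of the original message and not FreeIPA's or chrony's own code: a small Python check that reports whether an ntpd or chronyd configuration enables the local-clock fallback discussed above (ntpd's LOCAL driver, chronyd's `local stratum` directive), so that a server which keeps serving time while unsynchronized can be spotted during a review. The sample configurations and host names are constructed, and `local_fallback` is a hypothetical helper name.

```python
import re

# ntpd reference clocks use addresses 127.127.t.u; type t=1 is the LOCAL driver.
LOCAL_RE = re.compile(r"^127\.127\.1\.\d+$")

def _stratum(tokens):
    """Return the integer following a 'stratum' keyword, or None if absent."""
    if "stratum" in tokens[:-1]:
        nxt = tokens[tokens.index("stratum") + 1]
        return int(nxt) if nxt.isdigit() else None
    return None

def local_fallback(conf_text, daemon):
    """Return (enabled, stratum) for the local-clock fallback.

    daemon is "ntpd" or "chronyd"; stratum is None when the config does
    not set it and the daemon's built-in default applies.
    """
    enabled, stratum = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        # chrony.conf also treats lines starting with !, ; or % as comments
        if daemon == "chronyd" and line[:1] in ("!", ";", "%"):
            continue
        tok = line.split("#", 1)[0].lower().split()
        if not tok:
            continue
        if daemon == "ntpd" and len(tok) > 1 and LOCAL_RE.match(tok[1]):
            if tok[0] == "server":          # server 127.127.1.0
                enabled = True
            elif tok[0] == "fudge":         # fudge 127.127.1.0 stratum N
                found = _stratum(tok[2:])
                stratum = found if found is not None else stratum
        elif daemon == "chronyd" and tok[0] == "local":
            enabled = True                  # local [stratum N]
            stratum = _stratum(tok[1:])
    return (enabled, stratum if enabled else None)

# Constructed sample configurations (host names are placeholders).
NTP_SAMPLE = """\
server ntp1.example.test iburst   # upstream source
server 127.127.1.0                # LOCAL driver
fudge 127.127.1.0 stratum 10
"""
CHRONY_SAMPLE = """\
server ntp1.example.test iburst
local stratum 10
"""

if __name__ == "__main__":
    print("ntpd   :", local_fallback(NTP_SAMPLE, "ntpd"))
    print("chronyd:", local_fallback(CHRONY_SAMPLE, "chronyd"))
```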
