summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2011-10-05 17:25:09 +0300
committerRob Crittenden <rcritten@redhat.com>2011-10-06 05:16:41 -0400
commitacb2c3106ad763a07eca6e0f6f6737c04f967bfe (patch)
treea011027b7bcb1b785869f34d5add1f36489f18ae
parentf28ab8351f8972b5b5354dd98ba6508eab06dc31 (diff)
downloadfreeipa-acb2c3106ad763a07eca6e0f6f6737c04f967bfe.tar.gz
freeipa-acb2c3106ad763a07eca6e0f6f6737c04f967bfe.tar.xz
freeipa-acb2c3106ad763a07eca6e0f6f6737c04f967bfe.zip
Before kinit, try to sync time with the NTP servers of the domain we are joining
When running ipa-client-install on a system whose clock is not in sync with the master, kinit fails and enrollment is aborted. Manual checking of current time at the master and adjusting on the client-to-be is then needed. The patch tries to fetch SRV records for NTP servers of the domain we aim to join and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself. If that fails, warn that time might be not in sync with KDC. https://fedorahosted.org/freeipa/ticket/1773
-rwxr-xr-xipa-client/ipa-install/ipa-client-install15
-rw-r--r--ipa-client/ipaclient/ipadiscovery.py21
-rw-r--r--ipa-client/ipaclient/ntpconf.py22
3 files changed, 58 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 27104fc19..431878036 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -921,6 +921,21 @@ def install(options, env, fstore, statestore):
nolog = tuple()
# First test out the kerberos configuration
try:
+ # Attempt to sync time with IPA server.
+ # We assume that NTP servers are discoverable through SRV records in the DNS
+ # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+ print 'Synchronizing time with KDC...'
+ ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+ synced_ntp = False
+ if len(ntp_servers) > 0:
+ for s in ntp_servers:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+ if synced_ntp:
+ break
+ if not synced_ntp:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+ if not synced_ntp:
+ print "Unable to sync time with IPA NTP server, assuming the time is in sync."
(krb_fd, krb_name) = tempfile.mkstemp()
os.close(krb_fd)
if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37..cd5f81bd5 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
return servers
+ def ipadnssearchntp(self, tdomain):
+ servers = ""
+ rserver = ""
+
+ qname = "_ntp._udp."+tdomain
+ # terminate the name
+ if not qname.endswith("."):
+ qname += "."
+ results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+ for result in results:
+ if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+ rserver = result.rdata.server.rstrip(".")
+ if servers:
+ servers += "," + rserver
+ else:
+ servers = rserver
+ break
+
+ return servers
+
def ipadnssearchkrb(self, tdomain):
realm = None
kdc = None
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c..e71692f40 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
# Restart ntpd
ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+ """
+ Syncs time with specified server using ntpdate.
+ Primarily designed to be used before Kerberos setup
+ to get time following the KDC time
+
+ Returns True if sync was successful
+ """
+ ntpdate="/usr/sbin/ntpdate"
+ result = False
+ if os.path.exists(ntpdate):
+ # retry several times -- logic follows /etc/init.d/ntpdate
+ # implementation
+ for retry in range(0,3):
+ try:
+ ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+ result = True
+ break
+ except:
+ pass
+ return result