author | Alexander Bokovoy <abokovoy@redhat.com> | 2011-10-05 17:25:09 +0300 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-10-06 05:16:41 -0400 |
commit | acb2c3106ad763a07eca6e0f6f6737c04f967bfe (patch) | |
tree | a011027b7bcb1b785869f34d5add1f36489f18ae | |
parent | f28ab8351f8972b5b5354dd98ba6508eab06dc31 (diff) | |
Before kinit, try to sync time with the NTP servers of the domain we are joining
When running ipa-client-install on a system whose clock is not in sync
with the master, kinit fails and enrollment is aborted. Manual checking
of current time at the master and adjusting on the client-to-be is then
needed.
The patch tries to fetch SRV records for NTP servers of the domain we aim
to join and runs ntpdate to get time synchronized. If no SRV records are
found, sync with IPA server itself. If that fails, warn that the time might
not be in sync with the KDC.
https://fedorahosted.org/freeipa/ticket/1773
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 15 | ||||
-rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 21 | ||||
-rw-r--r-- | ipa-client/ipaclient/ntpconf.py | 22 |
3 files changed, 58 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 27104fc19..431878036 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -921,6 +921,21 @@ def install(options, env, fstore, statestore):
 nolog = tuple()
 # First test out the kerberos configuration
 try:
+ # Attempt to sync time with IPA server.
+ # We assume that NTP servers are discoverable through SRV records in the DNS
+ # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+ print 'Synchronizing time with KDC...'
+ ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+ synced_ntp = False
+ if len(ntp_servers) > 0:
+ for s in ntp_servers:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+ if synced_ntp:
+ break
+ if not synced_ntp:
+ synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+ if not synced_ntp:
+ print "Unable to sync time with IPA NTP server, assuming the time is in sync."
 (krb_fd, krb_name) = tempfile.mkstemp()
 os.close(krb_fd)
 if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py
index 3e31cad37..cd5f81bd5 100644
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@@ -316,6 +316,27 @@ class IPADiscovery:
 return servers
+ def ipadnssearchntp(self, tdomain):
+ servers = ""
+ rserver = ""
+
+ qname = "_ntp._udp."+tdomain
+ # terminate the name
+ if not qname.endswith("."):
+ qname += "."
+ results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+ for result in results:
+ if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+ rserver = result.rdata.server.rstrip(".")
+ if servers:
+ servers += "," + rserver
+ else:
+ servers = rserver
+ break
+
+ return servers
+
 def ipadnssearchkrb(self, tdomain):
 realm = None
 kdc = None
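Review bot: The `if len(ntp_servers) > 0:` guard around `for s in ntp_servers:` is redundant — iterating an empty list is a no-op and `synced_ntp` is already `False` — so the block reads more clearly with the `for` directly under `synced_ntp = False`. More useful to an operator, nothing reports which host actually supplied the time: the clock is stepped from whichever SRV-discovered server answers first, or from `cli_server`, before any Kerberos authentication exists, so the success path should name the source, e.g. `print 'Synchronized time with %s' % s` after a successful `synconce_ntp(s)` and the equivalent for the `cli_server` fallback. The comment `# We assume that NTP servers are discoverable through SRV records in the DNS` is also worth extending with `# (unauthenticated DNS and NTP: this only gets the clock close enough for Kerberos, it is not a trust decision)` so the assumption is explicit in the code. The enclosing `install()` starts and ends outside the hunk.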
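Review bot: `ipadnssearchntp` returns at most one server because of the `break` at the end of the `if result.dns_type == ipapython.dnsclient.DNS_T_SRV:` branch, which makes the comma-joining `if servers:` / `else:` accumulation dead code and leaves the caller's `for s in ntp_servers:` loop with a single candidate. Either drop the `break` so every SRV target is collected (noting that the `ipapython.dnsclient.query` results are not visibly ordered by SRV priority/weight here), or reduce the body to `return result.rdata.server.rstrip(".")` and document that only the first record is used. The `rserver = ""` initialisation is unused in either variant. The method has no docstring; a one-liner such as `"""Return comma-separated NTP server hostnames from the _ntp._udp SRV records of tdomain ("" if none)."""` would state the contract the caller relies on.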
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
index 8e151089c..e71692f40 100644
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):
 # Restart ntpd
 ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+ """
+ Syncs time with specified server using ntpdate.
+ Primarily designed to be used before Kerberos setup
+ to get time following the KDC time
+
+ Returns True if sync was successful
+ """
+ ntpdate="/usr/sbin/ntpdate"
+ result = False
+ if os.path.exists(ntpdate):
+ # retry several times -- logic follows /etc/init.d/ntpdate
+ # implementation
+ for retry in range(0,3):
+ try:
+ ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+ result = True
+ break
+ except:
+ pass
+ return result
|
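Review bot: The bare `except: pass` in the retry loop of `synconce_ntp` swallows every exception, including `KeyboardInterrupt` and programming errors, and hides the reason ntpdate failed from the installer output; narrow it to the exception `ipautil.run` raises on a non-zero exit (`ipautil.CalledProcessError`, if that is what this tree's `ipautil.run` raises) and keep the instance so the last failure can be reported before `return result`. The unused loop variable should be `for _ in range(3):`, and the silent `False` when `/usr/sbin/ntpdate` is absent deserves a message, since the caller then prints only `Unable to sync time with IPA NTP server`. The docstring should also state what the flags mean for the caller: `-b` steps the clock in one jump rather than slewing, so this call can move system time arbitrarily far on the basis of an unauthenticated NTP exchange, and `-U ntp` runs the exchange as the ntp user; a sentence such as `Steps (not slews) the clock once via ntpdate; the exchange is unauthenticated and is only meant to make Kerberos usable.` would make that explicit.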