-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 15 | ||||
-rw-r--r-- | ipa-client/ipaclient/ipadiscovery.py | 21 | ||||
-rw-r--r-- | ipa-client/ipaclient/ntpconf.py | 22 |
3 files changed, 58 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 27104fc19..431878036 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -921,6 +921,21 @@ def install(options, env, fstore, statestore): nolog = tuple() # First test out the kerberos configuration try: + # Attempt to sync time with IPA server. + # We assume that NTP servers are discoverable through SRV records in the DNS + # If that fails, we try to sync directly with IPA server, assuming it runs NTP + print 'Synchronizing time with KDC...' + ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain)) + synced_ntp = False + if len(ntp_servers) > 0: + for s in ntp_servers: + synced_ntp = ipaclient.ntpconf.synconce_ntp(s) + if synced_ntp: + break + if not synced_ntp: + synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server) + if not synced_ntp: + print "Unable to sync time with IPA NTP server, assuming the time is in sync." (krb_fd, krb_name) = tempfile.mkstemp() os.close(krb_fd) if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name): diff --git a/ipa-client/ipaclient/ipadiscovery.py b/ipa-client/ipaclient/ipadiscovery.py index 3e31cad37..cd5f81bd5 100644 --- a/ipa-client/ipaclient/ipadiscovery.py +++ b/ipa-client/ipaclient/ipadiscovery.py @@ -316,6 +316,27 @@ class IPADiscovery: return servers + def ipadnssearchntp(self, tdomain): + servers = "" + rserver = "" + + qname = "_ntp._udp."+tdomain + # terminate the name + if not qname.endswith("."): + qname += "." + results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV) + + for result in results: + if result.dns_type == ipapython.dnsclient.DNS_T_SRV: + rserver = result.rdata.server.rstrip(".") + if servers: + servers += "," + rserver + else: + servers = rserver + break + + return servers + def ipadnssearchkrb(self, tdomain): realm = None kdc = None 
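Review bot: The added block in install() steps the system clock from hosts named in `_ntp._udp` SRV records, which are unauthenticated unless the resolver validates DNSSEC, and the visible lines run it unconditionally. Kerberos ticket checks and certificate validity both depend on the clock, so I would gate this on the installer's NTP opt-out, if it has one. I would also add a comment such as `# NTP server names come from DNS SRV records, which are not authenticated; the clock is stepped on their answer`. The failure path only prints "assuming the time is in sync" and continues, so the chosen server and the failure should be written to the install log for diagnosing a later clock-skew error. `if len(ntp_servers) > 0:` is redundant around the `for`, and install() begins and ends outside this hunk.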
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py index 8e151089c..e71692f40 100644 --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py @@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None): # Restart ntpd ipaservices.knownservices.ntpd.restart() + +def synconce_ntp(server_fqdn): + """ + Syncs time with specified server using ntpdate. + Primarily designed to be used before Kerberos setup + to get time following the KDC time + + Returns True if sync was successful + """ + ntpdate="/usr/sbin/ntpdate" + result = False + if os.path.exists(ntpdate): + # retry several times -- logic follows /etc/init.d/ntpdate + # implementation + for retry in range(0,3): + try: + ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn]) + result = True + break + except: + pass + return result |
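Review bot: The bare `except: pass` in synconce_ntp hides every failure, including KeyboardInterrupt and programming errors, so three silent retries return False with no record of why. Narrow it to the error ipautil.run raises on a non-zero exit, e.g. `except ipautil.CalledProcessError:` (assuming ipautil exposes it in this tree), and log each failed attempt. `server_fqdn` may originate from a DNS SRV answer; passing it as a list element avoids the shell, but ntpdate would read a value starting with `-` as an option, so `if server_fqdn.startswith("-"): return False` before the loop is a cheap guard. The function also returns False without any message when `/usr/sbin/ntpdate` is absent.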