-rw-r--r--ipa-client/ipa-install/ipa-client-install17
-rw-r--r--ipa-client/ipaclient/Makefile.am1
-rw-r--r--ipa-client/ipaclient/ntpconf.py89
-rw-r--r--ipa-server/ipa-install/ipa-server-install18
-rw-r--r--ipa-server/ipa-install/share/Makefile.am1
-rw-r--r--ipa-server/ipa-install/share/ntp.conf.server.template50
-rw-r--r--ipa-server/ipaserver/Makefile.am1
-rw-r--r--ipa-server/ipaserver/dsinstance.py2
-rw-r--r--ipa-server/ipaserver/ntpinstance.py50
9 files changed, 213 insertions, 16 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 0e89a66b5..3e3597dca 100644
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -30,6 +30,7 @@ import logging
from optparse import OptionParser
import ipaclient.ipadiscovery
import ipaclient.ipachangeconf
+import ipaclient.ntpconf
from ipa.ipautil import run
def parse_options():
@@ -43,6 +44,8 @@ def parse_options():
default=False, help="print debugging information")
parser.add_option("-U", "--unattended", dest="unattended",
help="unattended installation never prompts the user")
+ parser.add_option("-N", "--no-ntp", action="store_false",
+ help="do not configure ntp", default=True, dest="conf_ntp")
options, args = parser.parse_args()
@@ -67,14 +70,6 @@ def logging_setup(options):
console.setFormatter(formatter)
logging.getLogger('').addHandler(console)
-def check_ntp():
- ret_code = 1
- p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- stdout, stderr = p.communicate()
-
- return p.returncode
-
def main():
options = parse_options()
logging_setup(options)
@@ -208,10 +203,8 @@ def main():
#Modify pam to add pam_krb5
run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])
- # print warning about ntp
- if check_ntp() != 0:
- print "WARNING: Kerberos requires time synchronization between clients"
- print "and servers for correct operation. You should consider enabling ntpd."
+ if options.conf_ntp:
+ ipaclient.ntpconf.config_ntp(ds.getServerName())
return 0
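Review bot: The new `ipaclient.ntpconf.config_ntp(ds.getServerName())` call replaces a non-fatal warning with a step that can raise: config_ntp copies and rewrites /etc/ntp.conf and calls run() for chkconfig and service, and run() raises subprocess.CalledProcessError on failure, as the server installer's handler in this same commit shows. main() starts outside this hunk, so I cannot see whether anything catches that; if nothing does, a host without ntpd installed now aborts the client install with a traceback where it previously printed a warning. Keeping NTP best-effort, as before, means wrapping the call in a try block and on failure printing a warning such as `print "WARNING: unable to configure ntp: %s" % e` and continuing to `return 0`.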
diff --git a/ipa-client/ipaclient/Makefile.am b/ipa-client/ipaclient/Makefile.am
index c40085854..038238926 100644
--- a/ipa-client/ipaclient/Makefile.am
+++ b/ipa-client/ipaclient/Makefile.am
@@ -6,6 +6,7 @@ app_PYTHON = \
dnsclient.py \
ipachangeconf.py \
ipadiscovery.py \
+ ntpconf.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py
new file mode 100644
index 000000000..6ee19f0b5
--- /dev/null
+++ b/ipa-client/ipaclient/ntpconf.py
@@ -0,0 +1,89 @@
+# Authors: Karl MacMillan <kmacmillan@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+from ipa.ipautil import *
+import shutil
+
+ntp_conf = """# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server $SERVER
+
+#broadcast 192.168.1.255 key 42 # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 key 42 # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 key 42 # manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available.
+server 127.127.1.0 # local clock
+#fudge 127.127.1.0 stratum 10
+
+# Drift file. Put this in a directory which the daemon can write to.
+# No symbolic links allowed, either, since the daemon updates the file
+# by creating a temporary in the same directory and then rename()'ing
+# it to the file.
+driftfile /var/lib/ntp/drift
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+"""
+
+def config_ntp(server_fqdn):
+ sub_dict = { }
+ sub_dict["SERVER"] = server_fqdn
+
+ nc = template_str(ntp_conf, sub_dict)
+
+ shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
+
+ fd = open("/etc/ntp.conf", "w")
+ fd.write(nc)
+ fd.close()
+
+ # Set the ntpd to start on boot
+ run(["/sbin/chkconfig", "ntpd", "on"])
+
+ # Restart ntpd
+ run(["/sbin/service", "ntpd", "restart"])
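Review bot: config_ntp substitutes server_fqdn into the `server $SERVER` line with no validation; the caller in ipa-client-install passes `ds.getServerName()`, which appears to come from discovery and is therefore network-derived, so a value containing whitespace or a newline would be written into /etc/ntp.conf as extra tokens or an extra directive. Reject anything that is not a single hostname token before templating, e.g. `if not server_fqdn or re.search(r'\s', server_fqdn): raise ValueError("invalid ntp server name: %r" % server_fqdn)` (with `import re`). The backup `shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")` also overwrites an existing .ipasave on a second run, so the admin's original file is lost; copy only when the backup does not already exist, and note that shutil.copy raises if /etc/ntp.conf is missing. The backup point applies equally to NTPInstance.create_instance in ipaserver/ntpinstance.py, whose substituted values are fixed strings so the validation point does not.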
diff --git a/ipa-server/ipa-install/ipa-server-install b/ipa-server/ipa-install/ipa-server-install
index 5a2642dbd..06297d492 100644
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@@ -41,10 +41,13 @@ import shutil
import glob
import traceback
from optparse import OptionParser
+
import ipaserver.dsinstance
import ipaserver.krbinstance
import ipaserver.bindinstance
import ipaserver.httpinstance
+import ipaserver.ntpinstance
+
from ipa.ipautil import run
def parse_options():
@@ -542,6 +545,10 @@ def main():
ds.restart()
krb.restart()
+ # Configure ntpd
+ ntp = ipaserver.ntpinstance.NTPInstance()
+ ntp.create_instance()
+
try:
selinux=0
try:
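Review bot: `ntp.create_instance()` is placed before the `try:` whose handler prints "Installation failed", so an IOError from copying a missing /etc/ntp.conf (ntp not installed) or from writing it surfaces as a bare traceback rather than the installer's failure message. The try body and its handlers extend beyond this hunk, and main() starts outside it, so I cannot see whether an outer handler exists. If not, move the two new lines inside the try and widen the handler to `except (subprocess.CalledProcessError, IOError), e:` so the reporting path is the same as for the other services.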
@@ -588,6 +595,12 @@ def main():
# Start Kpasswd
run(["/sbin/service", "ipa-kpasswd", "start"])
+
+ # Set the ntpd to start on boot
+ run(["/sbin/chkconfig", "ntpd", "on"])
+
+ # Restart ntpd
+ run(["/sbin/service", "ntpd", "restart"])
except subprocess.CalledProcessError, e:
print "Installation failed:", e
return 1
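Review bot: The `chkconfig ntpd on` and `service ntpd restart` steps are performed here by the installer, whereas the client-side config_ntp in ipaclient/ntpconf.py, added in this same commit, issues the same two run() calls itself. Either placement works, but the two sides should agree; having NTPInstance.create_instance own the service state the way config_ntp does would keep ipa-server-install to orchestration only. Note also that the two calls run against any host, so on a system without the ntp package the restart is what fails, and it fails with the generic "Installation failed" message rather than one naming ntpd.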
@@ -610,9 +623,10 @@ def main():
print "\t\tTCP Ports:"
print "\t\t * 80, 443, 8080: HTTP/HTTPS"
print "\t\t * 389, 636: LDAP/LDAPS"
- print "\t\t * 464: kpasswd"
+ print "\t\t * 88, 464: kerberos"
print "\t\tUDP Ports:"
- print "\t\t * 88, 750: kerberos"
+ print "\t\t * 88, 464: kerberos"
+ print "\t\t * 123: ntp"
print ""
print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
print "\t This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
diff --git a/ipa-server/ipa-install/share/Makefile.am b/ipa-server/ipa-install/share/Makefile.am
index 5a7fda3fa..50d81c3ad 100644
--- a/ipa-server/ipa-install/share/Makefile.am
+++ b/ipa-server/ipa-install/share/Makefile.am
@@ -16,6 +16,7 @@ app_DATA = \
krb5.ini.template \
krb.con.template \
krbrealm.con.template \
+ ntp.conf.server.template \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipa-install/share/ntp.conf.server.template b/ipa-server/ipa-install/share/ntp.conf.server.template
new file mode 100644
index 000000000..09149dfc7
--- /dev/null
+++ b/ipa-server/ipa-install/share/ntp.conf.server.template
@@ -0,0 +1,50 @@
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap
+restrict -6 default kod nomodify notrap
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server $SERVERA
+server $SERVERB
+server $SERVERC
+
+#broadcast 192.168.1.255 key 42 # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 key 42 # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 key 42 # manycast client
+
+# Undisciplined Local Clock. This is a fake driver intended for backup
+# and when no outside source of synchronized time is available.
+server 127.127.1.0 # local clock
+#fudge 127.127.1.0 stratum 10
+
+# Drift file. Put this in a directory which the daemon can write to.
+# No symbolic links allowed, either, since the daemon updates the file
+# by creating a temporary in the same directory and then rename()'ing
+# it to the file.
+driftfile /var/lib/ntp/drift
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys /etc/ntp/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
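Review bot: The default restriction `restrict default kod nomodify notrap` in this server template omits `noquery` and `nopeer`, which the client template in ipaclient/ntpconf.py does include; without `noquery`, any host that can reach UDP 123 — a port the installer's closing text in this commit now tells the admin to open — can issue ntpq/ntpdc control queries against the server, disclosing peer and system details and leaving the mode 7 query interface reachable. Serving time to clients needs only ordinary client/server packets, which `noquery` does not affect, so the two lines can match the client side: `restrict default kod nomodify notrap nopeer noquery` and `restrict -6 default kod nomodify notrap nopeer noquery`. If symmetric peering between IPA servers is intended later, add a per-host `restrict` line for that peer rather than dropping `nopeer` globally.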
diff --git a/ipa-server/ipaserver/Makefile.am b/ipa-server/ipaserver/Makefile.am
index bba297dd5..b4469b20b 100644
--- a/ipa-server/ipaserver/Makefile.am
+++ b/ipa-server/ipaserver/Makefile.am
@@ -8,6 +8,7 @@ app_PYTHON = \
ipaldap.py \
krbinstance.py \
httpinstance.py \
+ ntpinstance.py \
$(NULL)
EXTRA_DIST = \
diff --git a/ipa-server/ipaserver/dsinstance.py b/ipa-server/ipaserver/dsinstance.py
index 5ef4a4028..2b4d8f357 100644
--- a/ipa-server/ipaserver/dsinstance.py
+++ b/ipa-server/ipaserver/dsinstance.py
@@ -26,8 +26,6 @@ import logging
import pwd
from ipa.ipautil import *
-
-SHARE_DIR = "/usr/share/ipa/"
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
SERVER_ROOT_32 = "/usr/lib/dirsrv"
diff --git a/ipa-server/ipaserver/ntpinstance.py b/ipa-server/ipaserver/ntpinstance.py
new file mode 100644
index 000000000..2667a2026
--- /dev/null
+++ b/ipa-server/ipaserver/ntpinstance.py
@@ -0,0 +1,50 @@
+# Authors: Karl MacMillan <kmacmillan@redhat.com>
+#
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 or later
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+from ipa.ipautil import *
+import shutil
+
+class NTPInstance:
+ def create_instance(self):
+ # The template sets the config to point towards ntp.pool.org, but
+ # they request that software not point towards the default pool.
+ # We use the OS variable to point it towards either the rhel
+ # or fedora pools. Other distros should be added in the future
+ # or we can get our own pool.
+ os = ""
+ if file_exists("/etc/fedora-release"):
+ os = "fedora."
+ elif file_exists("/etc/redhat-release"):
+ os = "rhel."
+
+ sub_dict = { }
+ sub_dict["SERVERA"] = "0.%spool.ntp.org" % os
+ sub_dict["SERVERB"] = "1.%spool.ntp.org" % os
+ sub_dict["SERVERC"] = "2.%spool.ntp.org" % os
+
+ ntp_conf = template_file(SHARE_DIR + "ntp.conf.server.template", sub_dict)
+
+ shutil.copy("/etc/ntp.conf", "/etc/ntp.conf.ipasave")
+
+ fd = open("/etc/ntp.conf", "w")
+ fd.write(ntp_conf)
+ fd.close()
+
+ # we might consider setting the date manually using ntpd -qg in case
+ # the current time is very far off.
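Review bot: The local variable `os` in create_instance shadows the standard `os` module name, and because the file pulls names in with `from ipa.ipautil import *` it is not visible whether `os` is among them; rename it to `distro` to remove the ambiguity. `SHARE_DIR` at the template_file call is also taken from that wildcard import: this commit removes the `SHARE_DIR = "/usr/share/ipa/"` definition from dsinstance.py and does not touch ipa/ipautil.py, so both modules now depend on ipautil already exporting it — worth confirming, since otherwise this is a NameError at install time. Unlike the client's config_ntp, this method leaves enabling and restarting ntpd to ipa-server-install; either placement is fine but the two should agree, and the trailing comment about `ntpd -qg` would read better as a `# TODO:` so it is not mistaken for a description of what the method does.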