Print warning about NTP

After looking into setting up ntpd on the IPA servers I decided it was better just to warn admins. There are just too many valid setups for time synchronization for us to try to get this right. Additionally, just installing ntp and accepting the default config will result in a configuration that is perfectly valid for IPA. This patch checks if ntpd is running and suggests enabling it if it is not - for client and server. It also adds some suggested next steps to the server installation.
2025-02-25 18:55:28 -06:00 · 0001-01-01 00:00:00 +00:00 · 0001-01-01 00:00:00 +00:00 · 2703be51c8
commit 2703be51c8
parent f5cc36507b
2 changed files with 44 additions and 0 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -67,6 +67,14 @@ def logging_setup(options):
    console.setFormatter(formatter)
    logging.getLogger('').addHandler(console)

+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+
 def main():
    options = parse_options()
    logging_setup(options)
@ -200,6 +208,11 @@ def main():
    #Modify pam to add pam_krb5
    run(["/usr/sbin/authconfig", "--enablekrb5", "--update"])

+    # print warning about ntp
+    if check_ntp() != 0:
+        print "WARNING: Kerberos requires time synchronization between clients"
+        print "and servers for correct operation. You should consider enabling ntpd."
+
    return 0

 main()
--- a/ipa-server/ipa-install/ipa-server-install
+++ b/ipa-server/ipa-install/ipa-server-install
@ -372,6 +372,15 @@ def read_admin_password():
    admin_password = read_password("IPA admin")
    return admin_password

+def check_ntp():
+    ret_code = 1
+    p = subprocess.Popen(["/sbin/service", "ntpd", "status"], stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE)
+    stdout, stderr = p.communicate()
+
+    return p.returncode
+    
+
 def main():
    global ds
    ds = None
@ -584,6 +593,28 @@ def main():
    fd.write("realm=" + realm_name + "\n")
    fd.close()

+    print "=============================================================================="
+    print "Setup complete"
+    print ""
+    print "Next steps:"
+    print "\t1. You may need to open some network ports - specifically:"
+    print "\t\tTCP Ports:"
+    print "\t\t  * 80, 443, 8080: HTTP/HTTPS"
+    print "\t\t  * 389, 636: LDAP/LDAPS"
+    print "\t\t  * 464: kpasswd"
+    print "\t\tUDP Ports:"
+    print "\t\t  * 88, 750: kerberos"
+    print ""
+    print "\t2. You can now obtain a kerberos ticket using the command: 'kinit admin'."
+    print "\t   This ticket will allow you to use the IPA tools (e.g., ipa-adduser)"
+    print "\t   and the web user interface."
+
+    if check_ntp() != 0:
+        print "\t3. Kerberos requires time synchronization between clients"
+        print "\t   and servers for correct operation. You should consider enabling ntpd."
+
+
+
    return 0

 try: