Before kinit, try to sync time with the NTP servers of the domain we are joining

When running ipa-client-install on a system whose clock is not in sync with the master, kinit fails and enrollment is aborted. Manual checking of current time at the master and adjusting on the client-to-be is then needed. The patch tries to fetch SRV records for NTP servers of the domain we aim to join and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself. If that fails, warn that time might be not in sync with KDC. https://fedorahosted.org/freeipa/ticket/1773
2025-01-11 08:41:55 -06:00 · 2011-10-05 17:25:09 +03:00 · 2011-10-05 17:25:09 +03:00 · acb2c3106a
commit acb2c3106a
parent f28ab8351f
3 changed files with 58 additions and 0 deletions
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -921,6 +921,21 @@ def install(options, env, fstore, statestore):
        nolog = tuple()
        # First test out the kerberos configuration
        try:
+            # Attempt to sync time with IPA server.
+            # We assume that NTP servers are discoverable through SRV records in the DNS
+            # If that fails, we try to sync directly with IPA server, assuming it runs NTP
+            print 'Synchronizing time with KDC...'
+            ntp_servers = ipautil.parse_items(ds.ipadnssearchntp(cli_domain))
+            synced_ntp = False
+            if len(ntp_servers) > 0:
+                for s in ntp_servers:
+                   synced_ntp = ipaclient.ntpconf.synconce_ntp(s)
+                   if synced_ntp:
+                       break
+            if not synced_ntp:
+                synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server)
+            if not synced_ntp:
+                print "Unable to sync time with IPA NTP server, assuming the time is in sync."
            (krb_fd, krb_name) = tempfile.mkstemp()
            os.close(krb_fd)
            if configure_krb5_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, cli_kdc, dnsok, options, krb_name):
--- a/ipa-client/ipaclient/ipadiscovery.py
+++ b/ipa-client/ipaclient/ipadiscovery.py
@ -316,6 +316,27 @@ class IPADiscovery:

        return servers

+    def ipadnssearchntp(self, tdomain):
+        servers = ""
+        rserver = ""
+
+        qname = "_ntp._udp."+tdomain
+        # terminate the name
+        if not qname.endswith("."):
+            qname += "."
+        results = ipapython.dnsclient.query(qname, ipapython.dnsclient.DNS_C_IN, ipapython.dnsclient.DNS_T_SRV)
+
+        for result in results:
+            if result.dns_type == ipapython.dnsclient.DNS_T_SRV:
+                rserver = result.rdata.server.rstrip(".")
+                if servers:
+                    servers += "," + rserver
+                else:
+                    servers = rserver
+                break
+
+        return servers
+
    def ipadnssearchkrb(self, tdomain):
        realm = None
        kdc = None
--- a/ipa-client/ipaclient/ntpconf.py
+++ b/ipa-client/ipaclient/ntpconf.py
@ -132,3 +132,25 @@ def config_ntp(server_fqdn, fstore = None, sysstore = None):

    # Restart ntpd
    ipaservices.knownservices.ntpd.restart()
+
+def synconce_ntp(server_fqdn):
+    """
+    Syncs time with specified server using ntpdate.
+    Primarily designed to be used before Kerberos setup
+    to get time following the KDC time
+
+    Returns True if sync was successful
+    """
+    ntpdate="/usr/sbin/ntpdate"
+    result = False
+    if os.path.exists(ntpdate):
+        # retry several times -- logic follows /etc/init.d/ntpdate
+        # implementation
+        for retry in range(0,3):
+            try:
+                ipautil.run([ntpdate, "-U", "ntp", "-s", "-b", server_fqdn])
+                result = True
+                break
+            except:
+                pass
+    return result