Bug 1255102

Summary: ipa-client-install does not synchronize time
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.2
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Xiyang Dong <xdong>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: pvoborni, rcritten, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-08-20 18:24:57 UTC
Attachments: client-install.log

Description Xiyang Dong 2015-08-19 15:41:02 UTC
Created attachment 1064919
client-install.log

Description of problem:
When ntpd is stopped and the time is set a couple of hours back, ipa-client-install is unable to sync time with the NTP server and fails with "Clock skew too great".

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-4.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. stop ntpd
2. date --set='-2 hours'
3. ipa-client-install

Actual results:
client install fails

Expected results:
client install successful

Additional info:
[root@ibm-x3650m4-01-vm-14 ~]# service ntpd stop
Redirecting to /bin/systemctl stop  ntpd.service
[root@ibm-x3650m4-01-vm-14 ~]# date --set='-2 hours'
Wed Aug 19 09:09:20 EDT 2015
[root@ibm-x3650m4-01-vm-14 ~]# ipa-client-install -p admin -w Secret123 -U
Discovery was successful!
Client hostname: ibm-x3650m4-01-vm-14.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl80gen9-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Tue Aug 18 13:52:30 2015 UTC
    Valid Until: Sat Aug 18 13:52:30 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://hp-dl80gen9-01.testrelm.test/ipa/json
Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/. Trying with delegate=True
trying https://hp-dl80gen9-01.testrelm.test/ipa/json
Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/
Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
Client uninstall complete.

Using the --force-ntpd option doesn't change anything.

Comment 2 Petr Vobornik 2015-08-20 08:07:01 UTC
Xiyang, this is not the same situation/output as we discussed.

The attached log/output was run with --force-ntpd and we can see that there was an attempt to sync the time, but unfortunately it failed. However, the discussed log was without --force-ntpd and the sync was not even attempted.


Therefore there might be two issues:
1. sync failed (could be a configuration issue, e.g. there are SRV records for the ntp server but it can't be reached or is not even there)
2. sync was not attempted when run without --force-ntpd

Could you attach the ipaclient-install log for both runs (with and without the --force-ntpd option) but with the --debug option (ntpd will also be run with the -d (debug) option)?

Comment 5 Petr Vobornik 2015-08-20 14:46:01 UTC
From:

2015-08-20T11:51:56Z DEBUG Starting external process
2015-08-20T11:51:56Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2015-08-20T11:51:56Z DEBUG Process finished, return code=1
2015-08-20T11:51:56Z DEBUG stdout=disabled

2015-08-20T11:51:56Z DEBUG stderr=
2015-08-20T11:51:56Z DEBUG Starting external process
2015-08-20T11:51:56Z DEBUG args='/bin/systemctl' 'is-active' 'chronyd.service'
2015-08-20T11:51:56Z DEBUG Process finished, return code=0
2015-08-20T11:51:56Z DEBUG stdout=active

we can see that chrony is disabled. This is reported to stdout in the message:

WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

and that's why it skipped time synchronization.

Could be fixed by (prior to client install):
 systemctl stop chronyd.service

The --force-ntpd option in the second run fixed the situation. But the synchronization attempt:

`/usr/sbin/ntpd -qgc /tmp/tmpPGjhvZ -d` times out after 15s:
  transmit: at 1 10.16.76.41->10.16.76.32 mode 3 len 48
  auth_agekeys: at 1 keys 1 expired 0
  20 Aug 08:06:22 ntpd[30443]: ntpd exiting on signal 15

for both discovered servers.

The reason might be that
- servers are not reachable (unlikely, as one was communicated with)
- the server's UDP port 123 is not opened
- the ntp server is not running on the servers (which would mean that DNS records are incorrect).

Therefore I think this is not a bug in ipa-client-install.  Please close the BZ if you agree.
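
A pre-flight check for the failure diagnosed in comment 5, added here as an example (it is not part of the bug report or of ipa-client-install): it sends the same kind of mode 3, 48-byte NTP query seen in the ntpd debug output, reports whether the server answers on UDP 123, and compares the measured offset with the 300-second default Kerberos clock-skew tolerance. All function names are hypothetical and the sample reply is constructed.

```python
import socket, struct, sys, time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KRB5_MAX_SKEW = 300      # MIT krb5 default clockskew tolerance, seconds

def build_request(now):
    """48-byte client packet (version 4, mode 3) carrying our transmit time."""
    return struct.pack("!B39xII", (4 << 3) | 3,
                       int(now) + NTP_DELTA, int((now % 1) * 2**32))

def sample_reply(server_now):
    """Constructed server reply (mode 4, stratum 2) for offline testing."""
    secs = int(server_now) + NTP_DELTA
    return struct.pack("!BB30x4I", (4 << 3) | 4, 2, secs, 0, secs, 0)

def _ts(pkt, pos):
    secs, frac = struct.unpack_from("!II", pkt, pos)
    return secs - NTP_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server-minus-client offset; t1/t4 are client send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 7, reply[1]
    if mode != 4 or stratum == 0 or leap == 3:
        raise ValueError("server reply is not usable as a time source")
    t2, t3 = _ts(reply, 32), _ts(reply, 40)   # server receive / transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def classify(offset):
    """Compare the offset with the Kerberos clock-skew tolerance."""
    return ("skew-too-great" if abs(offset) > KRB5_MAX_SKEW else "ok", offset)

def check_server(host, timeout=5.0):
    """Ask host on UDP 123 for the time; returns (status, offset or None)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        try:
            s.sendto(build_request(t1), (host, 123))
            reply, _ = s.recvfrom(512)
            return classify(clock_offset(reply, t1, time.time()))
        except OSError:      # timeout, ICMP unreachable, DNS failure:
            return ("no-answer", None)   # port filtered or no NTP daemon
        except ValueError:
            return ("bad-reply", None)

if __name__ == "__main__":
    for host in sys.argv[1:]:   # e.g. the NTP servers found via DNS SRV records
        print(host, *check_server(host))
```

A "no-answer" result corresponds to the 15-second ntpd timeouts in this report; "skew-too-great" means enrollment would hit the Kerberos error even though the server is reachable.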

Comment 6 Xiyang Dong 2015-08-20 18:24:57 UTC
Petr,
You are right, ntpd is not running on the server side.
After it's on, client install went well.
I am closing the bz as not a bug.
Appreciate the efforts.