Description of problem: I tried running ipa-client-install today and it failed with: Traceback (most recent call last): File "/sbin/ipa-client-install", line 2590, in <module> sys.exit(main()) File "/sbin/ipa-client-install", line 2571, in main rval = install(options, env, fstore, statestore) File "/sbin/ipa-client-install", line 2529, in install ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore) File "/usr/lib/python2.7/site-packages/ipaclient/ntpconf.py", line 135, in config_ntp ipaservices.knownservices.ntpd.restart() File "/usr/lib/python2.7/site-packages/ipapython/platform/base/systemd.py", line 131, in restart ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 328, in run raise CalledProcessError(p.returncode, arg_string, stdout) subprocess.CalledProcessError: Command '/bin/systemctl restart ntpd.service' returned non-zero exit status 1 When looking at systemctl status ntpd, I see: ntpd.service - Network Time Service Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled) Active: failed (Result: exit-code) since Tue 2014-01-07 07:18:55 EST; 8s ago Process: 4964 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=1/FAILURE) Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com systemd[1]: Starting Network Time Service... Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com ntpd[4964]: ntpd error: only one user option allowed Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com ntpd[4964]: ntpd - NTP daemon program - Ver. 4.2.6p5 Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com ntpd[4964]: Usage: ntpd [ -<flag> [<val>] | --<name>[{=| }<val>] ]... Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com ntpd[4964]: Try 'ntpd --help' for more information. Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com ntpd[4964]: exit 1 Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com systemd[1]: ntpd.service: control process exited, code=exited status=1 Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com systemd[1]: Failed to start Network Time Service. Jan 07 07:18:55 sgallagh520.linux.gallagherhome.com systemd[1]: Unit ntpd.service entered failed state. The systemd service file has: [Unit] Description=Network Time Service After=syslog.target ntpdate.service sntp.service [Service] Type=forking EnvironmentFile=-/etc/sysconfig/ntpd ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS PrivateTmp=true [Install] WantedBy=multi-user.target and the /etc/sysconfig/ntpd has: # Drop root to id 'ntp:ntp' by default. OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid" # Set to 'yes' to sync hw clock after successful ntpdate SYNC_HWCLOCK=yes # Additional options for ntpdate NTPDATE_OPTIONS="" Though looking at rpmverify, it appears that: S.5....T. c /etc/sysconfig/ntpd Looking at the ipa-client-install source code, it looks like we're forcing the inclusion of the extra -u line into /etc/sysconfig/ntpd, which is rejected by the ntpd binary. Version-Release number of selected component (if applicable): freeipa-client-3.3.3-2.fc20.x86_64 ntp-4.2.6p5-18.fc20.x86_64 This appears to be related to https://bugzilla.redhat.com/show_bug.cgi?id=639101#c13
IMHO the issue is in ipa-client-install which should not depend on a patched/ hacked ntp package.
(In reply to Robert Scheck from comment #1) > IMHO the issue is in ipa-client-install which should not depend on a patched/ > hacked ntp package. Yes, I completely agree. I was referencing the old BZ because it contains useful history.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4094
(In reply to Stephen Gallagher from comment #2) > Yes, I completely agree. I was referencing the old BZ because it contains > useful history. Okay...I just wondered because I thought IPA would be fixed already for two years now as bug #639101 comment #12 mentions. Or maybe I misgot Dmitri.
I checked how ntpd is being run by default and it indeed already has hardcoded the "-u ntp:ntp" part. It seems we will just need to fix ipa-client-install to not add it again. I am thinking we may also need to deal with FreeIPA client F20->F21 updates and remove the "-u ntp:ntp" part for the already installed clients. Until this is fixed, ipa-client-install in rawhide needs to be run with "--no-ntp" to workaround the issue.
(In reply to Martin Kosek from comment #5) > Until this is fixed, ipa-client-install in rawhide needs to be run with > "--no-ntp" to workaround the issue. Just to point out, this isn't a Rawhide-only problem. It's broken for Fedora 20 stable as well.
*** Bug 1057236 has been marked as a duplicate of this bug. ***
Fixed upstream: master: https://fedorahosted.org/freeipa/changeset/923e9d8bedb6f564ef0969c8a7e8c4024a1280a8 ipa-3-3: https://fedorahosted.org/freeipa/changeset/a744b5e53beed526335baf6d19e3881b966e743a
Nitpit: # Drop root to id 'ntp:ntp' by default. OPTIONS="-x -p /var/run/ntpd.pid" The comment about dropping privs doesn't apply anymore.
Thanks Marius, that's a good observation. Fixed: master: https://fedorahosted.org/freeipa/changeset/e218f282a09be397f328731e0364937f903b0afd ipa-3-3: https://fedorahosted.org/freeipa/changeset/2fbb14d3c0cfec25948104b39e6f6df7f07c7749
*** Bug 1057686 has been marked as a duplicate of this bug. ***
Happens also in F20, see Bug #1057686
freeipa-3.3.4-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/freeipa-3.3.4-1.fc20
Package freeipa-3.3.4-1.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.3.4-1.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-1666/freeipa-3.3.4-1.fc20 then log in and leave karma (feedback).
Package freeipa-3.3.4-2.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.3.4-2.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-1666/freeipa-3.3.4-2.fc20 then log in and leave karma (feedback).
Package freeipa-3.3.4-3.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing freeipa-3.3.4-3.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-1666/freeipa-3.3.4-3.fc20 then log in and leave karma (feedback).
freeipa-3.3.4-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.