Bug 1211708

Summary: ipa-client-install gets stuck during NTP sync
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.1
Status: CLOSED ERRATA
Severity: unspecified
Priority: medium
Reporter: Petra Kamenickova <pkamenickova>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Namita Soman <nsoman>
CC: jpazdziora, mkosek, ppicka, pvoborni, rcritten, zemaitis.tomas
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.2.0-0.1.alpha1.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-11-19 12:03:25 UTC
Attachments: Evidence of verify (flags: none)

Description Petra Kamenickova 2015-04-14 16:13:23 UTC
Description of problem:
ipa-client-install gets stuck on

Synchronizing time with KDC...

message, if there is no ntp server.

Version-Release number of selected component (if applicable):
ipa-client-4.1.0-18.el7.x86_64

How reproducible:
Install ipa server with --no-ntp option and then try to enroll a client to this server.

Steps to Reproduce:
1. ipa-server-install --no-ntp
2. ipa-client-install

Actual results:
Synchronizing time with KDC...
and nothing more, just a blinking cursor

Expected results:

Timeout and appropriate message would be nice. Something like

Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

Comment 2 Martin Bašti 2015-04-14 16:38:35 UTC
Can you share /var/log/ipaclient-install.log please?

There is a 15 sec timeout for each ntp server.

Comment 3 Petr Vobornik 2015-04-14 16:43:30 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4842

Comment 4 Petr Vobornik 2015-04-14 16:47:13 UTC
The 15s time is not in ipa-client-4.1.0-18.

master:
    a58b77ca9cd3620201306258dd6bd05ea1c73c73 Timeout when performing time sync during client install 

ipa-4-1:
    80aeb445e2034776f08668bf04dfd711af477b25 Timeout when performing time sync during client install

Comment 5 Petra Kamenickova 2015-04-14 16:51:23 UTC
(In reply to Martin Bašti from comment #2)
> Can you share /var/log/ipaclient-install.log please?
> 
> There is a 15 sec timeout for each ntp server.

Oh, I'm so sorry. Forgot to add one step.

Run service chronyd stop before ipa-client-install.

A few last lines from the log:
2015-04-14T16:49:52Z DEBUG Process finished, return code=3
2015-04-14T16:49:52Z DEBUG stdout=
2015-04-14T16:49:52Z DEBUG stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

2015-04-14T16:49:52Z INFO Synchronizing time with KDC...
2015-04-14T16:49:52Z DEBUG Search DNS for SRV record of _ntp._udp.lab.eng.brq.redhat.com
2015-04-14T16:49:53Z DEBUG DNS record not found: NXDOMAIN
2015-04-14T16:49:53Z DEBUG Starting external process
2015-04-14T16:49:53Z DEBUG args='/usr/sbin/ntpd' '-qgc' '/tmp/tmp6FwPg1'
2015-04-14T16:50:38Z DEBUG Process interrupted
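
The log above shows `/usr/sbin/ntpd -qgc` started with no time bound and only ending when interrupted. As an added example (not FreeIPA's code and not the referenced commits), this Python sketch shows the behaviour requested in the description: a per-server timeout, the fallback message, and `--no-ntp` checked before anything is started. `sync_time`, `run_bounded` and the `make_argv` hook are hypothetical names; the 15-second value is the figure quoted in comment 2.

```python
import subprocess
import tempfile

NTPD = "/usr/sbin/ntpd"   # path as it appears in the log above
SYNC_TIMEOUT = 15         # seconds per server, the figure quoted in comment 2
FALLBACK_MSG = ("Unable to sync time with IPA NTP server, "
                "assuming the time is in sync.")


def run_bounded(argv, timeout):
    """Run argv; return True only if it exits 0 within `timeout` seconds."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False      # run() has already killed and reaped the child
    except OSError:
        return False      # binary missing or not executable
    return proc.returncode == 0


def sync_time(servers, no_ntp=False, timeout=SYNC_TIMEOUT, make_argv=None):
    """One-shot sync against each server; worst case len(servers) * timeout.

    make_argv is a hypothetical hook (not a FreeIPA parameter) that maps the
    temporary config path to a command line, so the logic runs without ntpd.
    """
    if no_ntp:
        # Honour the flag before any DNS lookup or process start.
        return False, "Time synchronization skipped (--no-ntp)."
    make_argv = make_argv or (lambda conf: [NTPD, "-qgc", conf])
    for server in servers:
        with tempfile.NamedTemporaryFile("w", suffix=".conf") as conf:
            conf.write("server %s\n" % server)
            conf.flush()
            if run_bounded(make_argv(conf.name), timeout):
                return True, "Time synchronized with %s." % server
    return False, FALLBACK_MSG


if __name__ == "__main__":
    # Constructed input: a server name that is not expected to answer.
    print(sync_time(["ntp.example.test"], timeout=3)[1])
```

If the fallback branch is taken while the clock is actually off by more than the KDC's allowed skew (5 minutes by default in MIT Kerberos), the later Kerberos step fails with a clock-skew error instead of the installer hanging.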

Comment 7 Tomas 2015-05-02 13:22:30 UTC
Hi, this problem still persists. Can you please advise when the bug will be fixed and pushed with the latest updates?

IPA server was installed with the following options (no ntpd):

ipa-server-install \
-n domain.net \
-r DOMAIN.NET \
-a KBpass \
-p DMpass \
--ip-address=1.1.1.1 \
--hostname=ipa01.domain.net \
--no-ntp \
--no_hbac_allow \
--idstart=50000 \
--idmax=99999 \
--setup-dns \
--no-forwarders \
--reverse-zone=1.1.1.in-addr.arpa \
--zonemgr=admin \
--ssh-trust-dns \
--mkhomedir \
--unattended

When trying to enroll ipa-client:

ipa-client-install --enable-dns-updates --mkhomedir --no-ntp --ssh-trust-dns

I am getting:

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...


Is there any workaround?

Comment 8 Petr Vobornik 2015-05-04 07:58:30 UTC
Fixes for this BZ and for ipa-client-install --no-ntp were not yet released in RHEL. 

Workaround for ipa-client-install --no-ntp is not a have working NTP server which is discoverable through DNS or to apply this patch:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=f0c1daf7a2a8c88f6d84d81d66c7e39f571e0894

Comment 9 Tomas 2015-05-04 21:22:53 UTC
Your workaround still doesn't work, the bug still persists.

Our setup:
1) IPA server running without NTPD servers (as per RHEL recommendations as these are virtual servers - for more details please see official RHEL 7 IDM PDF doc);
2) No other discoverable NTP servers on the network (switched access off temporarily);
3) Ensuring that no access to any Network NTP service from client;
4) Executing IPA-CLIENT install with the following:

ipa-client-install --enable-dns-updates --mkhomedir --no-ntp --ssh-trust-dns

and getting the following same results:

Discovery was successful!
Hostname: myipaclient.domain.net
Realm: DOMAIN.NET
DNS Domain: domain.net
IPA Server: ipa01.domain.net
BaseDN: dc=domain,dc=net

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...

So the problem still persists and this is really annoying as it was working on first RHEL 7 release, earlier version of IPA-CLIENT. We need to enroll hundreds of RHEL servers and trying to make them work manually is an effort.

Please advise about possible workarounds, upcoming fixed version dates. Thanks

Comment 10 Tomas 2015-05-04 21:32:33 UTC
In addition to my previous comments, this is what is happening in ipa-client install debug logs:

2015-05-04T21:25:55Z DEBUG Search DNS for SRV record of _ntp._udp.domain.net
2015-05-04T21:25:55Z DEBUG DNS record not found: NXDOMAIN
2015-05-04T21:25:55Z DEBUG Starting external process
2015-05-04T21:25:55Z DEBUG args='/usr/sbin/ntpd' '-qgc' '/tmp/tmpCkyhb2'

Why is it searching for ntp if I am passing the option --no-ntp?

Comment 11 Petr Vobornik 2015-05-05 10:15:36 UTC
It's searching for ntp because there is a bug which will be fixed by a patch in comment 8.

Wrt comment 9: Sorry, there was a typo. I meant the opposite: "to have a working NTP server". In other words, because ipa-client-install tries to sync the time no matter what, one should either allow it to happen, fix the bug (comment 8) or fool it in another way.

Comment 12 Tomas 2015-05-05 10:28:45 UTC
1) I have the same problem even if I am pointing to an NTP server by adding the option:
--ntp-server=xxx.xxx.xxx.xxx
2) How to apply the fix given in comment 8? It is a Fedora package, not RHEL.

We are talking here about RHEL production machines!

Comment 13 Martin Kosek 2015-05-05 10:46:34 UTC
As far as I know, the only applicable workaround for your case would be to create _ntp._udp.IPA_DOMAIN DNS SRV records that would be pointing to a valid NTP server (it does not necessarily have to be a FreeIPA NTP server). ipa-client-install should then use this/these NTP server(s) for the one-time synchronization.

This is the workaround we propose. The proper fix is proposed for next RHEL minor version (7.2). If you want to request a more expedited fix (i.e. EUS/7.1 backport), please contact your Customer Service representative that will be able to discuss the available options with you.

Comment 14 Tomas 2015-05-05 11:33:45 UTC
Great, thanks. Confirmed that the proposed workaround: "create _ntp._udp.IPA_DOMAIN DNS SRV records that would be pointing to a valid NTP server" works as expected.

Comment 17 Pavel Picka 2015-09-14 09:52:50 UTC
Created attachment 1073166
Evidence of verify

Comment 18 errata-xmlrpc 2015-11-19 12:03:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

Comment 19 Jan Pazdziora (Red Hat) 2015-12-01 08:30:10 UTC
(In reply to Pavel Picka from comment #17)
> Created attachment 1073166
> Evidence of verify

Was the part about --no-ntp tested?

Comment 20 Pavel Picka 2016-01-12 15:08:28 UTC
Do you mean with server-install or with client-install?

Comment 21 Jan Pazdziora (Red Hat) 2016-01-12 18:00:37 UTC
(In reply to Pavel Picka from comment #20)
> Do you mean with server-install or with client-install?

ipa-client-install --no-ntp.