Bug 1255102 - ipa-client-install does not synchronize time
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-19 15:41 UTC by Xiyang Dong
Modified: 2015-08-20 18:24 UTC

Doc Type: Bug Fix
Last Closed: 2015-08-20 18:24:57 UTC


Attachments
client-install.log (59.21 KB, text/plain)
2015-08-19 15:41 UTC, Xiyang Dong

Description Xiyang Dong 2015-08-19 15:41:02 UTC
Created attachment 1064919
client-install.log

Description of problem:
When ntpd is stopped and the time is set a couple of hours back, ipa-client-install is unable to sync time with the NTP server and fails with "Clock skew too great".

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-4.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. stop ntpd
2. date --set='-2 hours'
3. ipa-client-install

Actual results:
client install fails

Expected results:
client install successful

Additional info:
[root@ibm-x3650m4-01-vm-14 ~]# service ntpd stop
Redirecting to /bin/systemctl stop  ntpd.service
[root@ibm-x3650m4-01-vm-14 ~]# date --set='-2 hours'
Wed Aug 19 09:09:20 EDT 2015
[root@ibm-x3650m4-01-vm-14 ~]# ipa-client-install -p admin -w Secret123 -U
Discovery was successful!
Client hostname: ibm-x3650m4-01-vm-14.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: hp-dl80gen9-01.testrelm.test
BaseDN: dc=testrelm,dc=test

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Tue Aug 18 13:52:30 2015 UTC
    Valid Until: Sat Aug 18 13:52:30 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://hp-dl80gen9-01.testrelm.test/ipa/json
Cannot connect to the server due to Kerberos error: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/. Trying with delegate=True
trying https://hp-dl80gen9-01.testrelm.test/ipa/json
Second connect with delegate=True also failed: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/
Cannot connect to the IPA server RPC interface: Kerberos error: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Clock skew too great', -1765328347)/
Installation failed. Rolling back changes.
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
nscd daemon is not installed, skip configuration
Client uninstall complete.

Using the --force-ntpd option doesn't change anything.

Comment 2 Petr Vobornik 2015-08-20 08:07:01 UTC
Xiyang, this is not the same situation/output as we discussed.

The attached log/output was run with --force-ntpd and we can see that there was an attempt to sync the time, but unfortunately it failed. However, the discussed log was without --force-ntpd and the sync was not even attempted.

Therefore there might be two issues:
1. sync failed (could be a configuration issue, e.g. there are SRV records for the ntp server but it can't be reached or is not even there)
2. sync was not attempted when run without --force-ntpd

Could you attach the ipaclient-install log for both runs (with and without the --force-ntpd option), but with the --debug option (ntpd will also be run with the -d (debug) option)?

Comment 5 Petr Vobornik 2015-08-20 14:46:01 UTC
from:

2015-08-20T11:51:56Z DEBUG Starting external process
2015-08-20T11:51:56Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2015-08-20T11:51:56Z DEBUG Process finished, return code=1
2015-08-20T11:51:56Z DEBUG stdout=disabled

2015-08-20T11:51:56Z DEBUG stderr=
2015-08-20T11:51:56Z DEBUG Starting external process
2015-08-20T11:51:56Z DEBUG args='/bin/systemctl' 'is-active' 'chronyd.service'
2015-08-20T11:51:56Z DEBUG Process finished, return code=0
2015-08-20T11:51:56Z DEBUG stdout=active

We can see that chrony is disabled. This is reported to stdout in the message:

WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

and that's why it skipped time synchronization.

Could be fixed by (prior to client install):
 systemctl stop chronyd.service

The --force-ntpd option in the second run fixed the situation. But the synchronization attempt:

`/usr/sbin/ntpd -qgc /tmp/tmpPGjhvZ -d` times out after 15s:
  transmit: at 1 10.16.76.41->10.16.76.32 mode 3 len 48
  auth_agekeys: at 1 keys 1 expired 0
  20 Aug 08:06:22 ntpd[30443]: ntpd exiting on signal 15

for both discovered servers.

The reason might be that
- the servers are not reachable (unlikely, as one was communicated with)
- the server's UDP port 123 is not open
- the ntp server is not running on the servers (which would mean that the DNS records are incorrect).

Therefore I think this is not a bug in ipa-client-install.  Please close the BZ if you agree.
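
Added example (not part of the original bug report and not code from ipa-client-install): a pre-flight check for the causes listed in comment 5. It sends one SNTP query to an NTP server, reports when no usable reply comes back, and compares the measured offset with the default Kerberos clock skew tolerance of 300 seconds. The function names and the host name in the last line are hypothetical.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_MAX_SKEW = 300            # default Kerberos clock skew tolerance, seconds


def build_request(now):
    """48-byte SNTP client request: LI=0, VN=4, mode=3, transmit timestamp=now."""
    secs = int(now) + NTP_EPOCH_DELTA
    return struct.pack("!B39xII", 0x23, secs, int((now % 1) * 2**32))


def clock_offset(reply, t1, t4):
    """Seconds the server is ahead of the local clock (negative: local is ahead)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4 or stratum == 0 or leap == 3:
        raise ValueError("server reply is not usable (unsynchronized or refused)")
    s2, f2, s3, f3 = struct.unpack_from("!IIII", reply, 32)
    t2 = s2 - NTP_EPOCH_DELTA + f2 / 2**32   # server receive time
    t3 = s3 - NTP_EPOCH_DELTA + f3 / 2**32   # server transmit time
    return ((t2 - t1) + (t3 - t4)) / 2


def check_server(host, timeout=5.0, port=123):
    """Return (status, offset) for one NTP server; offset is None on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        try:
            sock.sendto(build_request(t1), (host, port))
            reply, _ = sock.recvfrom(512)
        except OSError:          # timeout, ICMP refusal or DNS failure
            return ("no-reply", None)
        t4 = time.time()
    try:
        offset = clock_offset(reply, t1, t4)
    except ValueError:
        return ("bad-reply", None)
    return ("skew-too-great" if abs(offset) > KRB5_MAX_SKEW else "ok", offset)


if __name__ == "__main__":
    print(check_server("ipa-server.example.test"))  # hypothetical host name
```

A "no-reply" result corresponds to the closed-port and ntpd-not-running cases above; "skew-too-great" means the Kerberos step of the install would fail unless the clock is corrected first.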

Comment 6 Xiyang Dong 2015-08-20 18:24:57 UTC
Petr,
You are right, ntpd is not running on the server side.
After it's on, client install went well.
I am closing the bz as not a bug.
Appreciate the efforts.

