Bug 470945 - NFS4 with kerberos authetication fails because date has yet to be synced
NFS4 with kerberos authetication fails because date has yet to be synced
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ntp (Show other bugs)
5.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Lichvar
Martin Cermak
:
Depends On: 678352 704151
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-10 19:09 EST by Rob Garth
Modified: 2011-07-21 02:42 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, if the /usr directory was mounted on an NFS file system, the ntpd service could not be started before the netfs service. This update moves the NTP applications to the /sbin directory so the user may change the ntpd startup priority to start prior to the netfs service. Note that if you wish to mount NFS version 4 with Kerberos authentication, you should consider changing the ntpd startup priority to start prior to the netfs service. Otherwise authentication may fail due to the non-synchronized date.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 02:42:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rob Garth 2008-11-10 19:09:45 EST
Description of problem: On startup nfs4 mounts fail as ntpd has not started and time can be out. Kerberos requires a correct time stamp

How reproducible: Everytime the time is out

Steps to Reproduce:
1. Change time by mroe than 5 minutes
2. Restart box
3. Mount fails
4. After startup ntpd has synced, mount works
  
Actual results: Mount Fails


Expected results:Mount Succeeds


Additional info: Moving NTPD in startup wont help, as it doesn't alsys sync immediately. What is needed is an ntpdate to be run before nfs4 attempts to mount. I have grabbed the ntpdate startup script fro Fedora 10 and modified it.
Comment 1 Rob Garth 2008-11-11 07:37:16 EST
Sorry, changing the start priority of ntpd does help. I did not see that ntpd had an existing option to run ntpdate before it starts.

Other than network, ntpd has no requirements, why does it not start until S58. It has to start before netfs is nfs4 is to consistently work.
Comment 2 Rob Garth 2008-11-11 07:37:17 EST
Sorry, changing the start priority of ntpd does help. I did not see that ntpd had an existing option to run ntpdate before it starts.

Other than network, ntpd has no requirements, why does it not start until S58. It has to start before netfs is nfs4 is to consistently work.
Comment 3 Rob Garth 2008-11-11 07:37:17 EST
Sorry, changing the start priority of ntpd does help. I did not see that ntpd had an existing option to run ntpdate before it starts.

Other than network, ntpd has no requirements, why does it not start until S58. It has to start before netfs is nfs4 is to consistently work.
Comment 4 Miroslav Lichvar 2008-11-11 11:09:21 EST
Is /usr on nfs supported? ntpd and ntpdate would have to be moved to /sbin if the service had moved before netfs.

There seem to be other daemons in /usr started before netfs service.
Comment 5 Bill Nottingham 2008-11-11 11:16:22 EST
Discouraged but supported in RHEL 5.
Comment 7 RHEL Product and Program Management 2009-03-26 12:55:15 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 8 RHEL Product and Program Management 2009-11-06 13:50:51 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 11 RHEL Product and Program Management 2010-08-09 14:40:32 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 13 RHEL Product and Program Management 2011-01-11 16:08:05 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2011-01-11 18:13:38 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 16 Miroslav Lichvar 2011-02-22 12:31:46 EST
selinux policy needs to be updated so /sbin/ntpdate and /sbin/ntpd have correct contexts, they are both moved from /usr/sbin to /sbin.
Comment 17 Miroslav Grepl 2011-02-23 11:37:55 EST
Ok, I am fixing it.
Comment 19 Miroslav Lichvar 2011-05-12 11:52:20 EDT
When ntp and selinux-policy* are updated in one rpm transaction, it seems that rpm doesn't load the new policy and the files moved to /sbin will have a wrong context. Possibly bug #505066.

We'll probably need to add a restorecon call to the init script.
Comment 23 Eva Kopalova 2011-06-30 08:42:41 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, if the /usr directory was mounted on an NFS file system, the ntpd service could not be started before the netfs service. This update moves the NTP applications to the /sbin directory so the user may change the ntpd startup priority to start prior to the netfs service. Note that if you wish to mount NFS version 4 with Kerberos authentication, you should consider changing the ntpd startup priority to start prior to the netfs service. Otherwise authentication may fail due to the non-synchronized date.
Comment 24 errata-xmlrpc 2011-07-21 02:42:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0980.html

Note You need to log in before you can comment on or make changes to this bug.