Bug 736617 - ipa-client-install mishandles ntp service configuration
Summary: ipa-client-install mishandles ntp service configuration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Alexander Bokovoy
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-08 09:22 UTC by Marko Myllynen
Modified: 2015-01-04 23:50 UTC (History)
5 users (show)

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: ipa-client-install does not configure /usr/sbin/ntpdate to use a correct NTP servers in /etc/ntp/step-tickers. Additionally, the the ipa-client-install does not store the state of the ntpd service before installation Consequence: When IPA client is installed, ntpdate may use incorrect servers to synchronize with. When the IPA client is uninstalled, ntpd may be set to incorrect state. Fix: ipa-client-install configures /usr/sbin/ntpdate to use the IPA NTP server for synchronization. When IPA client is uninstalled, both ntpdate configuration and ntpd status is restored Result: ntpdate run on IPA client machine synchronizes with correct NTP server and ntpdate and ntpd configuration is correctly restored after uninstallation
Clone Of:
Environment:
Last Closed: 2011-12-06 18:30:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Marko Myllynen 2011-09-08 09:22:42 UTC
Description of problem:
After running ipa-client-install on a system when ntpdate has already been configured using /etc/ntp/step-tickers, both ntpd and ntpdate are enabled after enrollment. This means that during system boot first ntpdate is run (using the non-IPA servers from step-tickers) and the ntpd is started which is using the configuration from ntp.conf with IPA settings.

Also, after running ipa-client-install --uninstall, ntpd is left enabled even though it was not enabled before enrolling the system.

Version-Release number of selected component (if applicable):
RHEL 6.1 / IPA 2.1

Comment 2 Martin Kosek 2011-09-08 09:28:56 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1770

Comment 5 Namita Soman 2011-10-17 17:34:34 UTC
Verified using ipa-client-2.1.2-2.el6.x86_64

before installing:
# service ntpd status
ntpd is stopped

# cat /etc/ntp/step-tickers 
# List of servers used for initial synchronization.
clock.corp.redhat.com
clock2.corp.redhat.com
clock.redhat.com
clock2.redhat.com


after installing:
# service ntpd status
ntpd (pid  25162) is running...

# cat /etc/ntp/step-tickers 
# Use IPA-provided NTP server for initial time
rhel62-server1.testrelm

after uninstalling:
ntpd is stopped, and step-tickers is restored back

Comment 6 Martin Kosek 2011-11-01 12:50:29 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ipa-client-install does not configure /usr/sbin/ntpdate to use a correct NTP servers in /etc/ntp/step-tickers. Additionally, the the ipa-client-install does not store the state of the ntpd service before installation
Consequence: When IPA client is installed, ntpdate may use incorrect servers to synchronize with. When the IPA client is uninstalled, ntpd may be set to incorrect state.
Fix: ipa-client-install configures /usr/sbin/ntpdate to use the IPA NTP server for synchronization. When IPA client is uninstalled, both ntpdate configuration and ntpd status is restored
Result: ntpdate run on IPA client machine synchronizes with correct NTP server and ntpdate and ntpd configuration is correctly restored after uninstallation

Comment 7 errata-xmlrpc 2011-12-06 18:30:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html


Note You need to log in before you can comment on or make changes to this bug.