
Bug 904162

Summary: "Unable to sync time with IPA NTP server" while installing ipa-client on IPv6-only network
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.4
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Steeve Goveas <sgoveas>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: mkosek
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-01-29 16:21:09 UTC
Attachments:
- ipaclient-install.log
- tcpdump from IPA server
- No iptables rules
- grep ntp from messages log

Description Steeve Goveas 2013-01-25 16:07:20 UTC
Description of problem:
"Unable to sync time with IPA NTP server" while installing ipa-client

Version-Release number of selected component (if applicable):
ipa-client-3.0.0-23.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup IPA server
2. Install ipa-client on client machine
# ipa-client-install
3.
  
Actual results:
[root@ratchet ~]# ipa-client-install
Discovery was successful!
Hostname: ratchet.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: sideswipe.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.   <<<<<<<
Password for admin:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=TESTRELM.COM
Issuer: CN=Certificate Authority,O=TESTRELM.COM
Valid From: Thu Jan 24 10:42:30 2013 UTC
Valid Until: Mon Jan 24 10:42:30 2033 UTC

Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://sideswipe.testrelm.com/ipa/xml
Hostname (ratchet.testrelm.com) not found in DNS
DNS server record set to: ratchet.testrelm.com -> 2620:52:0:41ce:5054:ff:fea6:ec8
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://sideswipe.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

# Time on master

[root@sideswipe ~]# date
Fri Jan 25 16:05:29 IST 2013


# Time on client

[root@ratchet ~]# date
Fri Jan 25 16:06:18 IST 2013

Time was synced manually before running the install. There is no firewall running on either machine.

Expected results:

Time is synced with IPA NTP server


Additional info:

Stopped NTP service and then tried ipa-client-install

[root@ratchet ~]# service ntpd stop
Shutting down ntpd:                                        [  OK  ]

[root@ratchet ~]# ipa-client-install 
Discovery was successful!
Hostname: ratchet.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: sideswipe.testrelm.com
BaseDN: dc=testrelm,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for admin: [root@ratchet ~]# 

[root@ratchet ~]# 
[root@ratchet ~]# service ntpd status
ntpd is stopped

[root@ratchet ~]# date
Fri Jan 25 17:38:21 IST 2013


[root@ratchet ~]# grep ntp /var/log/messages
Jan 25 17:37:12 ratchet ntpd[14099]: ntpd exiting on signal 15
Jan 25 17:37:23 ratchet ntpdate[14606]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:23 ratchet ntpdate[14606]: no server suitable for synchronization found
Jan 25 17:37:23 ratchet ntpdate[14607]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:23 ratchet ntpdate[14607]: no server suitable for synchronization found
Jan 25 17:37:24 ratchet ntpdate[14608]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:24 ratchet ntpdate[14608]: no server suitable for synchronization found
Jan 25 17:37:24 ratchet ntpdate[14609]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:24 ratchet ntpdate[14609]: no server suitable for synchronization found
Jan 25 17:37:24 ratchet ntpdate[14610]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:24 ratchet ntpdate[14610]: no server suitable for synchronization found
Jan 25 17:37:24 ratchet ntpdate[14611]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Jan 25 17:37:24 ratchet ntpdate[14611]: no server suitable for synchronization found

[root@ratchet log]# cat ipaclient-install.log 
2013-01-25T12:07:18Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2013-01-25T12:07:18Z DEBUG missing options might be asked for interactively later
2013-01-25T12:07:18Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2013-01-25T12:07:18Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2013-01-25T12:07:18Z DEBUG [IPA Discovery]
2013-01-25T12:07:18Z DEBUG Starting IPA discovery with domain=None, server=None, hostname=ratchet.testrelm.com
2013-01-25T12:07:18Z DEBUG Start searching for LDAP SRV record in "testrelm.com" (domain of the hostname) and its sub-domains
2013-01-25T12:07:18Z DEBUG Search DNS for SRV record of _ldap._tcp.testrelm.com.
2013-01-25T12:07:18Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:sideswipe.testrelm.com.}
2013-01-25T12:07:18Z DEBUG [Kerberos realm search]
2013-01-25T12:07:18Z DEBUG Search DNS for TXT record of _kerberos.testrelm.com.
2013-01-25T12:07:18Z DEBUG DNS record found: DNSResult::name:_kerberos.testrelm.com.,type:16,class:1,rdata={data:TESTRELM.COM}
2013-01-25T12:07:18Z DEBUG Search DNS for SRV record of _kerberos._udp.testrelm.com.
2013-01-25T12:07:18Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.testrelm.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:sideswipe.testrelm.com.}
2013-01-25T12:07:18Z DEBUG [LDAP server check]
2013-01-25T12:07:18Z DEBUG Verifying that sideswipe.testrelm.com (realm TESTRELM.COM) is an IPA server
2013-01-25T12:07:18Z DEBUG Init LDAP connection with: ldap://sideswipe.testrelm.com:389
2013-01-25T12:07:18Z DEBUG Search LDAP server for IPA base DN
2013-01-25T12:07:18Z DEBUG Check if naming context 'dc=testrelm,dc=com' is for IPA
2013-01-25T12:07:18Z DEBUG Naming context 'dc=testrelm,dc=com' is a valid IPA context
2013-01-25T12:07:18Z DEBUG Search for (objectClass=krbRealmContainer) in dc=testrelm,dc=com (sub)
2013-01-25T12:07:18Z DEBUG Found: cn=TESTRELM.COM,cn=kerberos,dc=testrelm,dc=com
2013-01-25T12:07:18Z DEBUG Discovery result: Success; server=sideswipe.testrelm.com, domain=testrelm.com, kdc=sideswipe.testrelm.com, basedn=dc=testrelm,dc=com
2013-01-25T12:07:18Z DEBUG will use discovered domain: testrelm.com
2013-01-25T12:07:18Z DEBUG Start searching for LDAP SRV record in "testrelm.com" (Validating DNS Discovery) and its sub-domains
2013-01-25T12:07:18Z DEBUG Search DNS for SRV record of _ldap._tcp.testrelm.com.
2013-01-25T12:07:18Z DEBUG DNS record found: DNSResult::name:_ldap._tcp.testrelm.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:sideswipe.testrelm.com.}
2013-01-25T12:07:18Z DEBUG DNS validated, enabling discovery
2013-01-25T12:07:18Z DEBUG will use discovered server: sideswipe.testrelm.com
2013-01-25T12:07:18Z INFO Discovery was successful!
2013-01-25T12:07:18Z DEBUG will use discovered realm: TESTRELM.COM
2013-01-25T12:07:18Z DEBUG will use discovered basedn: dc=testrelm,dc=com
2013-01-25T12:07:18Z INFO Hostname: ratchet.testrelm.com
2013-01-25T12:07:18Z DEBUG Hostname source: Machine's FQDN
2013-01-25T12:07:18Z INFO Realm: TESTRELM.COM
2013-01-25T12:07:18Z DEBUG Realm source: Discovered from LDAP DNS records in sideswipe.testrelm.com
2013-01-25T12:07:18Z INFO DNS Domain: testrelm.com
2013-01-25T12:07:18Z DEBUG DNS Domain source: Discovered LDAP SRV records from testrelm.com (domain of the hostname)
2013-01-25T12:07:18Z INFO IPA Server: sideswipe.testrelm.com
2013-01-25T12:07:18Z DEBUG IPA Server source: Discovered from LDAP DNS records in sideswipe.testrelm.com
2013-01-25T12:07:18Z INFO BaseDN: dc=testrelm,dc=com
2013-01-25T12:07:18Z DEBUG BaseDN source: From IPA server ldap://sideswipe.testrelm.com:389
2013-01-25T12:07:20Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r TESTRELM.COM
2013-01-25T12:07:20Z DEBUG stdout=
2013-01-25T12:07:20Z DEBUG stderr=realm not found

2013-01-25T12:07:23Z DEBUG will use principal provided as option: admin
2013-01-25T12:07:23Z INFO Synchronizing time with KDC...
2013-01-25T12:07:23Z DEBUG Search DNS for SRV record of _ntp._udp.testrelm.com.
2013-01-25T12:07:23Z DEBUG DNS record found: DNSResult::name:_ntp._udp.testrelm.com.,type:33,class:1,rdata={priority:0,port:123,weight:100,server:sideswipe.testrelm.com.}
2013-01-25T12:07:23Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:23Z DEBUG stdout=
2013-01-25T12:07:23Z DEBUG stderr=
2013-01-25T12:07:23Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:23Z DEBUG stdout=
2013-01-25T12:07:23Z DEBUG stderr=
2013-01-25T12:07:24Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:24Z DEBUG stdout=
2013-01-25T12:07:24Z DEBUG stderr=
2013-01-25T12:07:24Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:24Z DEBUG stdout=
2013-01-25T12:07:24Z DEBUG stderr=
2013-01-25T12:07:24Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:24Z DEBUG stdout=
2013-01-25T12:07:24Z DEBUG stderr=
2013-01-25T12:07:24Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v sideswipe.testrelm.com
2013-01-25T12:07:24Z DEBUG stdout=
2013-01-25T12:07:24Z DEBUG stderr=
2013-01-25T12:07:24Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
2013-01-25T12:07:24Z DEBUG Writing Kerberos configuration to /tmp/tmptpzgo3:
2013-01-25T12:07:24Z DEBUG #File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = TESTRELM.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM.COM = {
    kdc = sideswipe.testrelm.com:88
    master_kdc = sideswipe.testrelm.com:88
    admin_server = sideswipe.testrelm.com:749
    default_domain = testrelm.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm.com = TESTRELM.COM
  testrelm.com = TESTRELM.COM

[root@ratchet log]#

Comment 1 Steeve Goveas 2013-01-25 16:08:49 UTC
Created attachment 687526
ipaclient-install.log

Comment 2 Steeve Goveas 2013-01-25 16:09:38 UTC
Created attachment 687527
tcpdump from IPA server

Comment 3 Steeve Goveas 2013-01-25 16:11:02 UTC
Created attachment 687529
No iptables rules

Comment 4 Steeve Goveas 2013-01-25 16:11:48 UTC
Created attachment 687532
grep ntp from messages log

Comment 6 Martin Kosek 2013-01-28 09:30:17 UTC
I investigated the issue. First, we need to point out that this happens only on an IPv6-only network (this can be seen in the logs you provided, and I also know it because I helped you investigate it).

I managed to reproduce the issue too; in my case the issue was a too-high stratum of the ntpd server on the IPA master machine. This was caused by the inability of ntpd on the IPA server to contact other time servers to sync with, as they were available only via IPv4. I also found out that ntpd does not work very well when 127.0.0.1/8 is not present on the `lo' interface. `ntpstat' does not work then.

Client investigation output:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# /usr/sbin/ntpdate -U ntp -b -v -d ipa.rhel64.ad.test
28 Jan 04:18:12 ntpdate[4312]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Looking for host ipa.rhel64.ad.test and service ntp
host found : ipa.rhel64.ad.test
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)

>>>>>>>>>>>>>>>>>>>
2620:52:0:104c:21a:4aff:fe10:4edc: Server dropped: strata too high
server 2620:52:0:104c:21a:4aff:fe10:4edc, port 123
stratum 16, precision -22, leap 11, trust 000
        ^^
<<<<<<<<<<<<<<<<<<<
refid [2620:52:0:104c:21a:4aff:fe10:4edc], delay 0.02579, dispersion 0.00002
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  1:28:16.000
originate timestamp: d4b0c0d4.ce683131  Mon, Jan 28 2013  4:18:12.806
transmit timestamp:  d4b0c0d4.c5fb928c  Mon, Jan 28 2013  4:18:12.773
filter delay:  0.02615  0.02580  0.02580  0.02579 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.032957 0.032797 0.032788 0.032799
         0.000000 0.000000 0.000000 0.000000
delay 0.02579, dispersion 0.00002
offset 0.032799

28 Jan 04:18:12 ntpdate[4312]: no server suitable for synchronization found


You can try this command yourself to find the real synchronization failure. (-d puts the synchronization in debug mode).

Server investigation output:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1a:4a:10:4e:dc brd ff:ff:ff:ff:ff:ff
    inet6 2620:52:0:104c:21a:4aff:fe10:4edc/64 scope global dynamic 
       valid_lft 2591982sec preferred_lft 604782sec
    inet6 fec0:0:a10:4c00:21a:4aff:fe10:4edc/64 scope site dynamic 
       valid_lft 2591982sec preferred_lft 604782sec
    inet6 fed0:babe:baab:0:21a:4aff:fe10:4edc/64 scope site dynamic 
       valid_lft 86382sec preferred_lft 14382sec
    inet6 fe80::21a:4aff:fe10:4edc/64 scope link 
       valid_lft forever preferred_lft forever

# ntpstat 
On connect: Network is unreachable
unable to connect to socket

# ntpq
ntpq> peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 -    9   64   77    0.000    0.000   0.000
 10.5.27.10      .INIT.          16 -    -   64    0    0.000    0.000   0.000
 10.11.160.238   .INIT.          16 -    -   64    0    0.000    0.000   0.000
 10.16.255.1     .INIT.          16 -    -   64    0    0.000    0.000   0.000
 10.5.26.10      .INIT.          16 -    -   64    0    0.000    0.000   0.000
ntpq> ^D


However, in my case, when I waited several minutes, the server gave up synchronizing with the unavailable IPv4 peers and client NTP synchronization then worked:

# /usr/sbin/ntpdate -U ntp -b -v -d ipa.rhel64.ad.test
28 Jan 04:27:09 ntpdate[4341]: ntpdate 4.2.4p8 Thu Jan 10 15:17:41 UTC 2013 (1)
Looking for host ipa.rhel64.ad.test and service ntp
host found : ipa.rhel64.ad.test
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
receive(2620:52:0:104c:21a:4aff:fe10:4edc)
transmit(2620:52:0:104c:21a:4aff:fe10:4edc)
server 2620:52:0:104c:21a:4aff:fe10:4edc, port 123
<<<<<<<<<<<<<<
stratum 11, precision -22, leap 00, trust 000
refid [2620:52:0:104c:21a:4aff:fe10:4edc], delay 0.02580, dispersion 0.00005
transmitted 4, in filter 4
>>>>>>>>>>>>>>
reference time:    d4b0c2dc.05cd1168  Mon, Jan 28 2013  4:26:52.022
originate timestamp: d4b0c2ed.76d326ac  Mon, Jan 28 2013  4:27:09.464
transmit timestamp:  d4b0c2ed.73c8145e  Mon, Jan 28 2013  4:27:09.452
filter delay:  0.02686  0.02582  0.02582  0.02580 
         0.00000  0.00000  0.00000  0.00000 
filter offset: 0.012215 0.011760 0.011756 0.011759
         0.000000 0.000000 0.000000 0.000000
delay 0.02580, dispersion 0.00005
offset 0.011759

28 Jan 04:27:09 ntpdate[4341]: step time server 2620:52:0:104c:21a:4aff:fe10:4edc offset 0.011759 sec


Anyway, if this is also the case for your environment, I do not think this is an IPA issue, but rather a wrong network configuration.
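
The diagnosis in comment 6 as a triage script (an added example, not part of the bug report or of ipa-client-install): it reads `ntpdate -d` output and separates a server that never answered from one that answered but reports itself unsynchronized. The sample text, the addresses and the verdict names are constructed for illustration.

```python
import re
from collections import Counter

STRATUM_UNSYNC = 16  # NTP stratum 16 = "unsynchronized"
LEAP_UNSYNC = 0b11   # leap indicator 3 = "clock not synchronized"

# Constructed sample (not from the bug): one `ntpdate -d` run against three
# servers, using 2001:db8::/32 documentation addresses.
SAMPLE = """\
transmit(2001:db8::a)
receive(2001:db8::a)
transmit(2001:db8::b)
receive(2001:db8::b)
transmit(2001:db8::c)
transmit(2001:db8::c)
2001:db8::a: Server dropped: strata too high
server 2001:db8::a, port 123
stratum 16, precision -22, leap 11, trust 000
server 2001:db8::b, port 123
stratum 11, precision -22, leap 00, trust 000
server 2001:db8::c, port 123
stratum 0, precision 0, leap 00, trust 000
"""


def classify(debug_output):
    """Return {server_address: (verdict, stratum, leap)} from `ntpdate -d` text."""
    replies = Counter(re.findall(r"^receive\(([^)]+)\)", debug_output, re.M))
    probed = set(re.findall(r"^transmit\(([^)]+)\)", debug_output, re.M))
    # Each summary block is "server ADDR, port N" followed by a "stratum ..." line.
    blocks = re.findall(
        r"^server ([^,\s]+), port \d+\n\s*stratum (\d+), precision -?\d+, leap ([01]{2})",
        debug_output, re.M)
    summary = {addr: (int(st), int(leap, 2)) for addr, st, leap in blocks}

    result = {}
    for addr in sorted(probed | set(summary)):
        stratum, leap = summary.get(addr, (None, None))
        if replies[addr] == 0:
            # Nothing came back: firewall, routing, or ntpd not listening.
            verdict = "no-reply"
        elif stratum is None:
            verdict = "unknown"
        elif stratum >= STRATUM_UNSYNC or leap == LEAP_UNSYNC:
            # UDP/123 works; the server itself has no usable time source.
            verdict = "server-unsynchronized"
        else:
            verdict = "ok"
        result[addr] = (verdict, stratum, leap)
    return result


if __name__ == "__main__":
    for addr, (verdict, stratum, leap) in classify(SAMPLE).items():
        print(f"{addr}: {verdict} (stratum={stratum}, leap={leap})")
```

Only the "no-reply" verdict matches the installer's hint about UDP port 123; "server-unsynchronized" points at the server's own upstream peers, as in this bug.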

Comment 7 Martin Kosek 2013-01-29 07:58:17 UTC
Steeve, do you agree with closing this bug report or do you have any additional comments or findings?

Comment 8 Steeve Goveas 2013-01-29 16:06:24 UTC
Yes, agreed. It was the same case for my environment.

Thanks Martin.

Comment 9 Martin Kosek 2013-01-29 16:21:09 UTC
Closing the bug.