Bug 975307 - WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
WARNING Unable to sync time with IPA NTP server, assuming the time is in sync...
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: freeipa (Show other bugs)
20
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
:
: 1063512 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-18 00:34 EDT by Dean Hunter
Modified: 2015-06-01 09:22 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-01 09:22:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dean Hunter 2013-06-18 00:34:36 EDT
Description of problem:

During ipa-client-install this warning is displayed:

WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.

The IPA NTP server is available and responding to other clients. ipa-client-install does configure and start ntpd which then works correctly.

This is not a big problem, more of an annoyance really, but it did cause me to stop and check that NTP was working.


Version-Release number of selected component (if applicable):

freeipa-client-3.1.5-1.fc18.x86_64


How reproducible:

This warning is only displayed where the ipa client is being rebuilt.


Steps to Reproduce:

1. ipa-client-install --uninstall
2. reboot
3. ipa-client-install \
     --domain hunter.org \
     --enable-dns-updates \
     --password adminpassword \
     --principal admin \
     --realm HUNTER.ORG \
     --ssh-trust-dns \
     --unattended


Actual results: from ipaclient-install.log

2013-06-18T03:34:10Z INFO Synchronizing time with KDC...
2013-06-18T03:34:10Z DEBUG Search DNS for SRV record of _ntp._udp.hunter.org
2013-06-18T03:34:10Z DEBUG DNS record found: 0 100 123 ipa.hunter.org.
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z DEBUG Starting external process
2013-06-18T03:34:10Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org
2013-06-18T03:34:10Z DEBUG Process finished, return code=1
2013-06-18T03:34:10Z DEBUG stdout=
2013-06-18T03:34:10Z DEBUG stderr=
2013-06-18T03:34:10Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.


Expected results:

This command:

  /usr/sbin/ntpdate -U ntp -s -b -v ipa.hunter.org

should be successful.


Additional info:

I believe the problem is that when the ipa client is uninstalled the ntpd.service is not stopped. If ntpd.service is running ntpdate will fail because it can not use the port. Inserting:

  systemctl stop ntpd.service

before:

  ipa-client-install \
    --domain hunter.org \
    --enable-dns-updates \
    --password adminpassword \
    --principal admin \
    --realm HUNTER.ORG \
    --ssh-trust-dns \
    --unattended

resolved the problem.
Comment 1 Martin Kosek 2013-06-18 06:51:22 EDT
You are right. When ntpd.service is enabled and IPA client fails to synchronize the time (even though this is probably redundant step as NTP is already set).

We already do time synchronization checks with chrony:

# service chronyd start
# ipa-client-install     
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
...

We need to extend the check for ntpd too and avoid doing the NTP sync. I will open an upstream ticket.
Comment 2 Martin Kosek 2013-06-18 06:52:54 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3735
Comment 3 Fedora End Of Life 2013-12-21 10:33:41 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 4 Martin Kosek 2014-01-02 08:25:05 EST
This issue is still valid for current Fedora version, changing the version field.
Comment 5 Martin Kosek 2014-02-11 04:16:36 EST
*** Bug 1063512 has been marked as a duplicate of this bug. ***
Comment 6 Martin Kosek 2014-02-11 04:18:21 EST
Note that Bug 1063512 contains an interesting proposal how to fix the code.
Comment 7 raubvogel 2014-02-13 12:28:02 EST
freeipa-3.3.4 uses ntpdate, so the proposed change works. However, the freeipa version obtained from the git repository ( git clone git://git.fedorahosted.org/git/freeipa.git) switched to ntpd. Provided the ntp server (the freeipa one) in the temporary config file works, 

ntpd -qgc /path/to/temp/config

should work:

[root@centos64 ~]# date
Thu Feb 13 10:17:59 EST 2014
[root@centos64 ~]# date +%T -s "6:13:13"
06:13:13
[root@centos64 ~]# date
Thu Feb 13 06:13:14 EST 2014
[root@centos64 ~]# ntpd -qgc /tmp/doobie
ntpd: time set +14696.921704s
[root@centos64 ~]# date
Thu Feb 13 10:18:42 EST 2014
[root@centos64 ~]#

Therefore, the proposed solution in https://bugzilla.redhat.com/show_bug.cgi?id=1063512 only affects freeipa-3.3.4 and earlier.
Comment 8 Fedora End Of Life 2015-05-29 05:07:43 EDT
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 9 Alexander Bokovoy 2015-06-01 09:22:13 EDT
Closing it in for Fedora 20 as there are number of fixes FreeIPA 4.2 upstream.

Note You need to log in before you can comment on or make changes to this bug.