Harald Dunkel via FreeIPA-users wrote:
> On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote:
>>
>> That's fine but it doesn't address the original problem: he doesn't want
>> anything managing the clock on his system at all:
>>
>> "some ipa servers in my environment are not permitted to change
>> the clock."
>>
> These are LXC containers without the appropriate capabilities to
> change the clock or to access other hardware. The clock *is* in
> sync, but this is out of reach for freeipa.

Sure, whatever. If you don't want/need to use NTP then installing with
-N will not configure the service at all. There is no IPA-provided tool
for removing it. I did provide a workaround.

> Probably you agree that running ntpd is not sufficient for Kerberos.
> You have to watch it using ntpq -p to verify that it is connected to
> some peers and that the time is actually in sync with these peers.

Systems require administration.

> I don't see any reason why ipactl refuses to start the other
> services, if ntpd failed to start. There is no indication that the
> clock is *not* in sync within Kerberos' thresholds.

If any services fail to start then ipactl will shut down the rest. It's
all for one and one for all.

Understand that many of the choices in IPA are hard-learned lessons. Not
configuring time results in severe headaches so we enable it by default.
For those advanced users who handle time differently we offer an option
to not enable the service. Everyone wins.

rob
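
The `ntpq -p` check discussed in the thread, as an added example that is not part of the original messages or of FreeIPA: it reads `ntpq -pn` output and passes only when a system peer (tally `*`) is reachable and its offset is inside a limit. The function name `check_ntp_peers`, the sample hosts, and the 300 s limit (the MIT Kerberos default clock skew) are assumptions.

```shell
#!/bin/sh
# Added example: decide from `ntpq -pn` output whether ntpd is really in sync.
# MAX_SKEW_MS is an assumption: 300 s is the MIT Kerberos default clockskew.
MAX_SKEW_MS=300000

# check_ntp_peers [max_offset_ms]   (hypothetical helper; reads stdin)
# Real use: ntpq -pn | check_ntp_peers
# Prints a verdict; returns 0 only if a selected peer is reachable and in range.
check_ntp_peers() {
    awk -v max="${1:-$MAX_SKEW_MS}" '
        NR <= 2 { next }                     # column header and ===== ruler
        NF < 10 { next }                     # not a peer line
        {
            peers++
            if (substr($0, 1, 1) != "*") next    # "*" marks the system peer
            selected = 1; reach = $7 + 0; offset = $9 + 0   # offset is in ms
            if (offset < 0) offset = -offset
        }
        END {
            if (!peers)           { print "FAIL: no peers listed"; exit 2 }
            if (!selected)        { print "FAIL: no peer selected for sync"; exit 2 }
            if (reach == 0)       { print "FAIL: selected peer unreachable"; exit 2 }
            if (offset > max + 0) { print "FAIL: offset " offset " ms over limit"; exit 1 }
            print "OK: offset " offset " ms"
        }'
}

# Constructed sample output (documentation addresses), not from a real host.
sample_synced() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.5      2 u   41   64  377    0.512   -0.213   0.087
+192.0.2.11      203.0.113.5      2 u   12   64  377    0.498    0.341   0.102
EOF
}
sample_unsynced() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Demonstration on the constructed samples.
sample_synced   | check_ntp_peers || echo "exit status $?"
sample_unsynced | check_ntp_peers || echo "exit status $?"
```

A running ntpd with no `*` line fails this check, which is the case the thread distinguishes from a clock that is actually in sync.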