Christopher Lamb via FreeIPA-users wrote:
> Hi All
>
> Last night we successfully upgraded our ipa server to OEL 7.9, and
> ipa-server-4.6.8-5.el7.
>
> However the ipa.service will not start, because it fails at the NTP Service.
>
> All other ipa components start if we use the --ignore-service-failures
> option.
>
> # ipactl start --ignore-service-failures
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting httpd Service
> Starting ntpd Service
> Failed to start ntpd Service
> Forced start, ignoring ntpd Service, continuing normal operation
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
>
> I am ok with ntpd not starting, we have long since moved to chrony, and
> have ntpd disabled and masked.
>
> The question is, how do I configure our ipa-server to not use ntpd?
>
> I am aware that there are options for ntpd on installation, but am
> unsure how to do this for an existing server.
>
> https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support

Masking the service won't help because it is managed by ipactl. It determines the list of services by looking in cn=masters,cn=ipa,cn=etc,$SUFFIX

An entry looks like:

dn: cn=NTP,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: NTP
ipaConfigString: startOrder 45
ipaConfigString: enabledService

ipactl only looks at the startOrder of ipaConfigString. You'll need to delete this entry entirely.
rob
Christopher Lamb wrote:
> Hi Rob
>
> I have fired up Apache Directory Studio, and have navigated the LDAP
> tree to the cn=NTP entry.
>
> Should I be deleting the entire cn=NTP entry, with all attributes; or
> just the ipaConfigString "startOrder 45"?

You can set ipaConfigString to something like disabledService if you want to keep it around. I looked again and ipactl looks for enabledService and hiddenService so something not matching should get skipped by ipactl.
But when looking at the server roles NTP may show up which might be confusing.
If you are really worried you can do an ldapsearch and save the content into a file to make it easy to add back.
rob

> thanks
> Chris
>
> ----- Original message -----
> From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Christopher Lamb <christopher.lamb@ch.ibm.com>, Rob Crittenden <rcritten@redhat.com>
> Subject: [EXTERNAL] [Freeipa-users] Re: How to disable NTP on an ipa-server
> Date: Thu, Oct 8, 2020 9:05 PM
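
The backup-then-disable procedure discussed in this thread, as an added example that is not part of the original messages. The variable and function names are assumptions, as is the default GSSAPI bind (any bind options your OpenLDAP client tools accept can be passed in LDAP_OPTS); disabledService is the placeholder value suggested in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. IPA_HOST, IPA_SUFFIX, LDAP_OPTS and all
# function names are assumptions chosen for illustration.
IPA_HOST="${IPA_HOST:-ipa.example.test}"        # master name under cn=masters
IPA_SUFFIX="${IPA_SUFFIX:-dc=example,dc=test}"  # directory suffix
LDAP_OPTS="${LDAP_OPTS:--Y GSSAPI}"             # bind options for the LDAP tools

# DN of the NTP service entry for this master.
ntp_dn() {
    printf 'cn=NTP,cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$IPA_HOST" "$IPA_SUFFIX"
}

# Read one entry as LDIF on stdin and print the ipaConfigString marker that,
# per the thread, makes ipactl manage the service. Prints nothing if absent.
active_marker() {
    awk 'tolower($1) == "ipaconfigstring:" &&
         ($2 == "enabledService" || $2 == "hiddenService") { print $2; exit }'
}

# LDIF that swaps the given marker for disabledService and keeps the entry,
# including its startOrder value, so it is easy to re-enable later.
disable_ldif() {
    printf 'dn: %s\n' "$(ntp_dn)"
    printf 'changetype: modify\n'
    printf 'delete: ipaConfigString\n'
    printf 'ipaConfigString: %s\n' "$1"
    printf '%s\n' '-'
    printf 'add: ipaConfigString\n'
    printf 'ipaConfigString: disabledService\n'
}

# Save the entry to a file first, then modify it only if it is still active.
backup_and_disable() {
    backup="ntp-entry-$(date +%Y%m%d%H%M%S).ldif"
    # ldif-wrap=no keeps long DNs on one line so the backup is easy to re-add.
    # LDAP_OPTS is left unquoted on purpose so it splits into separate options.
    ldapsearch $LDAP_OPTS -LLL -o ldif-wrap=no -s base -b "$(ntp_dn)" \
        > "$backup" || return 1
    marker=$(active_marker < "$backup")
    if [ -n "$marker" ]; then
        disable_ldif "$marker" | ldapmodify $LDAP_OPTS
    else
        echo "no enabledService/hiddenService in $backup; nothing to do" >&2
    fi
}
```

Nothing runs until backup_and_disable is called; the saved file can be restored with ldapadd if the entry is later deleted outright.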