Updated patch to not run ntpdate if ntpd is running.

Gabe
On Tue, Apr 29, 2014 at 8:16 AM, Gabe Alford <redhatri...@gmail.com> wrote:
> Thanks Petr!
>
> Will rework patch to just skip ntpdate if ntpd is already running.
>
>
> On Tue, Apr 29, 2014 at 12:59 AM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> Hello Gabe!
>>
>>
>> On 25.4.2014 16:28, Gabe Alford wrote:
>>
>>> Here is a patch for https://fedorahosted.org/freeipa/ticket/3735.
>>> It seemed better to try to stop ntpd before running ntpdate rather than
>>> not running ntpdate if ntpd was already running. I believe this patch only
>>> applies to the ipa-3-3 branch as ntpdate is not used anymore in the
>>> master.
>>>
>>
>> IMHO we should never stop ntpd if it is running. Plain ntpdate opens a
>> potential security hole because an attacker can fake NTP answers and force
>> the machine to rewind its clock to the past.
>>
>> This opens potential for replay attacks/re-using old compromised keys etc.
>>
>> --
>> Petr^2 Spacek
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
From 735f86cfe09a92ed6b30d590b8fbe86dc748f9ce Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Tue, 29 Apr 2014 18:57:46 -0600 Subject: [PATCH] ipa-client-install skip running ntpdate if ntpd is running - ntpconf.py: don't run ntpdate if ntpd is running - ipa-client-install: don't display ntp sync error if ntpd is running https://fedorahosted.org/freeipa/ticket/3735 --- ipa-client/ipa-install/ipa-client-install | 2 +- ipa-client/ipaclient/ntpconf.py | 23 +++++++++++++---------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index afed54e5ddbf5ed985b637f20ac61d8ab1632364..9d1cfad4262769cef3337625d20a1ec43f50f0c0 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -2102,7 +2102,7 @@ def install(options, env, fstore, statestore): break if not synced_ntp: synced_ntp = ipaclient.ntpconf.synconce_ntp(cli_server[0]) - if not synced_ntp: + if not synced_ntp and not ipaservices.knownservices.ntpd.is_running(): root_logger.warning("Unable to sync time with IPA NTP " + "server, assuming the time is in sync. Please check " + "that 123 UDP port is opened.") diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py index 8c4c6533a15aef9977c5eb0ae29cdd72b5529d77..49c2ee5795a1a9e97bdefa4337d84b4b1533012a 100644 --- a/ipa-client/ipaclient/ntpconf.py +++ b/ipa-client/ipaclient/ntpconf.py 
@@ -143,16 +143,19 @@ def synconce_ntp(server_fqdn): Returns True if sync was successful """ ntpdate="/usr/sbin/ntpdate" - if os.path.exists(ntpdate): - # retry several times -- logic follows /etc/init.d/ntpdate - # implementation - cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn] - for retry in range(0, 3): - try: - ipautil.run(cmd) - return True - except: - pass + + if not ipaservices.knownservices.ntpd.is_running(): + if os.path.exists(ntpdate): + # retry several times -- logic follows /etc/init.d/ntpdate + # implementation + cmd = [ntpdate, "-U", "ntp", "-s", "-b", "-v", server_fqdn] + for retry in range(0, 3): + try: + ipautil.run(cmd) + return True + except: + pass + return False class NTPConfigurationError(Exception): -- 1.9.0
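Review bot: in the ipa-client-install hunk (@@ -2102), adding `and not ipaservices.knownservices.ntpd.is_running()` to the condition silences the warning but leaves `synced_ntp` False with no log line at all, so the installer output gives no indication that the time sync step was deliberately skipped; add an info/debug message in that branch along the lines of `root_logger.info("ntpd is running, skipping ntpdate")`. The same `is_running()` check is also evaluated a second time inside `synconce_ntp` in the ntpconf.py hunk; if `synconce_ntp` returned a distinct value (or raised) when it skips because ntpd is running, the caller could tell "not attempted" from "attempted and failed" with a single check instead of duplicating the service probe.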
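Review bot: the ntpconf.py hunk (@@ -143) calls `ipaservices.knownservices.ntpd.is_running()` but adds no import, so confirm that `ipaservices` is already bound in ntpconf.py; otherwise every call to `synconce_ntp` fails with NameError before ntpdate is even considered. The docstring "Returns True if sync was successful" is now inaccurate, because False is also returned when no sync was attempted at all (ntpd running, or ntpdate absent); document that, or return a distinct value for the skipped case. The re-indented retry loop keeps the original bare `except:` around `ipautil.run(cmd)`, which also swallows KeyboardInterrupt and SystemExit during the three retries; since the loop is being touched anyway, narrow it to the exception `ipautil.run` raises on a non-zero exit status.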