Hi Rob
I have fired up Apache Directory Studio, and have navigated the LDAP tree to the cn=NTP entry.
Should I be deleting the entire cn=NTP entry, with all attributes; or just the ipaConfigString "startOrder 45"?
thanks
Chris
----- Original message -----
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Christopher Lamb <christopher.l...@ch.ibm.com>, Rob Crittenden <rcrit...@redhat.com>
Subject: [EXTERNAL] [Freeipa-users] Re: How to disable NTP on an ipa-server
Date: Thu, Oct 8, 2020 9:05 PM
Christopher Lamb via FreeIPA-users wrote:
> Hi All
>
> Last night we successfully upgraded our ipa server to OEL 7.9, and
> ipa-server-4.6.8-5.el7.
>
> However the ipa.service will not start, because it fails at the NTP Service.
>
> All other ipa components start if we use the --ignore-service-failures
> option.
>
> # ipactl start --ignore-service-failures
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting httpd Service
> Starting ntpd Service
> Failed to start ntpd Service
> Forced start, ignoring ntpd Service, continuing normal operation
> Starting pki-tomcatd Service
> Starting ipa-otpd Service
>
> I am ok with ntpd not starting, we have long since moved to chrony, and
> have ntpd disabled and masked.
>
> The question is, how do I configure our ipa-server to not use ntpd?
>
> I am aware that there are options for ntpd on installation, but am
> unsure how to do this for an existing server.
>
> https://www.freeipa.org/page/V4/ntpd_deprecation/chronyd_support
Masking the service won't help because it is managed by ipactl. It
determines the list of services by looking in
cn=masters,cn=ipa,cn=etc,$SUFFIX
A entry looks like:
dn: cn=NTP,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=tes
t
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
cn: NTP
ipaConfigString: startOrder 45
ipaConfigString: enabledService
ipactl only looks at the startOrder of ipaConfigString. You'll need to
delete this entry entirely.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org