> client install expects ntpd to be present

I'm not quite sure what you mean.
"freeipa-client --install" does indeed give NTP errors, but it still proceeds.

Here is a transcript of installing freeipa-client inside a (privileged) 16.04 lxd container.

root@unifi:~# apt-get install freeipa-client sssd-tools
...
root@unifi:~# ipa-client-install --domain IPA.EXAMPLE.COM --mkhomedir -p admin -W
Discovery was successful!
Client hostname: unifi.int.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: IPA.EXAMPLE.COM
IPA Server: lon-ipa-1.int.example.com
BaseDN: dc=ipa,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Attempting to sync time using ntpd. Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for ad...@ipa.example.com:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Valid From:  Thu Oct 27 15:27:53 2016 UTC
    Valid Until: Mon Oct 27 15:27:53 2036 UTC

Enrolled in IPA realm IPA.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.COM
trying https://lon-ipa-1.int.example.com/ipa/json
Forwarding 'ping' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring IPA.EXAMPLE.COM as NIS domain.
Client configuration complete.
root@unifi:~# id brian.candler
uid=1211000003(brian.candler) gid=1211000003(brian.candler) groups=1211000003(brian.candler),1211000000(admins)

(Note that in my case the KDC itself is in a container, so there is no NTP daemon running inside it for the client to talk to anyway)

So enrolment works. The problem is that installation of freeipa-client inside the client container has forcibly installed and started ntpd, which cannot possibly work:

root@unifi:~# dpkg-query -l ntp
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version          Architecture     Description
+++-=======================-================-================-===================================================
ii  ntp                     1:4.2.8p4+dfsg-3 amd64            Network Time Protocol daemon and utility programs
root@unifi:~# ps auxwww | grep ntpd
root      7649  0.0  0.0 103708  3820 ?        Ss   10:49   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 113:117
root      7721  0.0  0.0  11284   944 ?        S+   10:53   0:00 grep --color=auto ntpd
root@unifi:~# systemctl status ntp
● ntp.service - LSB: Start NTP daemon
   Loaded: loaded (/etc/init.d/ntp; bad; vendor preset: enabled)
   Active: active (running) since Sat 2017-01-14 10:49:18 UTC; 4min 23s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 7629 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
  Process: 7639 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
    Tasks: 1
   Memory: 636.0K
      CPU: 31ms
   CGroup: /system.slice/ntp.service
           └─7649 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 113:117

Jan 14 10:49:18 unifi ntpd[7649]: restrict ::: KOD does nothing without LIMITED.
Jan 14 10:49:18 unifi ntpd[7649]: Listen and drop on 0 v6wildcard [::]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 2 lo 127.0.0.1:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 3 eth0 10.0.0.121:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 4 lo [::1]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 5 eth0 [fe80::216:3eff:fe45:8115%71]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listening on routing socket on fd #22 for interface updates
Jan 14 10:49:18 unifi ntpd[7649]: start_kern_loop: ntp_loopfilter.c line 1126: ntp_adjtime: Operation not permitted
Jan 14 10:49:18 unifi ntpd[7649]: set_freq: ntp_loopfilter.c line 1089: ntp_adjtime: Operation not permitted

The workaround is to stop and disable it:

root@unifi:~# systemctl stop ntp
root@unifi:~# systemctl disable ntp
ntp.service is not a native service, redirecting to systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install disable ntp
insserv: warning: current start runlevel(s) (empty) of script `ntp' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (1 2 3 4 5) of script `ntp' overrides LSB defaults (1).

However, really I didn't want the ntp package installed in the first place.
The hard dependency on freeipa-client forces it, and prevents its removal.

-- 
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1630911

Title:
  freeipa-client has a hard dependency on "ntp" which is not wanted in lxd environment

Status in freeipa package in Ubuntu:
  New

Bug description:
  [Note: the package is called "freeipa-client" but launchpad only lets me select "freeipa"]

  The "freeipa-client" package has a hard dependency on "ntp".

  However: when running Ubuntu inside an lxd container, ntpd cannot run: the host is responsible for setting the clock, not the container.

  Hence I want to "apt-get remove ntp" from inside the container. But if I do so, this forcibly removes the "freeipa-client" package as well, because of the dependency. This in turn leaves a whole heap of dangling packages - see below - which are vulnerable to being accidentally removed.

  Proposal: change to "Recommends: ntp" instead of "Depends: ntp"

  -------------------------------------------------------------------------------
  # apt-get remove ntp
  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages were automatically installed and are no longer required:
    bind9utils certmonger cracklib-runtime freeipa-common ieee-data iproute
    libavahi-client3 libavahi-common-data libavahi-common3 libbasicobjects0
    libc-ares2 libcollection4 libcrack2 libcups2 libcurl3 libcurl3-nss
    libdhash1 libfreetype6 libini-config5 libipa-hbac0 libjbig0 libjpeg-turbo8
    libjpeg8 liblcms2-2 libldb1 libnfsidmap2 libnl-3-200 libnl-route-3-200
    libnspr4 libnss-sss libnss3 libnss3-nssdb libnss3-tools libopts25
    libpam-pwquality libpam-sss libpath-utils1 libpwquality-common
    libpwquality1 libref-array1 libsmbclient libsss-idmap0 libsss-nss-idmap0
    libsss-sudo libtdb1 libtevent0 libtiff5 libwebp5 libwebpmux1
    libxmlrpc-core-c3 libxslt1.1 oddjob oddjob-mkhomedir python-bs4
    python-cffi python-cffi-backend python-chardet python-cryptography
    python-dbus python-decorator python-dnspython python-enum34 python-gi
    python-gssapi python-html5lib python-idna python-imaging python-ipaclient
    python-ipaddress python-ipalib python-jwcrypto python-ldap
    python-libipa-hbac python-lxml python-memcache python-netaddr python-nss
    python-pil python-pkg-resources python-ply python-pyasn1 python-pycparser
    python-qrcode python-setuptools python-six python-sss python-talloc
    python-usb python-yubico samba-libs sssd sssd-ad sssd-ad-common
    sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy
  Use 'apt autoremove' to remove them.
  The following packages will be REMOVED:
    freeipa-client ntp
  0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 2002 kB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: freeipa-client 4.3.1-0ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
  Uname: Linux 4.4.0-34-generic x86_64
  NonfreeKernelModules: nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip6table_filter ip6_tables xt_conntrack ufs msdos xfs binfmt_misc veth ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack isofs xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables zfs zunicode zcommon znvpair spl zavl ppdev xen_fbfront syscopyarea sysfillrect sysimgblt fb_sys_fops serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse floppy
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  Date: Thu Oct 6 09:05:52 2016
  Ec2AMI: ami-c06b1eb3
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: eu-west-1a
  Ec2InstanceType: t2.medium
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)
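
Added example, not part of the original bug report or of FreeIPA: a shell check for the condition shown in the transcript above, where ntpd is running but the kernel refuses ntp_adjtime. The function names and the CapEff masks are assumptions constructed for illustration; the sample log line is the one from the transcript.

```shell
#!/bin/sh
# Added example: decide whether ntpd can actually discipline the clock here.
# Function names are hypothetical; masks below are constructed sample values.

CAP_SYS_TIME_BIT=25   # CAP_SYS_TIME in linux/capability.h

# has_cap_sys_time HEXMASK -> exit 0 if the CAP_SYS_TIME bit is set.
# HEXMASK is a CapEff/CapBnd value as printed in /proc/<pid>/status.
has_cap_sys_time() {
    [ $(( (0x$1 >> $CAP_SYS_TIME_BIT) & 1 )) -eq 1 ]
}

# ntpd_clock_denied: read log lines on stdin, exit 0 if ntpd logged that
# the kernel refused ntp_adjtime (the failure shown in the report).
ntpd_clock_denied() {
    grep -q 'ntp_adjtime: Operation not permitted'
}

# assess HEXMASK < log: print one verdict line.
# The log is checked first: inside a user namespace the capability mask can
# look complete while the kernel still refuses to let the container set time.
assess() {
    if ntpd_clock_denied; then
        echo "ntpd-useless: kernel refused clock adjustment"
    elif has_cap_sys_time "$1"; then
        echo "ntpd-ok: CAP_SYS_TIME present, no refusals logged"
    else
        echo "ntpd-useless: CAP_SYS_TIME missing"
    fi
}

# Log line taken from the transcript; mask constructed with bit 25 cleared.
SAMPLE_LOG='Jan 14 10:49:18 unifi ntpd[7649]: set_freq: ntp_loopfilter.c line 1089: ntp_adjtime: Operation not permitted'
printf '%s\n' "$SAMPLE_LOG" | assess 0000003ffdffffff
```

On a live container the same function can be fed real data: `journalctl -u ntp --no-pager | assess "$(awk '/^CapEff/ {print $2}' /proc/self/status)"`.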