Package: freeipa-client
Version: 4.9.8-1+b1

Despite several attempts to fix it [1][2], interaction with chrony is still broken on current Debian testing. freeipa-client Recommends: chrony, so it is installed by default. Trying to join a domain on a clean system:

| # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
| This program will set up IPA client.
| Version 4.9.8
|
| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
|
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]: yes
| Enter NTP source server addresses separated by comma, or press Enter to skip:
| Enter a NTP source pool address, or press Enter to skip:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
|
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 1: 'Failed to restart chrony.service: Unit chrony.service is masked.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

ipaclient-install.log doesn't really say anything different, it just has a large traceback for essentially the same thing.

Now, the chrony package is indeed rather weird/broken:

| root@x0:~# find /etc/systemd -name '*chrony*' | xargs ls -l
| lrwxrwxrwx 1 root root 9 Mar 24 05:54 /etc/systemd/system/chrony.service -> /dev/null
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/chronyd.service -> /lib/systemd/system/chrony.service
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/multi-user.target.wants/chrony.service -> /lib/systemd/system/chrony.service
| # systemctl status chrony chronyd
| Warning: The unit file, source configuration file or drop-ins of chronyd.service changed on disk. Run 'systemctl daemon-reload' to relo>
| ○ chrony.service
|   Loaded: masked (Reason: Unit chrony.service is masked.)
|   Active: inactive (dead)
|
| ○ chronyd.service
|   Loaded: error (Reason: Unit chronyd.service failed to load properly, please adjust/correct and reload service manager: File exists)
|   Active: inactive (dead)

Again, this is unconfigured and out of the box -- the idea is that FreeIPA sets up everything and configures NTP/chrony/etc. to listen to the FreeIPA server.

Purging chrony doesn't really help, though:

| dpkg -P chrony
| # no '*chrony*' files in /etc any more

Exactly the same failure, and it still tries to configure chrony even though it's not there any more:

| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
|
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]: yes
| Enter NTP source server addresses separated by comma, or press Enter to skip:
| Enter a NTP source pool address, or press Enter to skip:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
|
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

And even if I say "no" to the NTP question:

| # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
| This program will set up IPA client.
| Version 4.9.8
|
| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
|
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
|
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

There's probably two bugs -- chrony having a broken default config, and ipa-client-install not being able to detect and handle it. But at this point I'm not even sure what *should* happen.

Note: I'm testing this in the context of https://cockpit-project.org/, which doesn't call ipa-client-install directly, but `realm join`. That calls ipa-client-install with --force-ntpd, but the underlying bug reproduces with the more direct ipa-client-install CLI as well in all combinations.

Thanks,

Martin

[1] https://bugs.debian.org/968428
[2] https://launchpad.net/bugs/1890786
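
Added example, not part of the original report and not FreeIPA or chrony code: a pre-flight check that classifies the two unit states the transcripts above end in (chrony.service masked, and chrony.service not found after the purge) before anything tries to restart the unit. The function names and status strings are hypothetical, and the sample layout is constructed from the symlinks shown in the `find` output.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not FreeIPA or chrony code.

# unit_state DIR UNIT -> masked | alias:<target unit> | file | absent
unit_state() {
    path="$1/$2"
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        if [ "$target" = "/dev/null" ]; then
            echo "masked"                       # mask = symlink to /dev/null
        else
            echo "alias:$(basename "$target")"  # e.g. chronyd.service -> chrony.service
        fi
    elif [ -f "$path" ]; then
        echo "file"
    else
        echo "absent"
    fi
}

# chrony_preflight ADMIN_DIR VENDOR_DIR
#   -> ok | masked | masked-with-alias | not-installed
chrony_preflight() {
    main=$(unit_state "$1" chrony.service)
    alt=$(unit_state "$1" chronyd.service)
    vendor=$(unit_state "$2" chrony.service)
    if [ "$main" = "masked" ]; then
        # Layout from the report: mask plus a leftover chronyd.service alias.
        if [ "$alt" = "alias:chrony.service" ]; then
            echo "masked-with-alias"
        else
            echo "masked"
        fi
    elif [ "$main" = "absent" ] && [ "$vendor" = "absent" ]; then
        echo "not-installed"                    # state after 'dpkg -P chrony'
    else
        echo "ok"
    fi
}

# Constructed sample: recreate the reported symlink layout under DIR.
build_sample() {
    mkdir -p "$1/etc" "$1/lib"
    : > "$1/lib/chrony.service"
    ln -s /dev/null "$1/etc/chrony.service"
    ln -s /lib/systemd/system/chrony.service "$1/etc/chronyd.service"
}
```

On a real host the call would be `chrony_preflight /etc/systemd/system /lib/systemd/system`, using the two directories that appear in the report.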