I've noticed if ntpd is already running on the client when you run the ipa-client-install, you will get that error. I'm guessing it's using ntpdate IP ADDRESS to sync time, and cannot do so when the daemon is running.

*Steve*

On Sat, Feb 8, 2014 at 8:34 AM, Mauricio Tavares <[email protected]> wrote:

> Even though I already have a ntp server, I set up my newly created
> freeipa kdc to do that too (it is a slave to my primary ntp).
>
> I then built a centos host to be the test client. Just to make sure it
> can see and use auth's ntp, I tested with ntpdate:
>
> [root@centos64 ~]# ntpdate auth
> 8 Feb 08:13:35 ntpdate[3251]: adjust time server 10.0.0.11 offset -0.003097 sec
> [root@centos64 ~]#
>
> so far so good, so how about running ipa-client-install?
>
> [root@centos64 ~]# hostname
> centos64
> [root@centos64 ~]# ipa-client-install --hostname=`hostname -f`
> Discovery was successful!
> Hostname: centos64.in.domain.com
> Realm: DOMAIN.COM
> DNS Domain: domain.com
> IPA Server: auth.in.domain.com
> BaseDN: dc=domain,dc=com
>
> [so far so good!]
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Password for [email protected]:
>
> But it had no problems using ntpdate against auth. To add insult to
> injury, the log claims it is using ntpdate:
>
> 2014-02-08T13:14:31Z DEBUG args=/usr/sbin/ntpdate -U ntp -s -b -v auth.in.domain.com
> 2014-02-08T13:14:31Z DEBUG stdout=
> 2014-02-08T13:14:31Z DEBUG stderr=
> 2014-02-08T13:14:31Z WARNING Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
>
> Could it be it is pissed because it was in sync to begin with? I mean,
> if we run the exact command the log file claims to have run,
>
> [root@centos64 ~]# /usr/sbin/ntpdate -U ntp -s -b -v auth.in.domain.com| echo $?
> 0
> [root@centos64 ~]#
>
> We see it was successful.
>
> I am feeling rather clueless here...
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
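
The check suggested by the reply above, as an added example that is not part of the original thread: before enrolling, see whether a local process already holds UDP port 123, which is the port ntpdate needs unless it is told to use an unprivileged one. The function names and both `ss -lun` samples are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed `ss -lun` output for a client where ntpd is running.
SAMPLE_NTPD_UP='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN  0      0      10.0.0.50:123       *:*
UNCONN  0      0      127.0.0.1:123       *:*
UNCONN  0      0      *:123               *:*
UNCONN  0      0      *:68                *:*
UNCONN  0      0      :::123              :::*'

# Constructed output for a client with ntpd stopped (1123 is a decoy port).
SAMPLE_NTPD_DOWN='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN  0      0      *:68                *:*
UNCONN  0      0      *:1123              *:*'

# Read ss-style lines on stdin and print the local address of every UDP
# socket bound to port 123. Every field is scanned, so the result does not
# depend on whether this ss version prints a leading Netid column.
udp123_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:123$/) { print $i; break } }'
}

# Succeeds (exit 0) only when nothing on stdin is bound to UDP/123.
ntpdate_can_bind() {
    [ -z "$(udp123_listeners)" ]
}

# Report on one captured listing passed as the first argument.
preflight() {
    if printf '%s\n' "$1" | ntpdate_can_bind; then
        echo "ok: UDP/123 is free"
    else
        echo "blocked: UDP/123 is held locally; stop ntpd before enrolling"
        return 1
    fi
}

preflight "$SAMPLE_NTPD_UP" || true
preflight "$SAMPLE_NTPD_DOWN"
```

On a live client the same check is `ss -lun | ntpdate_can_bind`. The logged command passes `-s`, which diverts ntpdate's messages to syslog, so the empty stdout and stderr in the installer log do not by themselves show what ntpdate reported.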
