[Freeipa-devel] More on NTP

Karl MacMillan kmacmill at redhat.com
Mon Oct 29 21:22:56 UTC 2007


After some additional discussion, we decided that just relying on the
public NTP servers was not ideal since time really must be synchronized
with the IPA server.

So I went back to start configuring ntp on the client and servers. A few
questions / comments:

Ideally we would use the key facility (or something else) since spoofing
the time server might give you an increased chance of a successful
replay attack. Very low priority, but wanted to record the suggestion.

Now for the actual problem - high availability. We can certainly jam
whatever master we happen to have found during configuration of the
client into ntp.conf, but it is going to be hard to configure it to see
all of the masters. Even if we configured it to look at all the masters
at configuration time it would, obviously, not pick up any new masters.

So - should I:

1) stop whining and just implement ntp config on the client.
2) do nothing, and make it the problem of the admins rather than
implementing a half solution.
3) make it optional and put something better on the v2 wish list.

I will configure the master as an NTP server regardless of what I do for
the client configuration.

Karl
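
The key-facility suggestion in the message above, as an added example that is not part of the original post or of FreeIPA: a small audit that flags time sources in an ntp.conf that are not tied to a trusted symmetric key. It assumes the reference ntpd directives `keys`, `trustedkey` and the `key` option on `server` lines; the host names and key ids in the sample are constructed.

```python
# Added example: audit an ntp.conf for time sources that are not authenticated
# with a trusted symmetric key. Hosts and key ids in SAMPLE are constructed.

SAMPLE = """\
# constructed client configuration
keys /etc/ntp/keys
trustedkey 1 2
server ipa1.example.com iburst key 1
server ipa2.example.com iburst
server ipa3.example.com key 7
"""

SOURCE_DIRECTIVES = {"server", "peer", "pool"}


def audit_ntp_conf(text):
    """Return a list of (host, problem) for every unauthenticated source."""
    keys_file = None
    trusted = set()
    sources = []  # (host, key id or None)
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "keys" and args:
            keys_file = args[0]
        elif directive == "trustedkey":
            trusted.update(a for a in args if a.isdigit())
        elif directive in SOURCE_DIRECTIVES and args:
            opts = args[1:]  # options after the host name
            key_id = opts[opts.index("key") + 1] if "key" in opts[:-1] else None
            sources.append((args[0], key_id))

    # Evaluate after the whole file is read, so directive order does not matter.
    findings = []
    for host, key_id in sources:
        if key_id is None:
            findings.append((host, "no key option: replies are not authenticated"))
        elif keys_file is None:
            findings.append((host, "key %s used but no keys file configured" % key_id))
        elif key_id not in trusted:
            findings.append((host, "key %s is not listed in trustedkey" % key_id))
    return findings


if __name__ == "__main__":
    for host, problem in audit_ntp_conf(SAMPLE):
        print("%s: %s" % (host, problem))
```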



