[Freeipa-devel] [PATCH] Review: rga-0005 Fix order of synchronizing time when running ipa-client-install

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 18 15:08:22 UTC 2014


On Tue, 18 Mar 2014, Petr Viktorin wrote:
> AFAIK this patch was only posted to Trac, where it was kind of 
> forgotten. Let's move it to the mailing list.
> 
> It looks & works fine, ACK for those aspects. But Dmitri had some 
> concerns about the validity of the ticket itself:
> 
>> Unusual but not critical. In future this can be an OTP prompt rather than
>> password prompt and making sure time is correct on both sides might be
>> more critical. I do not see a big problem with a slight delay. Banks now
>> prompt people for user name on one page and then for password on another.
>> It is a common practice. I would think that decoupling the prompts and
>> getting people used to it is a benefit rather than a hassle. The trend
>> of prompting for user and password independently should continue.
>> We should make it more usable if there are usability concerns but IMO we
>> should not be trying to push people back to traditional notion of "user
>> name and password are always together". They are not.
> 
> It may be common practice but it doesn't really make sense to
> temporally split related actions if there's no need for it. It is
> annoying. In the banks' case, the login pages follow one another, they
> don't insert some completely unrelated output in the middle of the
> login process.  If we want to teach new expectations to users,
> ipa-client-install is not the place to do it.
> The OTP case will work since with the patch, time is synced before
> both prompts.
> 
> The comment gives a good reason to move the ticket to Backlog, but 
> since we have a fix I'd like to push it.
I'm ok with moving time sync prior to the user prompt.

With newer Kerberos we also have means to defeat time issues as KDC and
services can get time difference accounted from the TGT.

I don't think there was any specific reason for splitting the sequence
up, just time sync was put immediately before the operation where
correct time mattered. So, there is no need to read the tea leaves too
much. ;)

-- 
/ Alexander Bokovoy



