[Pkg-freeipa-devel] Bug#1008195: Joining a domain fails on chrony.service in all scenarios

Martin Pitt mpitt at debian.org
Thu Mar 24 08:41:32 GMT 2022


Package: freeipa-client
Version: 4.9.8-1+b1

Despite several attempts to fix it [1][2], interaction with chrony is still
broken on current Debian testing.

freeipa-client Recommends: chrony, so it is installed by default. Trying to
join a domain on a clean system:

| # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
| This program will set up IPA client.
| Version 4.9.8
| 
| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
| 
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]: yes
| Enter NTP source server addresses separated by comma, or press Enter to skip:
| Enter a NTP source pool address, or press Enter to skip:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
| 
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 1: 'Failed to restart chrony.service: Unit chrony.service is masked.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

ipaclient-install.log doesn't really say anything different, it just has a
large traceback for essentially the same thing.

Now, the chrony package is indeed rather weird/broken:

| root@x0:~# find /etc/systemd -name '*chrony*' | xargs ls -l
| lrwxrwxrwx 1 root root  9 Mar 24 05:54 /etc/systemd/system/chrony.service -> /dev/null
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/chronyd.service -> /lib/systemd/system/chrony.service
| lrwxrwxrwx 1 root root 34 Mar 23 04:31 /etc/systemd/system/multi-user.target.wants/chrony.service -> /lib/systemd/system/chrony.service

| # systemctl status chrony chronyd
| Warning: The unit file, source configuration file or drop-ins of chronyd.service changed on disk. Run 'systemctl daemon-reload' to relo>
| ○ chrony.service
|      Loaded: masked (Reason: Unit chrony.service is masked.)
|      Active: inactive (dead)
| 
| ○ chronyd.service
|      Loaded: error (Reason: Unit chronyd.service failed to load properly, please adjust/correct and reload service manager: File exists)
|      Active: inactive (dead)

Again, this is unconfigured and out of the box -- the idea is that FreeIPA
sets up everything and configures NTP/chrony/etc. to listen to the FreeIPA
server.

Purging chrony doesn't really help, though:

| dpkg -P chrony
| # no '*chrony*' files in /etc any more

Exactly the same failure, and it still tries to configure chrony even though
it's not there any more:

| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
| 
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]: yes
| Enter NTP source server addresses separated by comma, or press Enter to skip:
| Enter a NTP source pool address, or press Enter to skip:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
| 
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

And even if I say "no" to the NTP question:

| # ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --principal admin -W
| This program will set up IPA client.
| Version 4.9.8
| 
| WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
| 
| Discovery was successful!
| Do you want to configure chrony with NTP server or pool address? [no]:
| Client hostname: x0.cockpit.lan
| Realm: COCKPIT.LAN
| DNS Domain: cockpit.lan
| IPA Server: f0.cockpit.lan
| BaseDN: dc=cockpit,dc=lan
| 
| Continue to configure the system with these values? [no]: yes
| Synchronizing time
| No SRV records of NTP servers found and no NTP server or pool address was provided.
| Using default chrony configuration.
| CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')
| The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

There are probably two bugs -- chrony having a broken default config, and
ipa-client-install not being able to detect and handle it. But at this point
I'm not even sure what *should* happen.

Note: I'm testing this in the context of https://cockpit-project.org/, which
doesn't call ipa-client-install directly, but `realm join`. That calls
ipa-client-install with --force-ntpd, but the underlying bug reproduces with
the more direct ipa-client-install CLI as well in all combinations.

Thanks,

Martin

[1] https://bugs.debian.org/968428
[2] https://launchpad.net/bugs/1890786
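
A preflight check for the two failure states shown in this report (chrony.service masked, chrony.service not found), added here as an example; it is not part of the original message or of ipa-client-install. The function names and the ROOT argument are assumptions of the example, and the sample tree is constructed from the `find` listing in the report.

```shell
#!/bin/sh
# Classify chrony.service before anything tries to restart it.
# ROOT (assumption of this example) is the filesystem root to inspect,
# "/" on a live host. Exit codes mirror the systemctl statuses in the
# report: 1 = masked, 5 = unit not found, 0 = a unit file is present.
chrony_unit_state() {
    root=${1:-/}
    etc="$root/etc/systemd/system"

    # Masked as in the report: the /etc entry is a symlink to /dev/null.
    if [ -L "$etc/chrony.service" ] &&
       [ "$(readlink "$etc/chrony.service")" = /dev/null ]; then
        echo masked
        return 1
    fi

    # Not found: no unit file in any of the usual unit directories.
    for dir in "$etc" "$root/lib/systemd/system" "$root/usr/lib/systemd/system"; do
        if [ -e "$dir/chrony.service" ]; then
            echo present
            return 0
        fi
    done
    echo missing
    return 5
}

# Constructed sample: rebuilds the symlink layout from the report in a temp dir.
make_masked_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/systemd/system/multi-user.target.wants" "$d/lib/systemd/system"
    printf '[Unit]\nDescription=constructed placeholder unit\n' \
        > "$d/lib/systemd/system/chrony.service"
    ln -s /dev/null "$d/etc/systemd/system/chrony.service"
    ln -s /lib/systemd/system/chrony.service "$d/etc/systemd/system/chronyd.service"
    ln -s /lib/systemd/system/chrony.service \
        "$d/etc/systemd/system/multi-user.target.wants/chrony.service"
    echo "$d"
}

sample=$(make_masked_sample)
rc=0
state=$(chrony_unit_state "$sample") || rc=$?
echo "constructed sample: chrony.service is $state (exit $rc)"
rm -rf "$sample"
```

Since Kerberos depends on client and KDC clocks agreeing, running such a check before the join separates "time sync is broken on this host" from a failure of the enrollment itself.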


