Bugzilla – Full Text Bug Listing

| Summary: | yast2 samba-client needs to adjust time prior to joining AD domain | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 10.2 | Reporter: | Guenther Deschner <gd> |
| Component: | YaST2 | Assignee: | Katarina Machalkova <kmachalkova> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | joe, jsuchome, ke, ralf, samba-maintainers |
| Version: | Beta 1 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | Development | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | adjust clockskew for kerberos spnego session setup; patch for /usr/share/YaST2/modules/SambaAD.pm; picture of failed join attempt; new pot file | | |

Description
Guenther Deschner
2006-10-27 12:02:53 UTC
Created attachment 102810 [details]
adjust clockskew for kerberos spnego session setup
Jeremy, we could fake the correct time for the kerberos session setup in "net" in the same way we do for the spnego LDAP bind (by taking the ads->auth.time_offset). Just don't like to modify so many callers...

Of course this will bite us for the sled10 sp1 as well.

Created attachment 102811 [details]
patch for /usr/share/YaST2/modules/SambaAD.pm
Could you patch your SambaAD.pm and use yast2-samba-client to test the patch?
Created attachment 102821 [details]
picture of failed join attempt
Just for visualisation...
Yep, patch works fine. Thanks!

OK, I'm going to submit the patch after the other current samba-client issues (bug 214641) are solved.

Good, could you also take care of syncing the time to the hwclock afterwards? Otherwise after the reboot the time is lost again.

Well, I'm a bit unsure about this. Do you think users expect that the time changes without noticing them? Such change is currently done in yast2-country module, where is dedicated dialog for changing time or in yast2-ntp-client which - obviously - configures NTP client. Shouldn't we rather introduce a checkbox to the yast2-samba-client dialog, saying [x] Adjust system time to server or something like that? Isn't it just wrong approach to use 'net' for this, shouldn't user have configure NTP? If I would really to write it here (by "hwclock --systohc"), I assume only when join succeeds, is that correct?

Very good point. Sure. You could also call "ntpdate $MYDC" prior to the join of course. The point of setting the time before the join (using net or ntpdate) is just about to make the join happen at all :) Then once successfully joined to AD, having offered a checkbox [x] Adjust system time from authentication domain controller would be just perfect! Is that still doable? The only point that worries me a bit is to have that DC ip statically in /etc/ntp.conf afterwards where we can't update it easily.

BTW: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx points out that this (use of ntp) is exactly what Windows clients do. So we should as well.

Hmm, I was actually thinking about forcing (or guiding) user to configure his NTP configuration himself (using yast2-ntp-client), not to do that from samba-client configuration. Katarina, could you comment?

> Then once successfully joined to AD, having offered a checkbox
> [x] Adjust system time from authentication domain controller
> would be just perfect!

After the join is done, yast2-samba-client module finishes, so it wouldn't have a sense to show new checkbox at that time. I see 2 possibilities:
- showing the checkbox from the beginning (and adjusting the time even before the join only if the checkbox is checked)
- adjust the time before join just like in case of comment #3, and after the join succeed, ask for adaptation of time in a popup.

And yet another question is: is this all relevant only for Active Directory domains?

(In reply to comment #10)
> And yet another question is: is this all relevant only for Active Directory
> domains?

Yes, fixing the time difference is only required when using Kerberos authentication (and thus only when talking to Active Directory).

Another possibility would be to only include the "NTP Configuration..." button to the dialog which would run yast2-ntp-client. Exactly this way it is done in yast2-kerberos-client. (User would need to run it before he tries to join - or after the first unsuccessful attempt to do so, reacting to error popup shown in comment #4.)

Running NTP client after the first unsuccessful attempt to join (or before the join - depending on how likely is that join will not succeed due to wrongly adjusted time) seems a reasonable solution to me. Only the basic dialog with domain controller as pre-defined server could be displayed (I suppose that DC hostname is known at this time).

Well, the problem is that we are beyond the text freeze. The possibilities are:
- new text for checkbox "Adjust system time from authentication domain controller", plus new help text
- use the same push button label ("&NTP Configuration...") as already is present in yast2-kerberos-client (so it would need just to merge it from different textdomain). We could even use the same help text from kerberos ("To synchronize your time with an NTP server, configure your computer
as an NTP client. Access the configuration with <b>NTP Configuration</b>.")
Karl, could you comment what is possible now and/or what would you prefer?
I'd prefer reusing existing translations. Once done, attach the new pot file, please.

Created attachment 103041 [details]
new pot file
Karl, new pot is attached. New texts (present in kerberos.pot) are:

    #. button label (run YaST client for NTP)
    #: src/dialogs.ycp:110
    msgid "&NTP Configuration..."

    #. Samba membership dialog - additional help for possible NTP configuration
    #: src/helps.ycp:87
    msgid ""
    "<p>\n"
    "To synchronize your time with an NTP server, configure your computer\n"
    "as an NTP client. Access the configuration with <b>NTP Configuration</b>.\n"
    "</p>\n"

To yast2-samba-client-2.14.2 (openSUSE 10.2) and yast2-samba-client-2.13.27 (SLES10-SP1) I've done the version with the button, offering the possibility to run yast2-ntp-client (just like in yast2-kerberos-client). The disadvantage of this solution is that user has to enter the name of server manually. For 10.2, we cannot have new texts, but maybe for SLES10-SP1 I could do the solution with checkbox (which would call ntp-client as well, but with the ADS already detected). Closing the bug for now, Guenther please reopen if you wish better solution for SP1.

Well, there's other possibility to make NTP configuration more user friendly without adding new texts. Let's leave it with current situation, and when yast2-ntp-client dialog is opened, the address with ADC would be displayed as prepared for adding to ntp configuration.
Katarina, NTP configuration is called with
WFM::CallFunction ("ntp-client", []);
For this, we need only some special command line parameter containing the address (and not invoking command-line mode).
(Let's say WFM::CallFunction ("ntp-client", [ "from_samba", "ber.suse.de" ])).
Reopening for better fix (on ntp-client's side)

fixed in yast2-samba-client-2.14.3 and 2.13.2.13.28

... and in yast2-ntp-client 2.14.1 and 2.13.14
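
A pre-join clock-skew check for the situation discussed in this thread, as an added example that is not part of the original bug report nor of the YaST or Samba code: it computes the offset between the local clock and a domain controller from an SNTP reply and tests it against the Kerberos tolerance. The 300-second limit is an assumption (the usual default; the thread does not state it), the function names are hypothetical, and the reply packet is constructed inline instead of being fetched from a real DC.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_MAX_SKEW = 300           # assumption: common 5-minute Kerberos default

def _to_unix(sec, frac):
    """32.32 fixed-point NTP timestamp -> Unix seconds (float)."""
    return sec - NTP_UNIX_DELTA + frac / 2**32

def parse_reply(packet):
    """Return the server's (receive, transmit) times from an SNTP reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack("!BBbb11I", packet[:48])
    if f[0] & 0x7 != 4:               # mode 4 = server
        raise ValueError("not a server reply")
    if f[0] >> 6 == 3 or f[1] == 0:   # LI=3 or stratum 0: no usable time
        raise ValueError("server clock unsynchronised")
    return _to_unix(f[11], f[12]), _to_unix(f[13], f[14])

def clock_offset(t1, packet, t4):
    """Offset of the server clock relative to the local clock, in seconds.

    t1 and t4 are the local send and receive times; t2 and t3 come from
    the reply, so the network delay cancels out of the result.
    """
    t2, t3 = parse_reply(packet)
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_blocks_join(offset, max_skew=KRB5_MAX_SKEW):
    """True when the skew exceeds what Kerberos authentication tolerates."""
    return abs(offset) > max_skew

def make_reply(t2, t3, stratum=2):
    """Build a constructed sample reply (stands in for a real DC answer)."""
    def ts(t):
        return int(t) + NTP_UNIX_DELTA, int((t - int(t)) * 2**32)
    return struct.pack("!BBbb11I", 0x24, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, *ts(t2), *ts(t3))

if __name__ == "__main__":
    t1 = 1161950573.0                              # constructed local send time
    reply = make_reply(t1 + 420.25, t1 + 420.25)   # DC is 7 minutes ahead
    off = clock_offset(t1, reply, t1 + 0.5)
    print(f"offset {off:+.1f}s, join blocked: {skew_blocks_join(off)}")
```
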