[SERVER-46139] Report missing active ntpd/chrony when external auth is configured Created: 13/Feb/20 Updated: 13/Jan/21 Resolved: 28/Feb/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Trivial - P5 |
| Reporter: | Nic Cottrell | Assignee: | Spencer Jackson |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Sprint: | Security 2020-03-09 | ||||
| Participants: | |||||
| Description |
|
Although it's no longer as critical for replication lag (maxStaleness calculations, etc.), when hosts' clocks are out of sync there can still be problems with external auth, particularly with Kerberos with fixed windows. Let's add a startup warning when neither ntpd nor chrony is detected, but only when some external auth mechanism like GSSAPI or PLAIN is enabled. |
| Comments |
| Comment by Spencer Jackson [ 28/Feb/20 ] |
|
While accurate clocks are important for Kerberos authentication, checking for the presence of an NTP daemon isn't something we can easily do. The set of daemons which may adjust the clock changes over time, as they fall in and out of favour, and checks for particular running processes could become stale. Implementing support for NTP in the server would be non-trivial and probably should be considered out of scope for a database. |
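
The check proposed in the description, and the staleness concern raised in the comment, as an added example that is not MongoDB's code or part of the original ticket. It assumes a Linux host with `/proc`; the function names, warning text and process lists are constructed for illustration.

```python
"""Sketch of the proposed startup check (added example, not MongoDB code)."""
import os

# Mechanisms the ticket names as external auth.
EXTERNAL_MECHANISMS = {"GSSAPI", "PLAIN"}
# Daemons the ticket proposes to look for; chrony's daemon process is "chronyd".
# A hard-coded set like this is what the comment warns can go stale.
KNOWN_TIME_DAEMONS = {"ntpd", "chronyd"}


def parse_mechanisms(value):
    """Split an authenticationMechanisms value such as 'GSSAPI,SCRAM-SHA-256'."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def running_process_names(proc_root="/proc"):
    """Return the comm names of running processes (Linux only)."""
    names = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                names.add(fh.read().strip())
        except OSError:
            continue  # process exited or is unreadable
    return names


def clock_sync_warning(mechanisms_value, process_names):
    """Return a warning string, or None when no warning applies."""
    external = parse_mechanisms(mechanisms_value) & EXTERNAL_MECHANISMS
    if not external:
        return None  # only warn when external auth is enabled
    if KNOWN_TIME_DAEMONS & set(process_names):
        return None
    return ("no ntpd or chronyd process found while external auth ("
            + ", ".join(sorted(external)) + ") is enabled")


if __name__ == "__main__":
    # Constructed process lists, not captured from a real host.
    print(clock_sync_warning("GSSAPI,SCRAM-SHA-256", {"mongod", "chronyd"}))
    print(clock_sync_warning("SCRAM-SHA-256", {"mongod"}))
    # Host synced by systemd-timesyncd (comm is truncated to 15 chars):
    # the check still warns, which is the staleness problem from the comment.
    print(clock_sync_warning("PLAIN", {"mongod", "systemd-timesyn"}))
```
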