> client install expects ntpd to be present

I'm not quite sure what you mean.

"freeipa-client --install" does indeed give NTP errors, but it still proceeds. Here is a transcript of installing freeipa-client inside a (privileged) 16.04 lxd container.


root@unifi:~# apt-get install freeipa-client sssd-tools 
...
root@unifi:~# ipa-client-install --domain IPA.EXAMPLE.COM --mkhomedir -p admin -W
Discovery was successful!
Client hostname: unifi.int.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: IPA.EXAMPLE.COM
IPA Server: lon-ipa-1.int.example.com
BaseDN: dc=ipa,dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for <email address hidden>:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=IPA.EXAMPLE.COM
    Valid From:  Thu Oct 27 15:27:53 2016 UTC
    Valid Until: Mon Oct 27 15:27:53 2036 UTC

Enrolled in IPA realm IPA.EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.COM
trying https://lon-ipa-1.int.example.com/ipa/json
Forwarding 'ping' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://lon-ipa-1.int.example.com/ipa/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring IPA.EXAMPLE.COM as NIS domain.
Client configuration complete.
root@unifi:~# id brian.candler
uid=1211000003(brian.candler) gid=1211000003(brian.candler) groups=1211000003(brian.candler),1211000000(admins)


(Note that in my case the KDC itself is in a container, so there is no NTP daemon running inside it for the client to talk to anyway)

So enrolment works. The problem is that installation of freeipa-client inside the client container has forcibly installed and started ntpd, which cannot possibly work:

root@unifi:~# dpkg-query -l ntp
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version          Architecture     Description
+++-=======================-================-================-===================================================
ii  ntp                     1:4.2.8p4+dfsg-3 amd64            Network Time Protocol daemon and utility programs
root@unifi:~# ps auxwww | grep ntpd
root      7649  0.0  0.0 103708  3820 ?        Ss   10:49   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 113:117
root      7721  0.0  0.0  11284   944 ?        S+   10:53   0:00 grep --color=auto ntpd
root@unifi:~# systemctl status ntp
● ntp.service - LSB: Start NTP daemon
   Loaded: loaded (/etc/init.d/ntp; bad; vendor preset: enabled)
   Active: active (running) since Sat 2017-01-14 10:49:18 UTC; 4min 23s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 7629 ExecStop=/etc/init.d/ntp stop (code=exited, status=0/SUCCESS)
  Process: 7639 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
    Tasks: 1
   Memory: 636.0K
      CPU: 31ms
   CGroup: /system.slice/ntp.service
           └─7649 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 113:117

Jan 14 10:49:18 unifi ntpd[7649]: restrict ::: KOD does nothing without LIMITED.
Jan 14 10:49:18 unifi ntpd[7649]: Listen and drop on 0 v6wildcard [::]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 2 lo 127.0.0.1:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 3 eth0 10.0.0.121:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 4 lo [::1]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listen normally on 5 eth0 [fe80::216:3eff:fe45:8115%71]:123
Jan 14 10:49:18 unifi ntpd[7649]: Listening on routing socket on fd #22 for interface updates
Jan 14 10:49:18 unifi ntpd[7649]: start_kern_loop: ntp_loopfilter.c line 1126: ntp_adjtime: Operation not permitted
Jan 14 10:49:18 unifi ntpd[7649]: set_freq: ntp_loopfilter.c line 1089: ntp_adjtime: Operation not permitted

The workaround is to stop and disable it:

root@unifi:~# systemctl stop ntp
root@unifi:~# systemctl disable ntp
ntp.service is not a native service, redirecting to systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install disable ntp
insserv: warning: current start runlevel(s) (empty) of script `ntp' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (1 2 3 4 5) of script `ntp' overrides LSB defaults (1).


However, really I didn't want the ntp package installed in the first place. The hard dependency on freeipa-client forces it, and prevents its removal.