Subject: [Samba] AD DC in a container: NTP
From: Viktor Trojanovic via samba
Date: Tue, 8 Jan 2019 14:32:45 +0100

I'm currently trying to install a new (primary) AD DC in a Linux container. It seems to me that being in a container, the DC is easier to maintain and back up than on bare metal, and I prefer a container over a VM for performance reasons. If the container setup proves to be too much of a hassle, I'll switch to a VM, though.

The first issue I'm facing is time synchronization. A container cannot set its time independently of the main kernel, and for obvious reasons it cannot manipulate the kernel time.

If I understand correctly, and do correct me if I'm wrong, it is not possible to run a Samba DC without running a time server. So it's not possible to entirely disable ntpd in the container.

Which would mean that on the DC, I need ntp to not act as a client but still to act as a time server for domain members.

To achieve this, I changed /etc/ntp.conf to look as follows:

    # Local clock. Note that is not the "localhost" address!
    server 127.127.1.0
    #fudge 127.127.1.0 stratum 10
    fudge 127.127.1.0 stratum 0

    # Where to retrieve the time from
    # server 0.pool.ntp.org iburst prefer
    # server 1.pool.ntp.org iburst prefer
    # server 2.pool.ntp.org iburst prefer

    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

    # Access control
    # Default restriction: Allow clients only to query the time
    restrict default kod nomodify notrap nopeer mssntp

    # No restrictions for "localhost"
    restrict 127.0.0.1

    # Enable the time sources to only provide time to this host
    # restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    # restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    # restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

    tinker panic 0

However, ntpd is still trying to change/adjust the system time, leading to a couple of errors in the syslog:

    start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
    set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted

I'd assume I could just ignore those but before continuing, I'd appreciate some comments from the team. Do you see any major issues in my approach, and what would you do differently?

Thanks,
Viktor
From: Marco Gaiarin via samba
Sent: Tuesday, 8 January 2019 14:47
Subject: Re: [Samba] AD DC in a container: NTP

Hello! Viktor Trojanovic via samba wrote on that day...
> I'd assume I could just ignore those but before continuing, I'd appreciate some comments from the team. Do you see any major issues in my approach, and what would you do differently?

https://lists.samba.org/archive/samba/2018-November/219200.html

Briefly:

a) enable time management in container, or
b) disable hwtime access in NTPD.

-- 
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
From: Rowland Penny via samba
Sent: Tuesday, 8 January 2019 14:47
Subject: Re: [Samba] AD DC in a container: NTP

On Tue, 8 Jan 2019 14:32:45 +0100 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I'm currently trying to install a new (primary) AD DC in a Linux container.
> [...]
> Do you see any major issues in my approach, and what would you do differently?

Have you read this: https://wiki.samba.org/index.php/Time_Synchronisation

A DC needs to use another time source.

Rowland
Viktor Trojanovic via samba wrote:

> From: Rowland Penny via samba
> Sent: Tuesday, 8 January 2019 14:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD DC in a container: NTP
>
> [...]
>
> Have you read this: https://wiki.samba.org/index.php/Time_Synchronisation
>
> A DC needs to use another time source.
>
> Rowland

Hi Rowland,

Yes, I read this, of course. The DC would in fact use another time source (the host that sets the RTC will retrieve it from NTP servers) but it would simply not query NTP by itself in order to do so.
Viktor Trojanovic via samba wrote:

Hi Marco,

I could not find a way to enable time management in an LXD container. Seems like it was/is possible with Docker but not with unprivileged LXD containers. And I'd anyway prefer to keep the container as lean as possible.

As for disabling hwtime access in NTPD, could you elaborate on what you mean? Seeing as how ntpd in the container has, in fact, no access to the hwtime, how would this improve my current situation?

Thanks,
Viktor

> From: Marco Gaiarin via samba
> Sent: Tuesday, 8 January 2019 14:47
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD DC in a container: NTP
>
> [...]
>
> Briefly:
>
> a) enable time management in container, or
> b) disable hwtime access in NTPD.
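The "Operation not permitted" lines from ntpd and the "cannot enable time management in an unprivileged LXD container" observation above have one root cause, and it is worth being able to check it from inside the container. The block below is an added example, not code from the thread, from Samba or from ntpd: it reads the same two /proc files a practitioner would look at and classifies the result. The kernel only lets a process slew or set the system clock if it holds CAP_SYS_TIME in the initial user namespace (the `capable(CAP_SYS_TIME)` checks behind adjtimex() and settimeofday()), so looking at CapEff alone is misleading: an unprivileged LXD container typically holds the bit inside its own user namespace and still gets EPERM. The /proc contents used as samples are constructed for the example, not captured from a real system.

```python
"""Added example (not from the thread, not Samba or ntpd code): work out from
inside a container why ntpd's ntp_adjtime() gets EPERM. The Linux kernel only
lets a process slew or set the system clock if it holds CAP_SYS_TIME in the
*initial* user namespace, so both the effective capability set and the user
namespace have to be checked. The /proc samples below are constructed."""
import re

CAP_SYS_TIME = 25                      # bit number from <linux/capability.h>
INITIAL_UID_MAP = "0 0 4294967295"     # identity map: only the initial user namespace shows this

# Constructed samples (not captured from a real system):
HOST_STATUS = ("Name:\tntpd\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
               "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n")
HOST_UID_MAP = "         0          0 4294967295\n"
# Docker's default capability set (no SYS_TIME), but in the initial user namespace:
DOCKER_STATUS = "Name:\tntpd\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
# Unprivileged LXD: full capability bits, but inside a child user namespace:
LXD_STATUS = "Name:\tntpd\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
LXD_UID_MAP = "         0    1000000 1000000000\n"


def parse_cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Return one Cap* line of /proc/<pid>/status as an integer bit mask."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError(f"{field} not present in status text")
    return int(m.group(1), 16)


def has_cap(mask: int, cap: int = CAP_SYS_TIME) -> bool:
    return (mask >> cap) & 1 == 1


def in_initial_userns(uid_map_text: str) -> bool:
    """/proc/self/uid_map is a single identity line only in the initial user namespace."""
    lines = [" ".join(line.split()) for line in uid_map_text.splitlines() if line.strip()]
    return lines == [INITIAL_UID_MAP]


def diagnose(status_text: str, uid_map_text: str) -> str:
    """Classify whether clock adjustment (adjtimex/settimeofday) can succeed here."""
    if not in_initial_userns(uid_map_text):
        # Capabilities held in a child user namespace do not satisfy the kernel's
        # capable(CAP_SYS_TIME) check, so EPERM is expected even when CapEff has
        # bit 25 set. Nothing done inside the container changes this.
        return "userns: cannot adjust clock (CAP_SYS_TIME is only honoured in the initial user namespace)"
    if not has_cap(parse_cap_mask(status_text, "CapEff")):
        # Initial user namespace, but the capability was dropped. For Docker this
        # is the default; `docker run --cap-add SYS_TIME` restores it.
        return "no-cap: cannot adjust clock (CAP_SYS_TIME missing from CapEff)"
    return "ok: clock adjustment permitted"


if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f, open("/proc/self/uid_map") as g:
            print(diagnose(f.read(), g.read()))
    except OSError:
        # Not on Linux: show the three constructed cases instead.
        for name, status, uid_map in (("host", HOST_STATUS, HOST_UID_MAP),
                                      ("docker", DOCKER_STATUS, HOST_UID_MAP),
                                      ("lxd", LXD_STATUS, LXD_UID_MAP)):
            print(name, "->", diagnose(status, uid_map))
```

Run it as root inside the container that runs ntpd. A "userns" result means the EPERM messages are structural: the only ways to make ntpd discipline the clock are to run the container without a user namespace (privileged) or to leave clock discipline to the host, which is what the replies below recommend.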
From: L.P.H. van Belle via samba
Sent: Tuesday, 8 January 2019 14:58
To: samba at lists.samba.org
Subject: Re: [Samba] AD DC in a container: NTP

Hi Viktor,

I've seen some answers already and all are correct.

What I would do differently here, when running in a container:

    apt-get remove --purge ntpd ;-)

The hosts that are running AD DC containers all need to use the same time source. And if you don't install ntpd, you still have the same time in your AD.

NTPD is not obligatory to set up AD DCs. It's obligatory to have good time sources.

The Windows PCs get the time over the AD.
The AD DC gets time from the host.
The host gets the time from a time source.
Member servers should be pointed to the same time source as the other hosts.

See: https://docs.microsoft.com/nl-nl/windows-server/networking/windows-time-service/how-the-windows-time-service-works#domain-hierarchy-based-synchronization

And think in that picture that the external NTP server is your host running NTPD.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor Trojanovic via samba
> Sent: Tuesday 8 January 2019 14:33
> To: samba
> Subject: [Samba] AD DC in a container: NTP
>
> I'm currently trying to install a new (primary) AD DC in a Linux container.
> [...]
Viktor Trojanovic via samba wrote:

Hi Louis,

In general, this sounds like the solution I was looking for. But I'm still a bit unclear about the practical implementation.

So, the DC can be set up without ntpd as it will work based on the system clock which, in turn, is actually being updated by the container host using NTP. Which means we've got the DC itself covered.

But if ntpd is not installed, then how can the DC serve time to other hosts? How can "Windows PCs get time over the AD" if the AD DC isn't offering a time service?

I'm also not sure about what you mean when you say that member servers should be pointed to the same source as the "other hosts". Which other hosts?

Viktor

> From: L.P.H. van Belle via samba
> Sent: Tuesday, 8 January 2019 14:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD DC in a container: NTP
>
> Hi Viktor,
>
> [...]
L.P.H. van Belle via samba wrote:

What Marco and Robert already said. This is what I mean (and Robert).
Marco's option to disable through the kernel is also an option.

Maybe a bit cryptic, but like this:

    HOST - CONTAINER - SambaDC - samba-AD distributing time to PCs.
    ||
    |||  HOST_its_NTP_Service => get Internet time
    ||||
    OTHERHOSTS NTP Client - CONTAINER - SambaMember - Point ntp to HOST_its_NTP_Service
    OTHERHOST - Random Linux server - Point ntp client to HOST_its_NTP_Service

The only thing here that I don't know... Rowland, can you tell? Does samba "need" the ntp_signd socket to provide the time over AD? Because imo not: if you set up a server with a hardware time clock to sync with, then there is also no ntp running. (Preferred yes, but not obligated.) But I don't know how that's programmed in samba.

Greetz,

Louis

> From: Viktor Trojanovic [mailto:viktor at troja.ch]
> Sent: Tuesday 8 January 2019 19:30
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: RE: [Samba] AD DC in a container: NTP
>
> Hi Louis,
>
> In general, this sounds like the solution I was looking for. But I'm still a bit unclear about the practical implementation.
>
> So, the DC can be set up without ntpd as it will work based on the system clock which, in turn, is actually being updated by the container host using NTP. Which means we've got the DC itself covered.
>
> But if ntpd is not installed, then how can the DC serve time to other hosts? How can "Windows PCs get time over the AD" if the AD DC isn't offering a time service?
>
> I'm also not sure about what you mean when you say that member servers should be pointed to the same source as the "other hosts". Which other hosts?

The hosts where the containers are running in? Somewhere in your network there should be an ntp server. Simply said, point all hosts to an ntp server, except the hosts-in-containers.

> Viktor
>
> [...]
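Viktor's question ("how can Windows PCs get time over the AD if the DC isn't offering a time service?") and Louis's open question about the ntp_signd socket both come down to what a domain member actually sends and expects back. The block below is an added example, not code from the thread, from Samba, ntpd or W32Time: it builds both sides of the exchange in memory and shows the checks a client applies. A Windows domain member sends an ordinary NTP client packet to its DC on UDP 123; the DC replies with the 48-byte NTP packet followed by a 20-byte MS-SNTP authenticator (a 4-byte key identifier derived from the client's RID, then a 16-byte crypto-checksum), and that checksum is what Samba's ntp_signd socket lets ntpd compute, since the key is the client's machine-account key. Without an NTP server answering on port 123, nothing answers the member at all. The timestamps, stratum, reference id and RID below are constructed; the checksum is left zeroed because this example has no machine-account key, and it detects the authenticator without verifying it.

```python
"""Added example (not from the thread, not Samba, ntpd or W32Time code): an
offline NTP / MS-SNTP exchange showing what "the DC serves time to domain
members" looks like on the wire. Both sides are built in memory; nothing is
sent, and the MS-SNTP checksum is a zeroed placeholder."""
import struct
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
MSSNTP_AUTH_LEN = 20            # key id (4) + crypto-checksum (16)


def to_ntp_ts(unix_time: float) -> bytes:
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32))
    return struct.pack("!II", secs + NTP_EPOCH_OFFSET, frac)


def from_ntp_ts(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_client_request(t1: float, version: int = 3) -> bytes:
    """LI=0, VN=version, Mode=3 (client); only the transmit timestamp (T1) is set."""
    header = (version << 3) | 3
    return bytes([header]) + b"\x00" * 39 + to_ntp_ts(t1)


def build_server_response(request: bytes, t2: float, t3: float, stratum: int,
                          refid: bytes, signed_rid: Optional[int] = None) -> bytes:
    """Constructed server reply. It copies the client's transmit stamp into the
    originate field (as a real server must) and, if signed_rid is given, appends
    an MS-SNTP authenticator whose 16-byte checksum is a zeroed placeholder."""
    version = (request[0] >> 3) & 7
    header = (version << 3) | 4                          # LI=0, Mode=4 (server)
    pkt = struct.pack("!BBBb", header, stratum, 6, -20)  # poll=2^6, precision=2^-20
    pkt += struct.pack("!II", 0, 0)                      # root delay, root dispersion
    pkt += refid[:4].ljust(4, b"\x00")                   # reference id
    pkt += to_ntp_ts(t2)                                 # reference timestamp
    pkt += request[40:48]                                # originate timestamp = client's T1
    pkt += to_ntp_ts(t2) + to_ntp_ts(t3)                 # receive (T2), transmit (T3)
    if signed_rid is not None:
        pkt += struct.pack("!I", signed_rid) + b"\x00" * 16
    return pkt


def parse_response(data: bytes) -> dict:
    if len(data) < 48:
        raise ValueError("short NTP packet")
    info = {
        "li": data[0] >> 6,
        "version": (data[0] >> 3) & 7,
        "mode": data[0] & 7,
        "stratum": data[1],
        "refid": data[12:16],
        "t1": from_ntp_ts(data[24:32]),
        "t2": from_ntp_ts(data[32:40]),
        "t3": from_ntp_ts(data[40:48]),
        "mssntp_signed": len(data) == 48 + MSSNTP_AUTH_LEN,
        "key_id": None,
    }
    if info["mssntp_signed"]:
        info["key_id"] = struct.unpack("!I", data[48:52])[0]
    return info


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905 clock offset (theta) and round-trip delay (delta)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def check_response(request: bytes, response: bytes, t4: float) -> dict:
    """Sanity checks a client applies before trusting a reply, plus the offset
    it would apply to its clock."""
    info = parse_response(response)
    problems = []
    if info["mode"] != 4:
        problems.append("not a server reply (mode != 4)")
    if info["li"] == 3:
        problems.append("server clock not synchronised (LI=3)")
    if info["stratum"] == 0:
        problems.append("stratum 0: kiss-o'-death or unspecified")
    if response[24:32] != request[40:48]:
        problems.append("originate timestamp does not match our request (stale or spoofed reply)")
    theta, delta = offset_and_delay(info["t1"], info["t2"], info["t3"], t4)
    info.update(offset=theta, delay=delta, problems=problems)
    return info


if __name__ == "__main__":
    t1 = 1546954365.0                       # client's clock when it sends (constructed)
    req = build_client_request(t1)
    # Constructed DC: its clock is 0.5 s ahead of the client, one-way delay 0.1 s.
    resp = build_server_response(req, t2=t1 + 0.6, t3=t1 + 0.601, stratum=2,
                                 refid=b"\x0a\x00\x00\x01", signed_rid=1108)
    result = check_response(req, resp, t4=t1 + 0.201)
    print(f"offset={result['offset']:.3f}s delay={result['delay']:.3f}s "
          f"signed={result['mssntp_signed']} key_id={result['key_id']} "
          f"problems={result['problems']}")
```

The originate-timestamp comparison is the one check worth keeping in mind when a DC is the time source for a whole domain: a reply whose originate field does not echo the request's transmit stamp was not produced for that request, which is how a client rejects stale or off-path injected answers before applying any offset.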