On 10/12/21 10:18, Rowland Penny via samba wrote:
> On Tue, 2021-10-12 at 09:42 -0500, Patrick Goetz via samba wrote:
>>
>> On 10/12/21 04:27, Rowland Penny via samba wrote:
>>> On Tue, 2021-10-12 at 11:14 +0200, L.P.H. van Belle via samba
>>> wrote:
>>>> Ow yes, this can work fine.
>>>>
>>>> AD-DC, time is given to the pc's over the AD. (not NTP directly)..
>>>> sure you can configure that, but I didn't.
>>>>
>>>> Members, systemd-timedated used the AD-DC its NTP to sync.
>>>> Standalones ( I have 1, ) same.
>>>>
>>>> The members don't need SNTP to sync time, only the AD-DC <=> Windows
>>>> And you can even overrule that, but I'm not doing that.
>>>>
>>>> timedatectl show-timesync
>>>> SystemNTPServers="192.168.1.1 192.168.1.2"
>>>>
>>>
>>> I repeat, your clients are not using the DC's directly for time, you
>>> might be okay with this, but I am not, but hey, they are your
>>> clients :-)
>>>
>>
>> I'm not sure why this matters if the drift is less than the allowable
>> kerberos time difference.
>
> It is this: People can and will do things their own way. I cannot know
> or remember how they do things their way, I have a bad enough time
> remembering the recommended way :-)
>

That's fair. I have a dozen or so Ubuntu workstations at work bound to
an AD domain, and haven't bothered to configure systemd-timedated on
them, either:

cnsit@armadillo:~$ timedatectl show-timesync
FallbackNTPServers=ntp.ubuntu.com
ServerName=ntp.ubuntu.com
ServerAddress=91.189.89.198
RootDistanceMaxUSec=5s
PollIntervalMinUSec=32s
PollIntervalMaxUSec=34min 8s
PollIntervalUSec=34min 8s
NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23,
RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B,
OriginateTimestamp=Tue 2021-10-12 10:08:51 CDT, ReceiveTimestamp=Tue
2021-10-12 10:08:51 CDT, TransmitTimestamp=Tue 2021-10-12 10:08:51 CDT,
DestinationTimestamp=Tue 2021-10-12 10:08:51 CDT, Ignored=no
PacketCount=541, Jitter=2.738ms }

It just hasn't ever been a problem. The time differences are too close
for Kerberos to care. Yes, I probably *should* configure this, but I'm
a member of the old school "If it ain't broke, don't fix it" club. One
usually ends up there after a number of years of systems engineer
experience. After one too many times of fixing something that was
working and consequently breaking it; then wondering what the hell were
you thinking not leaving well enough alone.

> Just because I say don't do it that way, doesn't mean it will
> definitely not work (it possibly will), but it is just not the Samba
> recommended way of doing things and I cannot test everything (so I know
> it does work, or not). If anyone feels that something does work and can
> prove it, then register for the wiki and edit it to add that
> information.
>

Did not know mere mortals could sign up for Wiki editing. Will do so, if
only to fix some vaguely annoying typos I've run into.

> Rowland
>
>
>
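
Added example, not part of the thread: a small Python audit that parses `timedatectl show-timesync` output like the two samples quoted above and reports whether a domain member is actually taking time from a DC. The function names are hypothetical, the sample text is constructed from the quoted output, and 192.168.1.1 / 192.168.1.2 are assumed to be the DC addresses.

```python
import re

# Constructed samples, modelled on the `timedatectl show-timesync` output in the thread.
SAMPLE_FALLBACK = """\
FallbackNTPServers=ntp.ubuntu.com
ServerName=ntp.ubuntu.com
ServerAddress=91.189.89.198
NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23, RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B, Ignored=no PacketCount=541, Jitter=2.738ms }
"""
# ServerName/ServerAddress below are constructed; the thread shows only SystemNTPServers.
SAMPLE_DC = """\
SystemNTPServers="192.168.1.1 192.168.1.2"
ServerName=192.168.1.1
ServerAddress=192.168.1.1
"""

def parse_show_timesync(text):
    """Return (properties, ntp_message) dicts from show-timesync output."""
    props, ntp = {}, {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "NTPMessage":
            # Name=value pairs inside { }, separated by commas or spaces.
            # Timestamp values containing spaces are cut at the first word.
            ntp = dict(re.findall(r"(\w+)=([^,\s}]+)", value))
        else:
            props[key] = value.strip().strip('"')
    return props, ntp

def audit_time_source(text, dc_addresses):
    """Flag a member whose configured or active time source is not a DC."""
    props, ntp = parse_show_timesync(text)
    dcs = set(dc_addresses)
    configured = props.get("SystemNTPServers", "").split()
    current = props.get("ServerAddress")
    findings = []
    if not dcs & set(configured):
        findings.append("no DC configured in SystemNTPServers")
    if current is None:
        findings.append("not currently synchronised to any server")
    elif current not in dcs:
        findings.append(f"syncing from {current} ({props.get('ServerName')}), not a DC")
    return {"server": current, "stratum": ntp.get("Stratum"),
            "jitter": ntp.get("Jitter"), "findings": findings}
```

The check compares addresses only, so a DC listed by hostname in `SystemNTPServers` needs its name added to `dc_addresses`.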