On Tue, 12 Sep 2017 14:41:42 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:

> Ok, I understand now, one question though: if realm is
> AD.TECNOPON.COM.BR, does domain need to be AD?

No, you can use anything you like, provided it is one word, 15 characters or less, without punctuation.

> If I understand
> correctly, realm is "full domain with subdomain" and domain is the
> subdomain, yes?

No, the AD realm is the dns domain of the computer in uppercase, it being a subdomain does not come into it. From your example above, the dns domain would be: ad.tecnopon.com.br
The realm would be: AD.TECNOPON.COM.BR

Rowland

On 12/09/2017 14:59, Rowland Penny via samba wrote:
> On Tue, 12 Sep 2017 14:41:42 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>> Ok, I understand now, one question though: if realm is
>> AD.TECNOPON.COM.BR, does domain need to be AD?
> No, you can use anything you like, provided it is one word, 15
> characters or less, without punctuation.
>
>> If I understand
>> correctly, realm is "full domain with subdomain" and domain is the
>> subdomain, yes?
>>
> No, the AD realm is the dns domain of the computer in uppercase, it
> being a subdomain does not come into it. From your example above, the
> dns domain would be: ad.tecnopon.com.br
> The realm would be: AD.TECNOPON.COM.BR
>
> Rowland

Great! I've provisioned the domain and moved towards setting up Time Synchronisation by reading this: https://wiki.samba.org/index.php/Time_Synchronisation

I've set the permissions accordingly:

root@dc1:~# ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
root@dc1:~#

Now I'm working on editing ntp.conf.

The tutorial gives a config example as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> server 2.pool.ntp.org iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Debian ntp.conf default is:

> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> # pick a different set every time it starts up. Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> pool 0.debian.pool.ntp.org iburst
> pool 1.debian.pool.ntp.org iburst
> pool 2.debian.pool.ntp.org iburst
> pool 3.debian.pool.ntp.org iburst
>
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery limited
> restrict -6 default kod notrap nomodify nopeer noquery limited
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines. Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient

Given all that I'm guessing I can do something like this, right?

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.br.pool.ntp.org iburst prefer
> server 1.br.pool.ntp.org iburst prefer
> server 2.br.pool.ntp.org iburst prefer
> server 3.br.pool.ntp.org iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntpstats
> ntpsigndsocket /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 2.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 3.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Does this look correct? Can I ignore Debian's ntp.conf file completely?

Thank you

Hi, Flavio,

Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
Go here: https://github.com/thctlo/samba4/tree/master/howtos
And read the file: stretch-base-2-samba-minimal-ad.txt

This should also work for Debian Jessie, if it errors only remove the words " limited" from the line restrict.

Now, review the code below, you need to make a few small changes.
Like the ntp server and interface names.

#For ntp and an unmodified ntp.conf.
# backup the original debian file.
cp /etc/ntp.conf{,.org-debian}

# Disable the pool servers.
sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf

# Enable a good NTP (stratum 1) server.
# This line, change ntp1.nl.net to a close stable ntp server.
# found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf

cat << EOF >> /etc/ntp.conf
# Enable the interfaces you need. (You need to change eth0 to your interface name.)
# Optional, define which interface ntp could/should use
interface listen lo
interface listen eth0
#interface ignore wildcard
interface ignore ipv6
#
EOF
systemctl restart ntp

# create the ntp_signd folder if not exists.
if [ ! -d /var/lib/samba/ntp_signd/ ]; then
    mkdir -p /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd
    chown root:ntp /var/lib/samba/ntp_signd
fi
# check name group
if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
    echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
    chgrp ntp /var/lib/samba/ntp_signd
fi
# check owner/group rights.
if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
    echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
    chmod 750 /var/lib/samba/ntp_signd
else
    echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
fi

# add the folder location to ntp.conf
cat << EOF >> /etc/ntp.conf
#
###### Needed for Samba 4 ####### in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF

sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
systemctl restart ntp
systemctl status ntp

And you're done.

You're welcome, ;-)

Greetz,

Louis

On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:
> Hi, Flavio,
>
> Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
> Go here: https://github.com/thctlo/samba4/tree/master/howtos
> And read the file: stretch-base-2-samba-minimal-ad.txt

Thanks for your reply Louis!

I've been reading your howtos, but I didn't know how to execute them, so I decided to create a new file as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server a.st1.ntp.br iburst prefer
> server b.st1.ntp.br iburst prefer
> server c.st1.ntp.br iburst prefer
> server d.st1.ntp.br iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntpstats
> ntpsigndsocket /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict a.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict b.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict c.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict d.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
>
> # Interfaces ntp daemon should listen
>
> interface listen lo
> interface listen enp2s0
>
> # Ignore IPv6 wildcard
>
> interface ignore ipv6

As you can see, my "Access control" line doesn't have "noquery" and "limited", but I don't know much about ntp, so I don't know if I should add or not.

Your lines also have -4 and -6, which seems to be related to IPv4 and IPv6, if I plan to use IPv4 only, can I stick with "default"?

Thanks

Hi Flavio,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday 13 September 2017 16:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] File server questions
>
> Thanks for your reply Louis!
>
> I've been reading your howtos, but I didn't know how to
> execute them, so
> I decided to create a new file as below:

These are not executable yet. That's why they are in .txt files.
You can use them as guidance.

> As you can see, my "Access control" line doesn't have "noquery" and
> "limited", but I don't know much about ntp, so I don't know
> if I should add or not.
>
> Your lines also have -4 and -6, which seems to be related to IPv4 and
> IPv6, if I plan to use IPv4 only, can I stick with "default"?
>
> Thanks

I suggest, use the interface ignore ipv6 (you already did set it) for the ipv6 IP numbers, except localhost-ipv6 ( ::1 ).
The other defaults are good to start with, then when everything is running correctly, only then go optimize the config.
And only one thing at a time, or you end up in a mess.. Just a tip.

So below is a copy-paste of an original Jessie ntp.conf (from before my upgrade to Stretch).
And for you, I changed it to your setup.
See what I did and compare it to yours.

####### NTP Begin ( Debian Jessie version )
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server a.st1.ntp.br
server b.st1.ntp.br
server c.st1.ntp.br

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

interface listen lo
interface listen enp2s0
#interface ignore wildcard
interface ignore ipv6

###### Needed for Samba 4 ######
# in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
####### NTP end

Greetz,

Louis
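
An added example, not part of any message in this thread: a small shell audit of an ntp.conf for the settings discussed above (mssntp, noquery and limited on the default restrict rules, ntpsigndsocket, and the 750 root:ntp directory). The function names and the constructed sample config are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the Samba AD DC settings in this thread.

# Print every "restrict default" rule (with or without -4/-6), blanks squeezed.
default_restrict_lines() {
    grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$1" |
        tr '\t' ' ' | tr -s ' '
}

# True if word $2 is one of the space-separated words of line $1.
has_word() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# Print findings for config file $1; return 1 if any FAIL was printed.
audit_ntp_conf() {
    conf=$1; rc=0
    rules=$(default_restrict_lines "$conf")
    [ -n "$rules" ] || { echo "FAIL no 'restrict default' rule found"; rc=1; }
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if has_word "$rule" mssntp; then echo "OK   mssntp set: $rule"
        else echo "FAIL mssntp missing, AD clients get no signed time: $rule"; rc=1; fi
        has_word "$rule" noquery ||
            echo "WARN noquery missing, ntpq/ntpdc queries allowed from anywhere: $rule"
        has_word "$rule" limited ||
            echo "INFO limited missing, no rate limiting: $rule"
    done <<EOF
$rules
EOF
    sock=$(awk '$1 == "ntpsigndsocket" { print $2 }' "$conf" | tail -n 1)
    if [ -n "$sock" ]; then echo "OK   ntpsigndsocket $sock"
    else echo "FAIL ntpsigndsocket not set"; rc=1; fi
    return $rc
}

# Check that directory $1 is mode 750 and owned by $2:$3 (default root:ntp).
check_signd_dir() {
    dir=$1; want="750 ${2:-root} ${3:-ntp}"
    [ -d "$dir" ] || { echo "FAIL $dir does not exist"; return 1; }
    have=$(stat -c '%a %U %G' "$dir")   # GNU stat, as used in the thread's script
    [ "$have" = "$want" ] && { echo "OK   $dir is $have"; return 0; }
    echo "FAIL $dir is '$have', expected '$want'"; return 1
}

# Constructed sample: the default restrict rule and socket line from the
# hand-written config in the thread, written to a temporary file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
ntpsigndsocket /var/lib/samba/ntp_signd/
EOF
    audit_ntp_conf "$tmp"; status=$?
    rm -f "$tmp"
    return $status
}
demo
```

On a DC, call `audit_ntp_conf /etc/ntp.conf` and `check_signd_dir /var/lib/samba/ntp_signd` after editing the file and before restarting ntp.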