On Tue, 12 Sep 2017 14:41:42 -0300
Flávio Silveira via samba <samba at lists.samba.org> wrote:

> Ok, I understand now, one question though: if realm is
> AD.TECNOPON.COM.BR, does domain need to be AD?

No, you can use anything you like, provided it is one word, 15
characters or less, without punctuation.

> If I understand
> correctly, realm is "full domain with subdomain" and domain is the
> subdomain, yes?

No, the AD realm is the dns domain of the computer in uppercase, it
being a subdomain does not come into it. From your example above, the
dns domain would be: ad.tecnopon.com.br
The realm would be: AD.TECNOPON.COM.BR

Rowland

On 12/09/2017 14:59, Rowland Penny via samba wrote:
> On Tue, 12 Sep 2017 14:41:42 -0300
> Flávio Silveira via samba <samba at lists.samba.org> wrote:
>
>> Ok, I understand now, one question though: if realm is
>> AD.TECNOPON.COM.BR, does domain need to be AD?
> No, you can use anything you like, provided it is one word, 15
> characters or less, without punctuation.
>
>> If I understand
>> correctly, realm is "full domain with subdomain" and domain is the
>> subdomain, yes?
>>
> No, the AD realm is the dns domain of the computer in uppercase, it
> being a subdomain does not come into it. From your example above, the
> dns domain would be: ad.tecnopon.com.br
> The realm would be: AD.TECNOPON.COM.BR
>
> Rowland
>

Great! I've provisioned the domain and moved towards setting up Time Synchronisation by reading this:
https://wiki.samba.org/index.php/Time_Synchronisation

I've set the permissions accordingly:

root at dc1:~# ls -ld /var/lib/samba/ntp_signd/
drwxr-x--- 2 root ntp 4096 Sep 12 16:43 /var/lib/samba/ntp_signd/
root at dc1:~#

Now I'm working on editing ntp.conf.

The tutorial gives a config example as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> server 2.pool.ntp.org iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Debian ntp.conf default is:

> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> # pick a different set every time it starts up. Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> pool 0.debian.pool.ntp.org iburst
> pool 1.debian.pool.ntp.org iburst
> pool 2.debian.pool.ntp.org iburst
> pool 3.debian.pool.ntp.org iburst
>
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery limited
> restrict -6 default kod notrap nomodify nopeer noquery limited
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines. Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient

Given all that I'm guessing I can do something like this, right?

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server 0.br.pool.ntp.org iburst prefer
> server 1.br.pool.ntp.org iburst prefer
> server 2.br.pool.ntp.org iburst prefer
> server 3.br.pool.ntp.org iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntpstats
> ntpsigndsocket /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict 0.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 2.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 3.br.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Does this look correct? Can I ignore Debian's ntp.conf file completely?

Thank you

Hai, Flavio,
Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
Go here: https://github.com/thctlo/samba4/tree/master/howtos
And read the file: stretch-base-2-samba-minimal-ad.txt
This should also work for Debian Jessie, if it errors only remove the word
" limited" from the restrict line.
Now, review the code below, you need to make a few small changes.
Like the ntp server and interface names.

# For ntp and an unmodified ntp.conf.
# backup the original debian file.
cp /etc/ntp.conf{,.org-debian}

# Disable the pool servers.
sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf

# Enable a good NTP (stratum 1) server.
# This line, change ntp1.nl.net to a close stable ntp server.
# found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf

cat << EOF >> /etc/ntp.conf
# Enable the interfaces you need. *( you need to change eth0 to your interface name)
# Optional, define which interface ntp could/should use
interface listen lo
interface listen eth0
#interface ignore wildcard
interface ignore ipv6
#
EOF
systemctl restart ntp

# create the ntp_signd folder if not exists.
if [ ! -d /var/lib/samba/ntp_signd/ ]; then
    mkdir -p /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd
    chown root:ntp /var/lib/samba/ntp_signd
fi
# check name group
if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
    echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
    chgrp ntp /var/lib/samba/ntp_signd
fi
# check owner/group rights.
if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
    echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
    chmod 750 /var/lib/samba/ntp_signd
else
    echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
fi

# add the folder location to ntp.conf
cat << EOF >> /etc/ntp.conf
#
###### Needed for Samba 4 ####### in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF

sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
systemctl restart ntp
systemctl status ntp

And you're done.
You're welcome, ;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday, 13 September 2017 15:17
> To: samba at lists.samba.org
> Subject: Re: [Samba] File server questions
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:
> Hai, Flavio,
>
> Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
> Go here: https://github.com/thctlo/samba4/tree/master/howtos
> And read the file: stretch-base-2-samba-minimal-ad.txt
>
> This should also work for Debian Jessie, if it errors only remove the word " limited" from the restrict line.
>
> Now, review the code below, you need to make a few small changes.
> Like the ntp server and interface names.
>
> # For ntp and an unmodified ntp.conf.
> # backup the original debian file.
> cp /etc/ntp.conf{,.org-debian}
>
> # Disable the pool servers.
> sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf
> sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf
>
>
> # Enable a good NTP (stratum 1) server.
> # This line, change ntp1.nl.net to a close stable ntp server.
> # found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
> sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf
>
> cat << EOF >> /etc/ntp.conf
> # Enable the interfaces you need. *( you need to change eth0 to your interface name)
> # Optional, define which interface ntp could/should use
> interface listen lo
> interface listen eth0
> #interface ignore wildcard
> interface ignore ipv6
> #
> EOF
> systemctl restart ntp
>
> # create the ntp_signd folder if not exists.
> if [ ! -d /var/lib/samba/ntp_signd/ ]; then
>     mkdir -p /var/lib/samba/ntp_signd/
>     chmod 750 /var/lib/samba/ntp_signd
>     chown root:ntp /var/lib/samba/ntp_signd
> fi
> # check name group
> if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then
>     echo "Error incorrect group detected on /var/lib/samba/ntp_signd/, correcting now."
>     chgrp ntp /var/lib/samba/ntp_signd
> fi
> # check owner/group rights.
> if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then
>     echo "Error incorrect group rights detected on /var/lib/samba/ntp_signd/, correcting now."
>     chmod 750 /var/lib/samba/ntp_signd
> else
>     echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)"
> fi
>
>
> # add the folder location to ntp.conf
> cat << EOF >> /etc/ntp.conf
> #
> ###### Needed for Samba 4 ####### in the restrict -4 or -6 added mssntp at the end
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
> #
> EOF
>
> sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
> systemctl restart ntp
> systemctl status ntp
>
> And you're done.
>
> You're welcome, ;-)
>
>
> Greetz,
>
> Louis
>

Thanks for your reply Louis!

I've been reading your howtos, but I didn't know how to execute them, so I decided to create a new file as below:

> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # Where to retrieve the time from
> server a.st1.ntp.br iburst prefer
> server b.st1.ntp.br iburst prefer
> server c.st1.ntp.br iburst prefer
> server d.st1.ntp.br iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntpstats
> ntpsigndsocket /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
>
> # No restrictions for "localhost"
> restrict 127.0.0.1
>
> # Enable the time sources to only provide time to this host
> restrict a.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict b.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict c.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict d.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
>
> # Interfaces ntp daemon should listen
>
> interface listen lo
> interface listen enp2s0
>
> # Ignore IPv6 wildcard
>
> interface ignore ipv6

As you can see, my "Access control" line doesn't have "noquery" and "limited", but I don't know much about ntp, so I don't know if I should add or not.

Your lines also have -4 and -6, which seems to be related to IPv4 and IPv6, if I plan to use IPv4 only, can I stick with "default"?

Thanks

Hai Flavio,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Flávio Silveira via samba
> Sent: Wednesday, 13 September 2017 16:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] File server questions
>
>
>
> On 13/09/2017 10:36, L.P.H. van Belle via samba wrote:
> > Hai, Flavio,
> >
> > Yes, it looks good, but I suggest, if you are setting up a new DC on Debian..
> > Go here: https://github.com/thctlo/samba4/tree/master/howtos
> > And read the file: stretch-base-2-samba-minimal-ad.txt
> >
> >
>
> Thanks for your reply Louis!
>
> I've been reading your howtos, but I didn't know how to execute them, so
> I decided to create a new file as below:

These are not executable yet. That's why they are in .txt files.
You can use it as guidance.

>
> > # Local clock. Note that is not the "localhost" address!
> > server 127.127.1.0
> > fudge 127.127.1.0 stratum 10
> >
> > # Where to retrieve the time from
> > server a.st1.ntp.br iburst prefer
> > server b.st1.ntp.br iburst prefer
> > server c.st1.ntp.br iburst prefer
> > server d.st1.ntp.br iburst prefer
> >
> > driftfile /var/lib/ntp/ntp.drift
> > logfile /var/log/ntpstats
> > ntpsigndsocket /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer mssntp
> >
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> >
> > # Enable the time sources to only provide time to this host
> > restrict a.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict b.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict c.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict d.st1.ntp.br mask 255.255.255.255 nomodify notrap nopeer noquery
> >
> > # Interfaces ntp daemon should listen
> >
> > interface listen lo
> > interface listen enp2s0
> >
> > # Ignore IPv6 wildcard
> >
> > interface ignore ipv6
>
> As you can see, my "Access control" line doesn't have "noquery" and
> "limited", but I don't know much about ntp, so I don't know
> if I should add or not.
>
> Your lines also have -4 and -6, which seems to be related to IPv4 and
> IPv6, if I plan to use IPv4 only, can I stick with "default"?
>
> Thanks
>

I suggest, use the interface ignore ipv6 ( you already did set it ) for the ipv6 ipnumbers, except localhost-ipv6. ( ::1 )
The other defaults are good to start with, then when everything is running correct, only then go optimize the config.
And only one thing at a time, or you end up in a mess.. Just a tip.

So below is a copy-paste of an original jessie ntp.conf ( from before my upgrade to stretch)
And for you, I changed it to your setup.
See what I did and compare it to yours.

####### NTP Begin ( Debian Jessie version )
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server a.st1.ntp.br
server b.st1.ntp.br
server c.st1.ntp.br

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

interface listen lo
interface listen enp2s0
#interface ignore wildcard
interface ignore ipv6

###### Needed for Samba 4 ######
# in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
####### NTP end

Greetz,

Louis
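
Added example, not part of the thread or of either poster's scripts: a read-only check of the two things the configs above depend on, namely that every active "restrict ... default" line carries mssntp and that the ntpsigndsocket directory has the expected mode, owner and group. The function names and the sample config are constructed for illustration; it assumes GNU stat (as used in the thread) and reports the last ntpsigndsocket line if there are several.

```sh
#!/bin/sh
# Added example: read-only audit of the ntpd settings a Samba AD DC relies on.
# Function names and the demo config are constructed, not taken from the thread.

# Print the directory named on the last active (uncommented) ntpsigndsocket line.
signd_path() {
    awk '$1 == "ntpsigndsocket" { p = $2 } END { if (p != "") print p }' "$1"
}

# Report active "restrict ... default ..." lines without mssntp, or their absence.
restrict_default_findings() {
    awk '$1 == "restrict" {
        def = 0; ms = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "default") def = 1
            if ($i == "mssntp") ms = 1
        }
        if (def) seen = 1
        if (def && !ms) print "without mssntp: " $0
    }
    END { if (!seen) print "no active restrict default line" }' "$1"
}

# check_signd_dir DIR MODE OWNER GROUP: 0 if DIR matches, 1 otherwise.
check_signd_dir() {
    d=$1; dir_rc=0
    [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    [ "$(stat -c '%a' "$d")" = "$2" ] || { echo "$d: mode is not $2"; dir_rc=1; }
    [ "$(stat -c '%U' "$d")" = "$3" ] || { echo "$d: owner is not $3"; dir_rc=1; }
    [ "$(stat -c '%G' "$d")" = "$4" ] || { echo "$d: group is not $4"; dir_rc=1; }
    return $dir_rc
}

# audit_ntp_conf CONF MODE OWNER GROUP: 0 only if every check passes.
audit_ntp_conf() {
    conf=$1; audit_rc=0
    sock=$(signd_path "$conf")
    if [ -z "$sock" ]; then
        echo "$conf: no ntpsigndsocket line"; audit_rc=1
    else
        check_signd_dir "$sock" "$2" "$3" "$4" || audit_rc=1
    fi
    bad=$(restrict_default_findings "$conf")
    if [ -n "$bad" ]; then
        echo "$conf: $bad"; audit_rc=1
    fi
    return $audit_rc
}

# Demo on a constructed config in a temporary directory (never /etc/ntp.conf):
# the -4 line is the unmodified Debian default, so the audit flags it.
demo() {
    t=$(mktemp -d); mkdir "$t/ntp_signd"; chmod 750 "$t/ntp_signd"
    printf '%s\n' \
        "restrict -4 default kod notrap nomodify nopeer noquery limited" \
        "restrict -6 default kod notrap nomodify nopeer noquery limited mssntp" \
        "ntpsigndsocket $t/ntp_signd" > "$t/ntp.conf"
    audit_ntp_conf "$t/ntp.conf" 750 \
        "$(stat -c '%U' "$t/ntp_signd")" "$(stat -c '%G' "$t/ntp_signd")"
    demo_rc=$?; rm -rf "$t"; return $demo_rc
}
demo || echo "demo: audit failed as expected"
```

On a DC set up as described in the thread, the call would be: audit_ntp_conf /etc/ntp.conf 750 root ntp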