Alexei Rozenvaser
2018-Jun-03 14:40 UTC
[Samba] chrony configuration for secondary samba DC
By the way, there is an ntpsigndsocket option in the chrony configuration file.
https://chrony.tuxfamily.org/doc/3.3/chrony.conf.html#ntpsigndsocket

Can you please look at https://wiki.alpinelinux.org/wiki/Setting_up_a_samba-ad-dc and maybe https://chrony.tuxfamily.org/comparison.html ?

On Sun, Jun 3, 2018 at 5:32 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 3 Jun 2018 17:11:47 +0300
> Alexei Rozenvaser <alexei.roz at gmail.com> wrote:
>
> > On Sun, Jun 3, 2018 at 4:51 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Sun, 3 Jun 2018 16:29:04 +0300
> > > Alexei Rozenvaser via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi
> > > >
> > > > I'm running samba 4.7.6 on ubuntu 18.04 as (backup / secondary)
> > > > domain controller
> > >
> > > No you're not, you are just running Samba as another DC, all DCs are
> > > equal except for the FSMO roles and they can be on any DC.
> > >
> > >>>
> > >>>Yes, you are right. That's exactly what I meant.
> > >>>
> > > > that joined to an Existing Active Directory (Windows
> > > > 2012R2 server).
> > > > The question is about Time Synchronization across the domain.
> > > > How should I configure chrony v3.2 in order to provide time
> > > > synchronization:
> > >
> > > apt-get purge chrony
> > > apt-get install ntp
> > >
> > > then read this:
> > >
> > > https://wiki.samba.org/index.php/Time_Synchronisation
> > >
> > > Rowland
> > >
> > >>>
> > >>>I read this article.
> > >>>But unfortunately it applies to ntpd only.
> > >>>Don't you think it's better to study how to configure chrony, since
> > >>>it became the default Ubuntu NTP server?
> > >>>
> >
> It might be Ubuntu's default time server, but it will not work on a
> Samba DC, you must use ntp.
> Try running "sudo samba -b | grep 'SIGND'", what are the first three
> letters in the output?
>
> Rowland
>

--
Alexei Rozenvaser
On Sun, 2018-06-03 at 17:40 +0300, Alexei Rozenvaser via samba wrote:
> By the way there is ntpsigndsocket option in chrony configuration
> file. https://chrony.tuxfamily.org/doc/3.3/chrony.conf.html#ntpsigndsocket
> Can you please look at
> https://wiki.alpinelinux.org/wiki/Setting_up_a_samba-ad-dc and maybe
> https://chrony.tuxfamily.org/comparison.html ?

Neat! While the protocol involved is a disgusting hack (both the MS-SNTP thing and the named pipe protocol I did with the ntp.org folks to make it support it), I'm glad other NTP servers can now integrate with Samba's AD DC.

Perhaps when everyone has cooled down a little we can get the Samba wiki page updated with this information?

In terms of software history, ntp.org is on its way out and it would be good to have instructions to work with whatever is the current defaults.

(Mark Atwood from ntpsec did promise to re-implement the mssntp support they ripped out, but that was with me promising to write a test client and I never did. Oops).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Mon, 04 Jun 2018 04:59:55 +0200
Andrew Bartlett <abartlet at samba.org> wrote:

> Perhaps when everyone has cooled down a little we can get the Samba
> wiki page updated with this information?

Sorry, but no, I don't think this is a good idea (yet), most distros do not have a new enough version of chrony for it to work. Put it on the Samba wiki that you can use chrony instead of ntp and most users will miss that you need a version of chrony that their distro cannot supply.

Rowland
L.P.H. van Belle
2018-Jun-04 08:41 UTC
[Samba] chrony configuration for secondary samba DC
I agree more with Andrew here. At least adding the needed version on the wiki will help. What people choose is their thing.

Debian (and all its clones), as of Debian Stable (Stretch), support chrony.

chrony (3.0-1) unstable; urgency=medium
  * Merge branch “experimental”:
    - Enable support for MS-SNTP authentication in Samba.

It's there as of: Tue, 17 Jan 2017 22:05:31 +0100 (experimental)

https://chrony.tuxfamily.org/comparison.html

And people should read: https://www.coreinfrastructure.org/blogs/securing-network-time/

And yes, most distros now have chrony 3.0, only not the older distros. Like debian 8/Ubuntu 16.04, RH6.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday, 4 June 2018 10:27
> To: Andrew Bartlett
> CC: samba at lists.samba.org
> Subject: Re: [Samba] chrony configuration for secondary samba DC
>
> On Mon, 04 Jun 2018 04:59:55 +0200
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > Perhaps when everyone has cooled down a little we can get the Samba
> > wiki page updated with this information?
>
> Sorry, but no, I don't think this is a good idea (yet), most distros do
> not have a new enough version of chrony for it to work. Put it on the
> Samba wiki that you can use chrony instead of ntp and most users will
> miss that you need a version of chrony that their distro cannot supply.
>
> Rowland
>
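
Added example, not part of any post in this thread: a pre-flight check for the two conditions discussed above, a chronyd of at least version 3.0 built with signd support and a Samba build that reports a signd socket directory, which then prints the matching ntpsigndsocket line for chrony.conf. The "+SIGND" feature flag in "chronyd -v" output and the NTP_SIGND_SOCKET_DIR line in "samba -b" output are assumptions about those tools' output format; both sample outputs are constructed.

```shell
#!/bin/sh
# Added illustration; both sample outputs below are constructed, not captured.
SAMPLE_CHRONYD_V='chronyd (chrony) version 3.2 (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG)'
SAMPLE_SAMBA_B='Paths:
   SBINDIR: /usr/sbin
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
   PRIVATE_DIR: /var/lib/samba/private'

# Succeeds when the "chronyd -v" text shows major version >= 3 (the version
# the thread cites for MS-SNTP support) and the +SIGND feature compiled in.
chrony_signd_ok() {
    major=$(printf '%s\n' "$1" | sed -n 's/.* version \([0-9][0-9]*\)\..*/\1/p' | head -n 1)
    [ -n "$major" ] || return 1
    [ "$major" -ge 3 ] || return 1
    case "$1" in
        *+SIGND*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the directory Samba's ntp_signd service listens in, taken from
# "samba -b" text; prints nothing if the build reports none.
signd_dir() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*NTP_SIGND_SOCKET_DIR:[[:space:]]*//p' | head -n 1
}

# chrony_conf_line "<chronyd -v text>" "<samba -b text>"
# Prints the chrony.conf directive, or explains why it cannot be used.
chrony_conf_line() {
    chrony_signd_ok "$1" || {
        echo "chronyd is older than 3.0 or built without signd support" >&2
        return 1
    }
    dir=$(signd_dir "$2")
    [ -n "$dir" ] || {
        echo "samba -b reports no NTP_SIGND_SOCKET_DIR" >&2
        return 1
    }
    printf 'ntpsigndsocket %s\n' "$dir"
}

# Run against the constructed samples.
chrony_conf_line "$SAMPLE_CHRONYD_V" "$SAMPLE_SAMBA_B"
```

On a DC, pass "$(chronyd -v)" and "$(samba -b)" in place of the samples. The account chronyd runs as also needs access to that directory, which this check does not test.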
Alexei Rozenvaser
2018-Jun-04 08:44 UTC
[Samba] chrony configuration for secondary samba DC
Voice of wisdom :-)

On Mon, Jun 4, 2018 at 5:59 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Sun, 2018-06-03 at 17:40 +0300, Alexei Rozenvaser via samba wrote:
> > By the way there is ntpsigndsocket option in chrony configuration
> > file. https://chrony.tuxfamily.org/doc/3.3/chrony.conf.html#ntpsigndsocket
> > Can you please look at
> > https://wiki.alpinelinux.org/wiki/Setting_up_a_samba-ad-dc and maybe
> > https://chrony.tuxfamily.org/comparison.html ?
>
> Neat! While the protocol involved is a disgusting hack (both the MS-SNTP
> thing and the named pipe protocol I did with the ntp.org folks to
> make it support it), I'm glad other NTP servers can now integrate with
> Samba's AD DC.
>
> Perhaps when everyone has cooled down a little we can get the Samba
> wiki page updated with this information?
>
> In terms of software history, ntp.org is on its way out and it would
> be good to have instructions to work with whatever is the current
> defaults.
>
> (Mark Atwood from ntpsec did promise to re-implement the mssntp support
> they ripped out, but that was with me promising to write a test client
> and I never did. Oops).
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>

--
Alexei Rozenvaser