Andreas Schneider
2018-Jun-04 08:48 UTC
[Samba] chrony configuration for secondary samba DC
On Sunday, 3 June 2018 16:32:12 CEST Rowland Penny via samba wrote:
> On Sun, 3 Jun 2018 17:11:47 +0300
> Alexei Rozenvaser <alexei.roz at gmail.com> wrote:
> > On Sun, Jun 3, 2018 at 4:51 PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > > On Sun, 3 Jun 2018 16:29:04 +0300
> > > Alexei Rozenvaser via samba <samba at lists.samba.org> wrote:
> > > > Hi
> > > >
> > > > I'm running samba 4.7.6 on ubuntu 18.04 as (backup / secondary)
> > > > domain controller
> > >
> > > No, you're not, you are just running Samba as another DC, all DCs are
> > > equal except for the FSMO roles and they can be on any DC.
> >
> > >>> Yes, you are right. That's exactly what I meant.
> >
> > > > that joined to an existing Active Directory (Windows
> > > > 2012R2 server).
> > > > The question is about Time Synchronization across the domain.
> > > > How should I configure chrony v3.2 in order to provide time
> > > > synchronization:
> > >
> > > apt-get purge chrony
> > > apt-get install ntp
> > >
> > > then read this:
> > >
> > > https://wiki.samba.org/index.php/Time_Synchronisation
> > >
> > > Rowland
> >
> > >>> I read this article.
> > >>> But unfortunately it applies to ntpd only.
> > >>> Don't you think it's better to study how to configure chrony, since
> > >>> it has become Ubuntu's default NTP server?
>
> It might be Ubuntu's default time server, but it will not work on a
> Samba DC, you must use ntp.
> Try running 'sudo samba -b | grep SIGND', what are the first three
> letters in the output ?

Rowland, chrony should work fine with Samba as support for ntp_signed
has been added with version 3.1. I've worked with the chrony developer
implementing it.

It would be great if someone could update the Time_Synchronisation
tutorial with details for chrony as it seems it will replace ntpd.

chrony with Samba support has also been added to RHEL 7.4.


Andreas
On Mon, 04 Jun 2018 10:48:17 +0200
Andreas Schneider <asn at samba.org> wrote:
> On Sunday, 3 June 2018 16:32:12 CEST Rowland Penny via samba wrote:
> > On Sun, 3 Jun 2018 17:11:47 +0300
> > Alexei Rozenvaser <alexei.roz at gmail.com> wrote:
> > > On Sun, Jun 3, 2018 at 4:51 PM Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > > > On Sun, 3 Jun 2018 16:29:04 +0300
> > > > Alexei Rozenvaser via samba <samba at lists.samba.org> wrote:
> > > > > Hi
> > > > >
> > > > > I'm running samba 4.7.6 on ubuntu 18.04 as (backup /
> > > > > secondary) domain controller
> > > >
> > > > No, you're not, you are just running Samba as another DC, all DCs
> > > > are equal except for the FSMO roles and they can be on any DC.
> > >
> > > >>> Yes, you are right. That's exactly what I meant.
> > >
> > > > > that joined to an existing Active Directory (Windows
> > > > > 2012R2 server).
> > > > > The question is about Time Synchronization across the domain.
> > > > > How should I configure chrony v3.2 in order to provide time
> > > > > synchronization:
> > > >
> > > > apt-get purge chrony
> > > > apt-get install ntp
> > > >
> > > > then read this:
> > > >
> > > > https://wiki.samba.org/index.php/Time_Synchronisation
> > > >
> > > > Rowland
> > >
> > > >>> I read this article.
> > > >>> But unfortunately it applies to ntpd only.
> > > >>> Don't you think it's better to study how to configure chrony,
> > > >>> since it has become Ubuntu's default NTP server?
> >
> > It might be Ubuntu's default time server, but it will not work on a
> > Samba DC, you must use ntp.
> > Try running 'sudo samba -b | grep SIGND', what are the first three
> > letters in the output ?
>
> Rowland, chrony should work fine with Samba as support for ntp_signed
> has been added with version 3.1. I've worked with the chrony
> developer implementing it.

Yes it does seem to work on a Samba AD DC, but (as seems to be normal)
the documentation is abysmal (i.e. it was written by a developer, who
knows how it works, rather than a user who is trying to find out how it
works).

In ntp.conf you set a line like this:

restrict default kod nomodify notrap nopeer mssntp

I cannot find anything that tells me what chrony replaces 'restrict'
with. Is it needed? Is there something that replaces it, or can you
safely ignore it?

Until all the questions are answered and all the kinks are ironed out,
Samba shouldn't support chrony in the way it does ntp.

Rowland
Hi Rowland/list,

Not that I'm pro chrony, I still prefer ntp.

If everybody with an OS below tests this, and reports back like below,
then all settings are findable through the list.

Please review / check it.


Requirements: chrony 3.x+, this depends on the distro version.
Debian 9        : 3.0  checked - done - OK
Ubuntu 17.10    : 3.1
Ubuntu 18.04    : 3.2  checked - done - OK
Fedora 26       : 3.2
Mageia Cauldron : 3.3
CentOS 7.5      : 3.2
openSUSE 15     : 3.2

################################################################
Below is tested on Debian 9 and Ubuntu 18.04:

apt-get install chrony
# Install and cleanup ntp is: apt-get install chrony --autoremove
chgrp "_chrony" /var/lib/samba/ntp_signd

Add the following at the end of /etc/chrony/chrony.conf

echo "
#(optional : bindaddress 192.168.1.1 or the FQDN of the AD DC)
ntpsigndsocket /var/lib/samba/ntp_signd

#(optional allow/deny in order of processing)
#allow 192.168.1.0/24
# or set more allow/deny. Watch the order ( top to bottom )!
#allow 192.168.1.2
#deny 192.168.1
#allow 192.168.2" >> /etc/chrony/chrony.conf

editor /etc/chrony/chrony.conf
And set your own timeservers.
Format: server your.time.server.tld iburst

systemctl restart chrony
systemctl restart samba-ad-dc

And check chrony time with:
chronyc tracking
################################################################


Reboot a pc, login and check time via event log messages.

For the list members, so far it looks like it's no problem if you run
chrony and ntp on different servers. At the moment I'm running DC1 with
chrony and DC2 with ntp.

Important note here: you must set the source servers manually.
If you use a pool server, these can rotate and can put your time out of
sync. So do set a close (stratum 1 public NTP) server.


Greetz,

Louis
On Mon, 4 Jun 2018 16:01:42 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hi Rowland/list,
>
> Not that I'm pro chrony, I still prefer ntp.
>
> If everybody with an OS below tests this, and reports back like below,
> then all settings are findable through the list.
>
> Please review / check it.
>
>
> Requirements: chrony 3.x+, this depends on the distro version.
> Debian 9        : 3.0  checked - done - OK
> Ubuntu 17.10    : 3.1
> Ubuntu 18.04    : 3.2  checked - done - OK
> Fedora 26       : 3.2
> Mageia Cauldron : 3.3
> CentOS 7.5      : 3.2
> openSUSE 15     : 3.2
>
> ################################################################
> Below is tested on Debian 9 and Ubuntu 18.04:
>
> apt-get install chrony
> # Install and cleanup ntp is: apt-get install chrony --autoremove
> chgrp "_chrony" /var/lib/samba/ntp_signd
>
> Add the following at the end of /etc/chrony/chrony.conf
>
> echo "
> #(optional : bindaddress 192.168.1.1 or the FQDN of the AD DC)
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> #(optional allow/deny in order of processing)
> #allow 192.168.1.0/24
> # or set more allow/deny. Watch the order ( top to bottom )!
> #allow 192.168.1.2
> #deny 192.168.1
> #allow 192.168.2" >> /etc/chrony/chrony.conf
>
> editor /etc/chrony/chrony.conf
> And set your own timeservers.
> Format: server your.time.server.tld iburst
>
> systemctl restart chrony
> systemctl restart samba-ad-dc
>
> And check chrony time with:
> chronyc tracking
> ################################################################
>
>
> Reboot a pc, login and check time via event log messages.
>
> For the list members, so far it looks like it's no problem if you run
> chrony and ntp on different servers. At the moment I'm running DC1 with
> chrony and DC2 with ntp.
>
> Important note here: you must set the source servers manually.
> If you use a pool server, these can rotate and can put your time out
> of sync. So do set a close (stratum 1 public NTP) server.
>
>
> Greetz,
>
> Louis
>

Yours looks very similar to mine and I agree that ntp on one and chrony
on the other seems to work ok.
It just seems that you don't have the fine security control that ntp
does, unless I haven't found the right documentation yet ;-)

Rowland
> Yours looks very similar to mine and I agree that ntp on one and chrony
> on the other seems to work ok.
> It just seems that you don't have the fine security control that ntp
> does, unless I haven't found the right documentation yet ;-)
>
> Rowland
>

Yes, the security control for example is the allow/deny part.
Chrony and ntp are processing the configs from top to bottom, so you can
overrule other defaults if needed.

In the meantime I've looked up some things, some random comments you can
find on the internet.

- Chrony also seems to work way better than ntpd in VMs (for some reason).
- Chrony supports KVM's paravirtualized PTP clock, which gives pretty good
  accuracy.
- The most obvious reason chrony is more secure is its apparent simplicity,
  compared to the legacy mess that is ntpd, riddled with ancient landmines
  and old coding standards.

It is one of the reasons they mention security reasons for using chrony in
the RHEL7 documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite
^^ A must read ^^ shows some nice things there.

And the already known link: https://chrony.tuxfamily.org/comparison.html

Summary, a snapshot of the important parts.
Chrony is more secure, but does not broadcast to clients, and has better VM
support.
Ntp supports clustering, chrony does not, but is well known.
Both work. ;-) if you check your OS for the chrony version before installing.

I suggest, choose what you want.
If you need clustering you must use ntp.
If you need broadcasting to clients, you must use ntp.
Anything other, you choose. Both work.

Greetz,

Louis
On Mon, 4 Jun 2018 17:45:20 +0200
Miroslav Lichvar <mlichvar at redhat.com> wrote:
> On Mon, Jun 04, 2018 at 04:54:36PM +0200, Andreas Schneider wrote:
> > On Monday, 4 June 2018 14:52:34 CEST Rowland Penny wrote:
> > > In ntp.conf you set a line like this:
> > >
> > > restrict default kod nomodify notrap nopeer mssntp
> > >
> > > I cannot find anything that tells me what chrony replaces
> > > 'restrict' with. Is it needed ? is there something that replaces
> > > it, or can you safely ignore it?
> > >
> > > Until all the questions are answered and all the kinks are ironed
> > > out, Samba shouldn't support chrony in the way it does ntp
> >
> > Miroslav, can you explain the missing details?
>
> I think the important difference between ntpd and chrony wrt to
> ntp_signd is that ntpd has a special restriction for MS-SNTP packets
> (the mssntp option). I think this is because it is generally not
> possible to limit all client access (e.g. servers can always request
> time from ntpd clients) and also to limit addresses that can block
> ntpd as the communication with ntp_signd is synchronous.
>
> chronyd doesn't make a difference between non-MS-SNTP and MS-SNTP
> packets. There is no blocking due to ntp_signd.
>
> So, when migrating from ntpd to chrony, all "restrict XXX mssntp"
> lines should have a corresponding "allow XXX" line in chrony.conf.
>

That is sort of what I thought, but the docs aren't really that clear ;-)

Rowland
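A worked example that ties Louis's chrony.conf procedure and Miroslav's "restrict XXX mssntp" to "allow XXX" mapping together. This is an added example for this page, not code from the thread, from Samba, or from the chrony or ntp projects: a POSIX shell helper that reads an existing ntp.conf from a DC set up per the wiki and prints the fragment to append to /etc/chrony/chrony.conf, with the upstream servers normalised to "server host iburst", the ntpsigndsocket line, and one allow line for every restrict entry that carried mssntp. The socket path, the IPv4-only netmask handling and the sample ntp.conf it runs against are assumptions made for the example.

```shell
#!/bin/sh
# ntpd -> chrony migration helper for a Samba AD DC.
# Added example for this thread; not code from the thread, Samba, ntp or
# chrony. It derives the fragment Louis appends by hand from an ntp.conf:
#   "server <host> ..."          -> "server <host> iburst"
#   Samba's ntp_signd socket      -> "ntpsigndsocket <path>"
#   "restrict <net> ... mssntp"   -> "allow <net>"   (Miroslav's mapping:
#       chronyd has no MS-SNTP-specific restriction, so every client ntpd
#       served under 'mssntp' needs a plain 'allow' in chrony)
# Assumptions: default Samba socket path, IPv4 dotted-quad masks, and the
# constructed sample ntp.conf written by write_sample_ntp_conf below.
set -f   # no pathname expansion while word-splitting config lines

SIGND_SOCKET=/var/lib/samba/ntp_signd   # Samba default; adjust if moved

# Dotted-quad IPv4 netmask -> prefix length, e.g. 255.255.255.0 -> 24.
mask_to_prefix() {
    prefix=0
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        n=$octet
        while [ "$n" -gt 0 ]; do        # popcount of each octet
            prefix=$((prefix + (n & 1)))
            n=$((n >> 1))
        done
    done
    IFS=$old_ifs
    echo "$prefix"
}

# Emit "server <host> iburst" for each server directive in the ntp.conf $1.
# 'pool' directives are skipped on purpose: pick fixed servers, as Louis says.
servers_from_ntp_conf() {
    conf=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                # drop trailing comment
        set -- $line                    # word-split the directive
        if [ "${1:-}" = server ] && [ -n "${2:-}" ]; then
            echo "server $2 iburst"
        fi
    done < "$conf"
}

# Emit one "allow" line per "restrict ... mssntp" entry in the ntp.conf $1.
# restrict lines without mssntp are dropped: kod/nomodify/notrap/nopeer have
# no chrony counterpart to translate, and chrony only needs to know who may
# query it at all.
allows_from_ntp_conf() {
    conf=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ "${1:-}" = restrict ] || continue
        shift
        case "${1:-}" in -4|-6) shift ;; esac          # address-family flag
        case " $* " in *" mssntp "*) ;; *) continue ;; esac
        net=${1:-}
        [ -n "$net" ] || continue
        shift
        if [ "$net" = default ]; then
            echo "allow"                 # ntpd 'default' = every address; bare allow = all
        elif [ "${1:-}" = mask ] && [ -n "${2:-}" ]; then
            echo "allow $net/$(mask_to_prefix "$2")"
        else
            echo "allow $net"            # single host (or hostname)
        fi
    done < "$conf"
}

# Print the complete fragment to append to /etc/chrony/chrony.conf.
ntp_to_chrony() {
    conf=$1
    echo "# Upstream sources (fixed servers, not a rotating pool)"
    servers_from_ntp_conf "$conf"
    echo
    echo "# Let Samba's ntp_signd sign replies for domain members (MS-SNTP)"
    echo "ntpsigndsocket $SIGND_SOCKET"
    echo
    echo "# Clients that ntpd served via 'restrict ... mssntp'"
    allows_from_ntp_conf "$conf"
}

# Constructed sample ntp.conf (not taken from any real DC), written to $1.
write_sample_ntp_conf() {
    cat > "$1" <<'EOF'
server ntp1.example.org iburst
server ntp2.example.org
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer mssntp  # LAN
restrict -4 10.0.0.5 mssntp
EOF
}

# Demo: show the fragment for the sample file.
sample=$(mktemp)
write_sample_ntp_conf "$sample"
ntp_to_chrony "$sample"
rm -f "$sample"
```

Run it as `sh ntp2chrony.sh` and review the output before appending it: for the sample above it emits the two server lines, the ntpsigndsocket line, and `allow`, `allow 192.168.1.0/24` and `allow 10.0.0.5`. The `chgrp _chrony /var/lib/samba/ntp_signd` step and the service restarts from Louis's procedure still have to be done separately; the script only writes configuration.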