After reading the instructions at https://wiki.samba.org/index.php/Time_Synchronisation, I still have questions about how Samba interacts with ntpd.

The issue is that LXD doesn't want containers setting the time and so won't start ntpd at container startup even though it's enabled in systemd. The host does sync its time with a national time server, so we can assume that the host's time is good enough for my purposes.

I can manually start ntpd, but Samba still doesn't want to serve time. Or at least my workstations won't admit to it.

What do I need to do to get Samba to function as a Windows time server in this scenario?

* Samba 4.7.6 in an Ubuntu 18.04 container on an Ubuntu 16.04 host.

Thanks,
Jonathan
On 11/5/18 12:22 PM, Jonathan Kreider via samba wrote:
> After reading the instructions at
> https://wiki.samba.org/index.php/Time_Synchronisation, I still have
> questions about how Samba interacts with ntpd.
>
> The issue is that LXD doesn't want containers setting the time and so won't
> start ntpd at container startup even though it's enabled in systemd. The
> host does sync its time with a national time server, so we can assume that
> the host's time is good enough for my purposes.
>
> I can manually start ntpd, but Samba still doesn't want to serve time. Or
> at least my workstations won't admit to it.
>
> What do I need to do to get Samba to function as a Windows time server in
> this scenario?

I run Samba AD inside OCI containers (podman, docker). For that kind of problem, I run the NTP server on the host and expose the socket on a mounted volume (/srv/samba-ad (host) -> /var/lib/samba (container)). The host running the NTP server can read the socket inside /srv/samba-ad/...

You should be careful with SELinux / AppArmor ACLs (whatever you are using) in order to allow the host ntpd to reach the container-exposed socket ntp_signd.

> * Samba 4.7.6 in an Ubuntu 18.04 container on an Ubuntu 16.04 host.
>
> Thanks,
> Jonathan
Hello! Jonathan Kreider via samba wrote, that day:
> What do I need to do to get Samba to function as a Windows time server in
> this scenario?

Container capabilities can be relaxed to permit time management. In Proxmox container lingo, I have to add to the container config file:

    lxc.cap.drop:
    lxc.cap.drop: mac_admin mac_override sys_module sys_rawio

i.e., explicitly un-drop the 'sys_time' capability.

--
Dr. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà , 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Jonathan Kreider
2018-Nov-06 22:48 UTC
[Samba] Fwd: Time server on AD DC in an LXD container.
Thanks Robert & Marco.

@Robert - I tried your solution, but couldn't get it to work because my host is Ubuntu 16.04 and the chrony version for this is too old to support the ntpsigndsocket option.

@Marco - your response got me searching in another direction. I had tried ntpd in the container, which LXD did not like. My research turned up that Ubuntu now strongly favors chrony as of 18.04 AND that chrony has been patched to work as a time _server_ (which is what I need) in containers.

I've successfully installed chrony in the container and have set up chrony.conf for ntpsigndsocket (and other suggested settings from https://wiki.samba.org/index.php/Time_Synchronisation). I've also verified/set ownership and permissions for /var/lib/samba/ntp_signd. This appears to be the path where Samba expects to find this on the Ubuntu distribution. Is there a way to verify that this is the correct path?

I've restarted both the samba ad dc and chrony services.

However, running w32tm /resync on my W10 domain member is still not working.

running: C:\WINDOWS\system32> w32tm /query /source
returns only -> Local CMOS Clock

Also...
---
C:\WINDOWS\system32> w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
---
How do I further troubleshoot this? Is there a way to check on the server whether my Samba AD DC is able to provide the time service?

Thanks,
Jonathan
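Two of the questions in this message, whether /var/lib/samba/ntp_signd is really the directory Samba uses and how to check on the DC side that the chrony hand-off is in place, can be scripted. The script below is an added example written for this page; it is not code from the Samba wiki, the chrony project or anyone on the list. It assumes that the socket directory should be owned by root, group _chrony (the group Ubuntu's chrony package runs as) with mode 0750, that chrony.conf lives at /etc/chrony/chrony.conf, and that GNU coreutils stat is available. The one Samba-specific fact it relies on is that testparm -sv prints the effective value of the smb.conf parameter 'ntp signd socket directory', built-in default included.

```shell
#!/bin/sh
# Sanity checks for the ntp_signd hand-off between a Samba AD DC and chrony.
# Constructed example for this thread, not project code. Assumptions (adjust
# for your distribution):
#   - the socket directory is root-owned, group "_chrony", mode 0750
#   - GNU coreutils "stat -c" is available

# Effective 'ntp signd socket directory' according to the running Samba
# configuration. testparm prints the built-in default when smb.conf does not
# set it, so this answers "is /var/lib/samba/ntp_signd the right path?".
# Needs the samba tools installed; not used by the offline checks below.
samba_signd_dir() {
    testparm -sv 2>/dev/null |
        sed -n 's/^[[:space:]]*ntp signd socket directory = //p'
}

# Directory named by the ntpsigndsocket directive in a chrony.conf.
# Prints nothing and returns 1 when the directive is absent.
chrony_signd_dir() {
    dir=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$1")
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Whether chrony.conf lets any client talk to it at all; without an "allow"
# directive chronyd serves nobody, which looks like "no time data" on clients.
chrony_allows_clients() {
    awk '$1 == "allow" { found = 1 } END { exit !found }' "$1"
}

# Verify the socket directory: exists, owner/group/mode as expected, and the
# "socket" the AD DC creates at start-up is present. One reason per line on
# stderr, non-zero return on any failure.
check_signd_dir() {
    dir=$1 owner=${2:-root} group=${3:-_chrony} rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    [ "$(stat -c %U "$dir")" = "$owner" ] ||
        { echo "owner of $dir is $(stat -c %U "$dir"), expected $owner" >&2; rc=1; }
    [ "$(stat -c %G "$dir")" = "$group" ] ||
        { echo "group of $dir is $(stat -c %G "$dir"), expected $group" >&2; rc=1; }
    [ "$(stat -c %a "$dir")" = "750" ] ||
        { echo "mode of $dir is $(stat -c %a "$dir"), expected 750" >&2; rc=1; }
    [ -e "$dir/socket" ] ||
        { echo "no socket in $dir; is samba running as an AD DC?" >&2; rc=1; }
    return $rc
}

# Run everything against the live system (chrony.conf path is an assumption).
main() {
    conf=${1:-/etc/chrony/chrony.conf}
    dir=$(chrony_signd_dir "$conf") ||
        { echo "no ntpsigndsocket directive in $conf" >&2; return 1; }
    chrony_allows_clients "$conf" ||
        echo "warning: no 'allow' directive in $conf, clients will be refused" >&2
    samba_dir=$(samba_signd_dir)
    [ -z "$samba_dir" ] || [ "$samba_dir" = "$dir" ] ||
        { echo "chrony points at $dir but Samba uses $samba_dir" >&2; return 1; }
    check_signd_dir "$dir"
}

# Run only when invoked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    shift
    main "$@"
fi
```

On the DC, run it as: sh check_ntp_signd.sh --check [/path/to/chrony.conf]. A mismatch between the chrony directive and the testparm value, a wrong group or mode, or a missing socket file each prints its own reason, which is usually enough to see which side of the hand-off is broken. It only covers the DC side; the w32tm output on the client remains a separate check.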
Further investigations reveal:
---
C:\WINDOWS\system32> w32tm /monitor
GetDcList failed with error code: 0x800706BA.
Exiting with error 0x800706BA
---
Error 0x800706BA indicates that the RPC server is unavailable.

Any ideas?

Thanks,
Jonathan Kreider

On Tue, Nov 6, 2018 at 5:48 PM Jonathan Kreider <jonathan.kreider at gmail.com> wrote:
>
> Thanks Robert & Marco.
>
> @Robert - I tried your solution, but couldn't get it to work because my
> host is Ubuntu 16.04 and the chrony version for this is too old to support
> the ntpsigndsocket option.
>
> @Marco - your response got me searching in another direction. I had tried
> ntpd in the container, which LXD did not like. My research turned up that
> Ubuntu now strongly favors chrony as of 18.04 AND that chrony has been
> patched to work as a time _server_ (which is what I need) in containers.
>
> I've successfully installed chrony in the container and have set up
> chrony.conf for ntpsigndsocket (and other suggested settings from
> https://wiki.samba.org/index.php/Time_Synchronisation). I've also
> verified/set ownership and permissions for /var/lib/samba/ntp_signd. This
> appears to be the path where Samba expects to find this on the Ubuntu
> distribution. Is there a way to verify that this is the correct path?
>
> I've restarted both the samba ad dc and chrony services.
>
> However, running w32tm /resync on my W10 domain member is still not
> working.
>
> running: C:\WINDOWS\system32> w32tm /query /source
> returns only -> Local CMOS Clock
>
> Also...
> ---
> C:\WINDOWS\system32> w32tm /resync /rediscover
> Sending resync command to local computer
> The computer did not resync because no time data was available.
> ---
> How do I further troubleshoot this? Is there a way to check on the server
> whether my Samba AD DC is able to provide the time service?
>
> Thanks,
> Jonathan