Stephen
2019-Apr-08 14:51 UTC
[Samba] Questions about time synchronisation in a multi-DC Samba environment
Hi All,

I am currently running a setup with a main DC ad1, that has ntpd installed and is currently configured to retrieve the time from the UK NTP time pool. I also have a second backup AD DC, ad2, on which I have not installed ntpd but I have installed ntpdate. My current understanding is that the setup I have just described is in line with the recommended best practices outlined in the following document: https://wiki.samba.org/index.php/Time_Synchronisation

My question is this:

How do those of you using Samba in multi DC setups ensure that time remains synchronised between all the DCs present in the domain when using this kind of arrangement? Obviously ad1 will keep itself accurately synchronised here automatically since it has already been configured to use ntpd. My concern here is the other slave DCs in the setup such as ad2 which currently lack ntpd.

At the moment, when I create my server ad2 within my script I call ntpdate -u ad1 to synchronise the time on ad2 against ad1 initially. When I do this I see the following output which seems correct:

pi@ad2:~ $ sudo ntpdate -u ad1
8 Apr 15:39:16 ntpdate[602]: adjust time server 192.168.1.229 offset -0.000224 sec

Whilst this approach does seem to work, my understanding here is that synchronisation via ntpdate is a one-off event. So my concern is after this initial synchronisation during the server commissioning process the ad2 clock could slowly drift away from ad1, eventually breaking Kerberos authentication when this drift reaches approximately 5 minutes.

How can I make sure my ad2 clock remains in step with ad1 and re-synchronises repeatedly? Is a regular cron job and ntpdate the answer here, or do people usually use a different approach in their own networks? Please enlighten me!

Kind Regards
Stephen Ellwood

The ntp.conf file used on my ad1 server is posted below:

pi@ad1:~ $ cat /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
pool 0.uk.pool.ntp.org iburst
pool 1.uk.pool.ntp.org iburst
pool 2.uk.pool.ntp.org iburst
pool 3.uk.pool.ntp.org iburst

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
L.P.H. van Belle
2019-Apr-08 14:56 UTC
[Samba] Questions about time synchronisation in a multi-DC Samba environment
Hai,

For all DC's, set up NTP. And point all DC's to the same source.
To avoid different time offsets, use a STRATUM 1 NTP server and don't use the default pools.
https://support.ntp.org/bin/view/Servers/StratumOneTimeServers
Look up a server close to you.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stephen via samba
> Sent: Monday 8 April 2019 16:52
> To: samba at lists.samba.org
> Subject: [Samba] Questions about time synchronisation in a multi-DC Samba environment
>
> Hi All,
>
> I am currently running a setup with a main DC ad1, that has ntpd
> installed and is currently configured to retrieve the time from the UK
> NTP time pool. I also have a second backup AD DC, ad2, on which I have
> not installed ntpd but I have installed ntpdate.
> [...]
Rowland Penny
2019-Apr-08 15:07 UTC
[Samba] Questions about time synchronisation in a multi-DC Samba environment
On Mon, 8 Apr 2019 15:51:32 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> I am currently running a setup with a main DC ad1, that has ntpd
> installed and is currently configured to retrieve the time from the
> UK NTP time pool. I also have a second backup AD DC, ad2, on which I
> have not installed ntpd but I have installed ntpdate. My current
> understanding is that the setup I have just described is in-line with
> the recommended best practices outlined in the following document:
> https://wiki.samba.org/index.php/Time_Synchronisation

Thanks for pointing out the wiki page isn't clear that you must run a
time server on all Samba AD DC's, I have added an info box to it.

Rowland
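The advice in the two replies above (run a time service on every DC and point them all at the same source) still leaves the operator wanting a quick way to confirm that no DC has drifted towards the skew at which Kerberos stops working. The following is an added example, not code from this thread or from the Samba project: a minimal SNTP client in Python that sends one request to each DC on UDP/123, computes clock offset and round-trip delay from the four timestamps as described in RFC 4330, rejects replies whose origin timestamp does not echo the request (stale or spoofed) or that come from an unsynchronised server, and flags any DC whose offset reaches the 300 s that MIT and Heimdal KDCs accept by default. The host names ad1 and ad2 are taken from the thread; the 300 s threshold, the function names and the embedded sample reply (constructed, not captured) are the example's own assumptions.

```python
"""Added example: SNTP offset check of Samba DCs against the Kerberos skew limit.

Not Samba project code. Host names follow the thread (ad1, ad2); the skew limit
and the constructed sample reply below are this example's assumptions.
"""
import socket
import struct
import time
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0       # assumption: default KDC clockskew of five minutes
_FRAC = 1 << 32                 # 32-bit fraction part of an NTP timestamp
_PKT = "!B3B3I4Q"               # 48-byte NTPv4 header layout


@dataclass
class Sample:
    stratum: int
    offset: float   # seconds to add to the local clock to match the server
    delay: float    # round-trip delay in seconds


def ntp_raw(unix_ts: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    ntp = unix_ts + NTP_EPOCH_OFFSET
    secs = int(ntp)
    return (secs << 32) | int((ntp - secs) * _FRAC)


def ntp_unix(raw: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / _FRAC


def build_request(t1_raw: int) -> bytes:
    """Client request: LI=0, VN=4, mode=3; our send time T1 goes in the transmit field."""
    return struct.pack(_PKT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, t1_raw)


def build_reply(t1_raw: int, t2: float, t3: float, stratum: int = 2, li: int = 0) -> bytes:
    """Server reply laid out as ntpd would send it (used here to construct test input)."""
    first = (li << 6) | (4 << 3) | 4   # LI, VN=4, mode=4 (server)
    return struct.pack(_PKT, first, stratum, 0, 0, 0, 0, 0, 0,
                       t1_raw, ntp_raw(t2), ntp_raw(t3))


def parse_response(pkt: bytes, t1_raw: int, t4: float) -> Sample:
    """Validate a reply and compute offset/delay from T1..T4 (RFC 4330 section 5)."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    first, stratum = pkt[0], pkt[1]
    if (first & 0x07) != 4:
        raise ValueError(f"not a server reply (mode {first & 0x07})")
    if (first >> 6) == 3 or stratum == 0:
        # LI=3 means the server's clock is unsynchronised; stratum 0 is a kiss-o'-death
        raise ValueError("server is unsynchronised or sent a kiss-o'-death")
    origin, recv_raw, tx_raw = struct.unpack("!3Q", pkt[24:48])
    if origin != t1_raw:
        # A genuine reply echoes our T1 exactly; anything else is stale or off-path spoofing
        raise ValueError("origin timestamp does not match our request")
    t1, t2, t3 = ntp_unix(t1_raw), ntp_unix(recv_raw), ntp_unix(tx_raw)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return Sample(stratum, offset, delay)


def query(host: str, timeout: float = 2.0) -> Sample:
    """One SNTP exchange with host on UDP/123."""
    t1_raw = ntp_raw(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1_raw), (host, 123))
        pkt, _ = sock.recvfrom(48)
    return parse_response(pkt, t1_raw, time.time())


def skew_exceeded(sample: Sample, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    return abs(sample.offset) >= max_skew


def check_dcs(hosts, max_skew=KERBEROS_MAX_SKEW, query_fn=query):
    """Query every DC; return {host: (Sample or None, human-readable verdict)}."""
    report = {}
    for host in hosts:
        try:
            s = query_fn(host)
        except (OSError, ValueError) as exc:
            report[host] = (None, f"no usable reply: {exc}")
            continue
        verdict = "OUT OF KERBEROS SKEW" if skew_exceeded(s, max_skew) else "ok"
        report[host] = (s, f"{verdict}: offset {s.offset:+.6f}s delay {s.delay:.6f}s stratum {s.stratum}")
    return report


# Constructed sample exchange (not captured traffic): the server's clock is 10 s ahead
# of ours; it receives 1 ms after we send, replies 0.5 ms later, we receive 2 ms after sending.
SAMPLE_T1 = 1554736756.0
SAMPLE_T1_RAW = ntp_raw(SAMPLE_T1)
SAMPLE_REPLY = build_reply(SAMPLE_T1_RAW, SAMPLE_T1 + 10.001, SAMPLE_T1 + 10.0015)
SAMPLE_T4 = SAMPLE_T1 + 0.002


def constructed_sample() -> Sample:
    """Parse the constructed reply: offset about +10.00025 s, delay about 0.0015 s."""
    return parse_response(SAMPLE_REPLY, SAMPLE_T1_RAW, SAMPLE_T4)


if __name__ == "__main__":
    for host, (_, verdict) in check_dcs(["ad1", "ad2"]).items():
        print(f"{host}: {verdict}")
```

Run it from any domain member (or from cron on the DCs themselves) and alert on any line that is not "ok". A single SNTP sample is a spot check, not a discipline loop: it tells you a DC has drifted, it does not fix it, which is exactly why ntpd (or chrony) belongs on every DC rather than a periodic ntpdate.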
Stephen
2019-Apr-08 15:10 UTC
[Samba] Questions about time synchronisation in a multi-DC Samba environment
Thanks for your help Louis and Rowland. I will make sure I install on all my DCs as you have both suggested.

Thanks Again
Stephen Ellwood

On 08/04/2019 16:07, Rowland Penny via samba wrote:
> On Mon, 8 Apr 2019 15:51:32 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>
>> Hi All,
>>
>> I am currently running a setup with a main DC ad1, that has ntpd
>> installed and is currently configured to retrieve the time from the
>> UK NTP time pool. I also have a second backup AD DC, ad2, on which I
>> have not installed ntpd but I have installed ntpdate. My current
>> understanding is that the setup I have just described is in-line with
>> the recommended best practices outlined in the following document:
>> https://wiki.samba.org/index.php/Time_Synchronisation
> Thanks for pointing out the wiki page isn't clear that you must run a
> time server on all Samba AD DC's, I have added an info box to it.
>
> Rowland