Viktor Trojanovic
2019-Nov-16 15:34 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 16.11.2019 15:17, Sonic wrote:
> On Thu, Nov 14, 2019 at 1:56 PM Viktor Trojanovic via samba
> <samba at lists.samba.org> wrote:
>> I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
>> and just noticed that the clients are not synchronizing time with the
>> server. I'm not sure why not.
>>
>> My setup is a bit special in that the DC is running inside a (privileged)
>> Linux container.
> This may or may not lead to a solution as I'm not running the DC in a
> privileged container. I run chrony on the host with the socket inside
> the container.
> chrony.conf on the host contains:
> =================
> ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
> =================
>
> And the DC looks for the socket at (the default location, no statement
> in smb.conf):
> =================
> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
> =================
>
> In your case, due to the privileged container, the host may not have
> access to the file system in the container (really don't know, haven't
> worked with one).
> But this is working for me, only one chrony running on the host, which
> also serves up time directly but allows samba in the container to use
> the socket as well.
>
> Chris

I think you may be confusing privileged with unprivileged containers,
what you describe is perfectly possible with a privileged container but
would be a bit more complicated to set up with an unprivileged one
(since the user IDs in the container would be different from the ones
on the host).

It seems like this would be worth a shot if no one else comes up with a
better solution. I never used chrony before, how do you tell it not to
try and change the system time? Can you share your whole conf file?

Viktor
On Sat, Nov 16, 2019 at 10:34 AM Viktor Trojanovic <viktor at troja.ch> wrote:
> I think you may be confusing privileged with unprivileged containers,
> what you describe is perfectly possible with a privileged container but
> would be a bit more complicated to set up with an unprivileged one
> (since the user IDs in the container would be different from the ones
> on the host).

Oh yes, you're right. I am running privileged containers. LXC
containers using Debian (both host and containers).

> It seems like this would be worth a shot if no one else comes up with a
> better solution. I never used chrony before, how do you tell it not to
> try and change the system time? Can you share your whole conf file?

I want it to keep (update/change if/when needed) the system time -
it's running on the host OS, not in the container. I'm just placing
the socket inside the container so that samba can also use the socket.
I was using ntpd but switched to chrony for no specific reason. I'm
guessing either would work.

chrony.conf:
==========================
pool us.pool.ntp.org iburst
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
directive.
hwclockfile /etc/adjtime
directive.
rtcsync
makestep 1 3
local stratum 8
manual
allow 192.168.1.0/24
bindcmdaddress 192.168.1.1
ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
==========================

As can be seen the socket for chrony, which is running on the host, is
inside the container (/mnt/containers/dc/rootfs/), both the host OS
and the container OS have access to it.

Chris
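
[Added example, not part of the original thread and not code from either poster or from the Samba or chrony projects.] A host-side check for the layout described above: it confirms that the ntpsigndsocket path in chrony.conf equals the container rootfs plus Samba's "ntp signd socket directory", and that the directory grants nothing to "other". The function names, return codes and the no-access-for-other rule are assumptions of this example; the demo tree is constructed.

```shell
#!/bin/sh
# Added example: consistency check for "chrony on the host, Samba DC in a container".

# Print the path given to the ntpsigndsocket directive in a chrony.conf.
chrony_signd_path() {
    awk 'tolower($1) == "ntpsigndsocket" { print $2; exit }' "$1"
}

# check_signd CHRONY_CONF CONTAINER_ROOTFS SAMBA_SIGND_DIR
# Returns 0 = ok, 1 = directive missing, 2 = paths disagree,
#         3 = directory missing, 4 = directory accessible to "other".
check_signd() {
    conf=$1; rootfs=${2%/}; samba_dir=$3
    configured=$(chrony_signd_path "$conf")
    [ -n "$configured" ] || { echo "no ntpsigndsocket directive in $conf"; return 1; }
    expected="$rootfs$samba_dir"      # the container's path as seen from the host
    [ "${configured%/}" = "${expected%/}" ] || {
        echo "chrony uses $configured but Samba listens in $expected"; return 2; }
    [ -d "$expected" ] || { echo "$expected does not exist"; return 3; }
    mode=$(stat -c '%a' "$expected")  # GNU stat, as on the Debian host in the thread
    case "$mode" in
        *0) ;;                        # last octal digit 0: no access for "other"
        *)  echo "$expected has mode $mode, accessible to other users"; return 4 ;;
    esac
    echo ok
}

# Constructed demo: a throwaway tree that mirrors the paths quoted in the thread.
demo_root=$(mktemp -d)
signd=/usr/local/samba/var/lib/ntp_signd
mkdir -p "$demo_root/rootfs$signd" && chmod 750 "$demo_root/rootfs$signd"
printf 'pool us.pool.ntp.org iburst\nntpsigndsocket %s\n' \
    "$demo_root/rootfs$signd" > "$demo_root/chrony.conf"
check_signd "$demo_root/chrony.conf" "$demo_root/rootfs" "$signd"
```

On a real host the three arguments would be /etc/chrony/chrony.conf, the container rootfs (/mnt/containers/dc/rootfs in Chris's message) and the directory from smb.conf or its default.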
Viktor Trojanovic
2019-Nov-17 10:37 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 16.11.2019 23:37, Sonic wrote:
> On Sat, Nov 16, 2019 at 10:34 AM Viktor Trojanovic <viktor at troja.ch> wrote:
>> I think you may be confusing privileged with unprivileged containers,
>> what you describe is perfectly possible with a privileged container but
>> would be a bit more complicated to set up with an unprivileged one
>> (since the user IDs in the container would be different from the ones
>> on the host).
> Oh yes, you're right. I am running privileged containers. LXC
> containers using Debian (both host and containers).
>
>> It seems like this would be worth a shot if no one else comes up with a
>> better solution. I never used chrony before, how do you tell it not to
>> try and change the system time? Can you share your whole conf file?
> I want it to keep (update/change if/when needed) the system time -
> it's running on the host OS, not in the container. I'm just placing
> the socket inside the container so that samba can also use the socket.
> I was using ntpd but switched to chrony for no specific reason. I'm
> guessing either would work.
> chrony.conf:
> ==========================
> pool us.pool.ntp.org iburst
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> logdir /var/log/chrony
> maxupdateskew 100.0
> directive.
> hwclockfile /etc/adjtime
> directive.
> rtcsync
> makestep 1 3
> local stratum 8
> manual
> allow 192.168.1.0/24
> bindcmdaddress 192.168.1.1
> ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
> ==========================
>
> As can be seen the socket for chrony, which is running on the host, is
> inside the container (/mnt/containers/dc/rootfs/), both the host OS
> and the container OS have access to it.
>
> Chris

I'm not sure I understand your setup. It seems like you are running
Chrony on the host only and you just share the socket with the
container, no chrony running there. So, how can clients query the DC for
time? I thought it's the time service (chrony/ntp) that sends the time
to the clients, not Samba itself... or did I get that wrong?

Viktor