Oleg Blyahher
2021-Mar-15 12:23 UTC
[Samba] Getting the time to work with a DC inside an LXC container
Hi everyone,

Running Samba DC Version 4.12.10-Debian on Debian 10, inside a privileged LXC on a host with Ubuntu 20.04 with LXD. I've migrated to this one from another setup that wasn't working so well, but that had a working time server.

I had tried following this wiki article: https://wiki.samba.org/index.php/Time_Synchronisation but to no avail. Both Chrony and ntpd want access to the host's kernel and don't really work.

I've also edited the group policy so that domain-joined clients will simply use Microsoft's default time servers, but *w32tm /query /source* returns "Local CMOS Clock".

What's the easiest way of telling domain-joined machines where to look for the time? I'm perfectly fine with using someone else's time servers.

Here's my smb.conf, just in case:

    # Global parameters
    [global]
            netbios name = DC
            realm = REALM
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
            workgroup = MYGROUP
            idmap_ldb:use rfc2307 = yes
            template shell = /bin/bash
            template homedir = /home/%U
            ldap server require strong auth = no
            tls enabled = yes
            tls keyfile = /etc/ssl/private/cert.pem
            tls certfile = /etc/ssl/certs/cert.key
            ldap debug level = 3
            ntlm auth = mschapv2-and-ntlmv2-only
            log level = 3 auth:5 winbind:5
            check password script = /usr/bin/crackcheck -d /var/cache/cracklib/cracklib_dict

    [netlogon]
            path = /var/lib/samba/sysvol/domain.com/scripts
            read only = No

    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

Thanks!
Rowland penny
2021-Mar-15 13:17 UTC
[Samba] Getting the time to work with a DC inside an LXC container
On 15/03/2021 12:23, Oleg Blyahher via samba wrote:
> Hi everyone,
>
> Running Samba DC Version 4.12.10-Debian on Debian 10, inside a
> privileged LXC on a host with Ubuntu 20.04 with LXD.
>
> I've migrated to this one from another setup that wasn't working so
> well, but that had a working time server.
>
> I had tried following this wiki article:
> https://wiki.samba.org/index.php/Time_Synchronisation but to no avail.
> Both Chrony and ntpd want access to the host's kernel and don't really
> work.
>
> I've also edited the group policy so that domain-joined clients will
> simply use Microsoft's default time servers, but
> *w32tm /query /source*
>
> returns "Local CMOS Clock".
>
> What's the easiest way of telling domain joined machines where to look
> for the time? I'm perfectly fine with using someone else's time servers.

That would be a Windows problem, but even if your clients keep perfect time, your DC might not and could get out of sync with your clients. Samba (like Windows) supports using the DC with the PDC_Emulator FSMO role as the ultimate timeserver in an AD domain, so that DC must be able to get its time from an external time server.

Rowland
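Rowland's point is that only one DC, the holder of the PDC Emulator FSMO role, has to reach an external time source; the rest of the domain syncs from it. The script below is an added example, not from the thread or from Samba: it parses the output of `samba-tool fsmo show` (lines of the form "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=<dc>,CN=Servers,...") and tells you whether the DC you are on is that one. SAMPLE_FSMO is constructed for the example; the DC names in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether this DC is the holder of
# the PDC Emulator FSMO role, i.e. the one that must reach an external NTP
# source. Parses `samba-tool fsmo show` output ("<Role> owner: CN=NTDS
# Settings,CN=<dc>,CN=Servers,..."). SAMPLE_FSMO is constructed; names made up.

# pdc_emulator_host: read `samba-tool fsmo show` output on stdin and print the
# short name of the DC that owns PdcEmulationMasterRole.
pdc_emulator_host() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# is_pdc_emulator NAME: exit 0 when NAME (case-insensitive) owns the role.
is_pdc_emulator() {
    _owner=$(pdc_emulator_host | tr 'A-Z' 'a-z')
    _me=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$_owner" ] && [ "$_owner" = "$_me" ]
}

# Constructed sample in the layout samba-tool prints (only three roles shown).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Usage: on a real DC use the live output; elsewhere fall back to the sample.
if command -v samba-tool >/dev/null 2>&1 && fsmo_out=$(samba-tool fsmo show 2>/dev/null); then
    me=$(hostname)
else
    fsmo_out=$SAMPLE_FSMO; me=DC
    echo "samba-tool not usable here, using the constructed sample output"
fi
me=${me%%.*}   # short host name
if printf '%s\n' "$fsmo_out" | is_pdc_emulator "$me"; then
    echo "$me holds PdcEmulationMasterRole: it must sync from an external NTP source"
else
    echo "PDC Emulator is $(printf '%s\n' "$fsmo_out" | pdc_emulator_host); $me should sync time from it"
fi
```

Run it as root on each DC; only the one that reports holding the role needs the external NTP path (or, in a container, a host whose clock is kept in sync for it).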
Marco Gaiarin
2021-Mar-15 13:32 UTC
[Samba] Getting the time to work with a DC inside an LXC container
Hi! Oleg Blyahher via samba wrote:

> What's the easiest way of telling domain joined machines where to look for
> the time? I'm perfectly fine with using someone else's time servers.

Two ways:

a) remove the CAP_SYS_TIME capability from the 'drop' list, i.e. enable it; supposing:

    root@clerk:~# lxc-info -n 100 -c lxc.cap.drop
    lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

   add to the container config file:

    lxc.cap.drop:
    lxc.cap.drop: mac_admin mac_override sys_module sys_rawio

b) remove ntpd hardware access, i.e. add in ntp.conf:

    # don't update the system's clock
    disable kernel

Note that the clock of the container is the clock of the host, so you have to keep the host clock in sync by other means with option b).

-- 
  dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
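Whether Marco's option a) is even needed depends on what the container actually holds. The script below is an added example, not from the thread or from LXC/Samba: it decodes the CapEff mask that the kernel exposes in /proc/self/status and reports whether CAP_SYS_TIME (capability number 25) is present, which is the capability chronyd or ntpd need to step or slew the kernel clock the container shares with the host. The SAMPLE_* masks are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check from inside the container whether
# CAP_SYS_TIME (capability number 25 in <linux/capability.h>) is in the
# effective set, which chronyd/ntpd need to discipline the kernel clock that
# the container shares with the host. Decodes the CapEff mask from
# /proc/self/status; the SAMPLE_* masks below are constructed.

CAP_SYS_TIME=25

# has_cap NUM HEXMASK: exit 0 if bit NUM of the capability mask is set.
# Only the low 32 bits (last 8 hex digits) are used, which keeps the arithmetic
# in range for every POSIX shell; CAP_SYS_TIME is well below 32.
has_cap() {
    _low=$(printf '%s' "$2" | tail -c 8)
    [ $(( (0x$_low >> $1) & 1 )) -eq 1 ]
}

# cap_eff_of_self: the CapEff mask of the current process from /proc.
cap_eff_of_self() {
    sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status
}

# Constructed masks: all capabilities 0..37 set, and the same with bit 25
# cleared, which is what a drop list containing sys_time produces.
SAMPLE_FULL=0000003fffffffff
SAMPLE_NO_SYS_TIME=0000003ffdffffff

# Usage: report on the running process and say which of the two options applies.
if [ -r /proc/self/status ]; then
    mask=$(cap_eff_of_self)
    if has_cap "$CAP_SYS_TIME" "$mask"; then
        echo "CapEff=$mask: CAP_SYS_TIME present, an NTP daemon here can set the shared clock"
    else
        echo "CapEff=$mask: CAP_SYS_TIME missing; either take sys_time out of lxc.cap.drop (option a)"
        echo "or run the daemon without kernel access ('disable kernel' / chronyd -x) and sync the host (option b)"
    fi
fi
```

The trade-off behind the two options: granting CAP_SYS_TIME to a privileged container means any root process inside it can step the host's clock, and because the clock is shared, that skew hits every Kerberos exchange on the host (AD tolerates 5 minutes by default). Option b) keeps the container clock-read-only and makes the host the single place where time is set.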
Sonic
2021-Mar-24 12:43 UTC
[Samba] Getting the time to work with a DC inside an LXC container
The following, using chrony on Debian, works for me, allowing the AD clients to sync with the Samba server:

Changes to chrony.conf:
- remove any server directives
- add:

    local stratum 8
    ntpsigndsocket /usr/local/samba/var/lib/ntp_signd   (use your specific location)
    allow a.b.c.d/mm
    allow w.x.y.z/nn                                    (use your allowed subnets)

My chrony.conf is:

==============================
local stratum 8
manual
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
maxupdateskew 100.0
allow a.b.c.d/mm
allow w.x.y.z/nn
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd
==============================

Changes to chrony.service:
- remove or comment out "ConditionCapability=CAP_SYS_TIME"

My chrony.service is:

==============================
[Unit]
Description=chrony, an NTP client/server
Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service
After=network.target
#ConditionCapability=CAP_SYS_TIME

[Service]
Type=forking
PIDFile=/run/chronyd.pid
EnvironmentFile=-/etc/default/chrony
ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

[Install]
Alias=chronyd.service
WantedBy=multi-user.target
==============================

Changes to /etc/default/chrony:
- add -x to DAEMON_OPTS

My /etc/default/chrony is:

==============================
DAEMON_OPTS="-F -1 -x"
==============================

Before I discovered the above as a working solution I used a GPO to set the time service for the clients. One example site: https://theitbros.com/configure-ntp-time-sync-group-policy/

Chris
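Chris's configuration has five load-bearing pieces, and leaving one out fails in a different way each time (clients refuse an unsigned reply, chronyd exits for want of CAP_SYS_TIME, or the DC quietly becomes an open NTP responder). The script below is an added example, not from the thread or from the chrony project: it lints a chrony.conf and an /etc/default/chrony against those rules. The sample files it writes are constructed; the subnets in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: lint chrony.conf and /etc/default/chrony
# for the container-DC setup. Rules: no server/pool/peer directive (chronyd in
# the container cannot steer the shared host clock), 'local stratum N' so
# clients accept the DC as a source, 'ntpsigndsocket' so Windows clients get
# MS-SNTP signed replies, 'allow' limited to the domain subnets, and -x in
# DAEMON_OPTS so chronyd never tries to set the clock. Samples are constructed.

# lint_chrony_conf FILE: print each violation, exit 0 only when there is none.
lint_chrony_conf() {
    _rc=0
    _body=$(sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true)
    if printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*(server|pool|peer)[[:space:]]'; then
        echo "FAIL: server/pool/peer directive present; remove it, the container cannot steer the clock"; _rc=1
    fi
    printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*local[[:space:]]+stratum[[:space:]]+[0-9]+' \
        || { echo "FAIL: missing 'local stratum N'"; _rc=1; }
    printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/' \
        || { echo "FAIL: missing 'ntpsigndsocket <dir>' (Windows clients need signed replies)"; _rc=1; }
    printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*allow[[:space:]]+(all[[:space:]]+)?[0-9.]+/[0-9]+' \
        || { echo "FAIL: no 'allow <subnet>' line; clients will be refused"; _rc=1; }
    # a bare 'allow', 'allow all' or 'allow 0.0.0.0/0' makes the DC an open NTP responder
    if printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*allow([[:space:]]+all)?([[:space:]]+0\.0\.0\.0/0)?[[:space:]]*$'; then
        echo "FAIL: 'allow' is wide open; restrict it to the domain subnets"; _rc=1
    fi
    return $_rc
}

# lint_default_chrony FILE: exit 0 when DAEMON_OPTS contains -x.
lint_default_chrony() {
    _opts=$(sed -n 's/^DAEMON_OPTS="\(.*\)"/\1/p' "$1")
    case " $_opts " in
        *" -x "*) return 0 ;;
        *) echo "FAIL: DAEMON_OPTS lacks -x; chronyd would try to set the clock and fail without CAP_SYS_TIME"; return 1 ;;
    esac
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed good configuration, following the post (subnets made up).
cat >"$TMP/good.conf" <<'EOF'
local stratum 8
manual
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
maxupdateskew 100.0
allow 10.0.0.0/24
allow 10.0.1.0/24
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd
EOF
# Constructed bad configuration: still polls a public pool, no signd socket, open to everyone.
cat >"$TMP/bad.conf" <<'EOF'
pool 2.debian.pool.ntp.org iburst   # left over from the stock file
local stratum 8
allow 0.0.0.0/0
EOF
printf 'DAEMON_OPTS="-F -1 -x"\n' >"$TMP/good.default"
printf 'DAEMON_OPTS="-F -1"\n'    >"$TMP/bad.default"

for f in good bad; do
    echo "== chrony.conf ($f)";         lint_chrony_conf "$TMP/$f.conf" && echo OK
    echo "== /etc/default/chrony ($f)"; lint_default_chrony "$TMP/$f.default" && echo OK
done
```

Point it at the real files with `lint_chrony_conf /etc/chrony/chrony.conf` and `lint_default_chrony /etc/default/chrony`. One check it cannot do from a file: the ntp_signd directory must be readable by the user chronyd runs as, or the socket is never used and Windows clients silently fall back to "Local CMOS Clock".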
L.P.H. van Belle
2021-Mar-24 12:52 UTC
[Samba] Getting the time to work with a DC inside an LXC container
See comment lower down.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sonic via samba
> Sent: Wednesday, 24 March 2021 13:43
> To: Oleg Blyahher
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Getting the time to work with a DC inside an LXC
> container
>
> The following, using chrony on Debian, works for me allowing the AD
> clients to sync with the Samba server:
>
> Changes to chrony.conf -
> remove any server directives
> add:
> local stratum 8
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd (use your specific
> location)
> allow a.b.c.d/mm
> allow w.x.y.z/nn (use your allowed subnets)
>
> My chrony.conf is:
> ==============================
> local stratum 8
> manual
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> maxupdateskew 100.0
> allow a.b.c.d/mm
> allow w.x.y.z/nn
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd
> ==============================
>
> Changes to chrony.service -
> remove or comment out "ConditionCapability=CAP_SYS_TIME"
>
> My chrony.service is:
> ==============================
> [Unit]
> Description=chrony, an NTP client/server
> Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
> Conflicts=systemd-timesyncd.service openntpd.service ntp.service
> ntpsec.service
> After=network.target
> #ConditionCapability=CAP_SYS_TIME
>
> [Service]
> Type=forking
> PIDFile=/run/chronyd.pid
> EnvironmentFile=-/etc/default/chrony
> ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
> ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon
> PrivateTmp=yes
> ProtectHome=yes
> ProtectSystem=full
>
> [Install]
> Alias=chronyd.service
> WantedBy=multi-user.target
> ==============================

Here I recommend NOT changing the system default service files.

The "correct" way of this edit should be:

    systemctl edit chrony.service

This creates an override file in /etc/systemd/chrony.service.d/overrided.conf (don't know off the top of my head if that is 100% correct, but it's in /etc/systemd). Now add:

    [Unit]
    ConditionCapability=

Save and done. Way better for keeping track of what changed, and this helps with upgrades.

* systemctl edit --full chrony.service copies this file fully to /etc/systemd and you can edit that. That's the other option.

> Changes to /etc/default/chrony -
> add -x to DAEMON_OPTS
>
> My /etc/default/chrony is:
> ==============================
> DAEMON_OPTS="-F -1 -x"
> ==============================
>
> Before I discovered the above as a working solution I used a GPO to
> set the time service for the clients.
> One example site: https://theitbros.com/configure-ntp-time-sync-group-
> policy/
>
> Chris
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

And thanks for sharing this. It will help others.

Greetz,

Louis
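Louis's drop-in works because of a systemd rule worth seeing in action: list-type settings such as ConditionCapability= accumulate across the packaged unit and its drop-ins in load order, and an assignment with an empty value resets everything collected so far. The script below is an added example, not from the thread or from systemd: it writes the drop-in to the path `systemctl edit` uses, /etc/systemd/system/chrony.service.d/override.conf (under a scratch root here), and replays that accumulate-then-reset rule over a constructed copy of the packaged unit so you can see the condition disappear. The sample unit file is constructed from the one Chris posted.

```shell
#!/bin/sh
# Added example, not from the thread: clear ConditionCapability=CAP_SYS_TIME
# on chrony.service with a drop-in instead of editing the packaged unit.
# `systemctl edit chrony.service` creates /etc/systemd/system/chrony.service.d/
# override.conf; an empty "ConditionCapability=" in it resets the list the
# packaged unit built, so the condition is gone after daemon-reload.
# effective_condition_capability() reproduces that rule on plain files.
# The sample unit and scratch root below are constructed.

# effective_condition_capability FILE...: print the ConditionCapability values
# still in force after reading FILEs in load order (unit first, drop-ins after).
effective_condition_capability() {
    cat "$@" | sed -n 's/^[[:space:]]*ConditionCapability=//p' | awk '
        /^[[:space:]]*$/ { acc = ""; next }          # empty value resets the list
        { acc = (acc == "") ? $0 : acc " " $0 }     # otherwise append
        END { print acc }'
}

# dropin_text: what to type into the editor systemctl edit opens.
dropin_text() {
    printf '[Unit]\nConditionCapability=\n'
}

# write_dropin UNIT ROOT: install the drop-in under ROOT ("" for a real host).
write_dropin() {
    _dir="$2/etc/systemd/system/$1.d"
    mkdir -p "$_dir"
    dropin_text >"$_dir/override.conf"
    printf '%s\n' "$_dir/override.conf"
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed copy of the relevant lines of the packaged unit.
cat >"$TMP/chrony.service" <<'EOF'
[Unit]
Description=chrony, an NTP client/server
ConditionCapability=CAP_SYS_TIME

[Service]
ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
EOF
DROPIN=$(write_dropin chrony.service "$TMP")

echo "packaged unit alone  : '$(effective_condition_capability "$TMP/chrony.service")'"
echo "with $DROPIN: '$(effective_condition_capability "$TMP/chrony.service" "$DROPIN")'"
```

On the real host run `write_dropin chrony.service ""` (or just `systemctl edit chrony.service` and paste the two lines), then `systemctl daemon-reload`; `systemctl cat chrony.service` prints the packaged unit followed by the drop-in, which is how you confirm the override is picked up and why it survives a package upgrade that rewrites /lib/systemd/system/chrony.service.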