I use samba in a container with network time synced from the host machine.
This has been working fine with my Windows hosts, as far as I can tell.
Note: I'm not claiming the following will work for you. I'm just
copy-pasting my own config files. Use at your own risk, so on and so forth.
host: uses systemd-timesyncd without configuration changes.
container tech: systemd-nspawn
config file for systemd-nspawn
mimir /etc/systemd/nspawn # cat dc1.nspawn
[Exec]
MachineID=Some UUID goes here
ResolvConf=replace-uplink
PrivateUsers=false
LinkJournal=false
Ephemeral=true
[Files]
BindReadOnly=/bin/
BindReadOnly=/usr/
BindReadOnly=/var/
BindReadOnly=/lib/
BindReadOnly=/etc/
BindReadOnly=/sbin/
BindReadOnly=/lib64/
BindReadOnly=/dev/null:/etc/fstab
BindReadOnly=/var/lib/machines/dc1-state/etc/hosts:/etc/hosts
BindReadOnly=/var/lib/machines/dc1-state/etc/hostname:/etc/hostname
BindReadOnly=/var/lib/machines/dc1-state/etc/ntp.conf:/etc/ntp.conf
BindReadOnly=/var/lib/machines/dc1-state/etc/systemd/resolved.conf:/etc/systemd/resolved.conf
Bind=/var/lib/machines/dc1-state/etc/krb5.keytab:/etc/krb5.keytab
Bind=/var/lib/machines/dc1-state/var/log/:/var/log/
Bind=/var/lib/machines/dc1-state/etc/raddb/:/etc/raddb/
Bind=/var/lib/machines/dc1-state/etc/samba/:/etc/samba/
Bind=/var/lib/machines/dc1-state/var/lib/samba/:/var/lib/samba/
Bind=/var/lib/machines/dc1-state/var/cache/samba/:/var/cache/samba/
Bind=/var/lib/machines/dc1-state/etc/systemd/system/:/etc/systemd/system/
Bind=/var/lib/machines/dc-sysvol-state/:/var/lib/samba/sysvol/
TemporaryFileSystem=/home/
TemporaryFileSystem=/var/tmp/
TemporaryFileSystem=/var/lib/machines/
[Network]
MACVLAN=general
Container ntp.conf
mimir /var/lib/machines/dc1-state/etc # cat ntp.conf
# Local clock driver (127.127.1.0): ntpd serves the container's system clock,
# which is the host's clock (the host runs systemd-timesyncd and a container
# cannot set system time itself), as a stratum-10 source when no network
# peer is available.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Access control
# Default restriction: Allow clients only to query the time
restrict default nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Storage
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd
Container smb.conf
mimir /var/lib/machines/dc1-state/etc # cat samba/smb.conf
[global]
server role = active directory domain controller
allow dns updates = nonsecure
dns forwarder = 10.0.0.1
idmap_ldb:use rfc2307 = yes
workgroup = DOMAIN-GOES-HERE
realm = DOMAIN-GOES-HERE
##
# Hack hack hack
# This allows freeradius winbind auth to work
##
ntlm auth = mschapv2-and-ntlmv2-only
#Fucking printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
[netlogon]
path = /var/lib/samba/sysvol/DOMAIN-GOES-HERE/scripts
read only = no
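The two things the posted ntp.conf relies on for domain-joined Windows clients are the `ntpsigndsocket` directive (ntpd hands MS-SNTP requests to Samba's ntp_signd for signing) and the `mssntp` flag on the default restrict line. The script below is an added example, not part of the original message or of Samba: it checks an ntpd config for those directives (and for a directive glued to its path, the kind of typo ntpd rejects as an unknown keyword) and checks the ntp_signd socket directory. The default paths are the ones from the config above; the expectation that the socket directory is mode 0750 with group `ntp` follows the Samba wiki's time-synchronisation guidance and is an assumption you should adjust to the group your distro's ntpd runs as.

```shell
#!/bin/sh
# Sanity checks for a Samba AD DC's signed-NTP setup.
# Added example, not from the original message or from the Samba project.
# Assumptions: ntpd (ntp.org) config syntax as in the posted ntp.conf;
# socket directory expected 0750 with group "ntp" (Samba wiki guidance).

# check_ntp_conf FILE
# Prints one line per problem and returns the number of problems (0 = ok).
check_ntp_conf() {
    conf=$1
    problems=0

    # Drop comments and blank lines once; every check greps this copy.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. ntpd must be told where Samba's ntp_signd socket directory is.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/'; then
        echo "missing: ntpsigndsocket <dir> (Samba ntp_signd directory)"
        problems=$((problems + 1))
    fi

    # 2. Without 'mssntp' on the default restrict line ntpd answers Windows
    #    clients with unsigned replies, which w32time on domain members rejects.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]]+[a-z]+)*[[:space:]]+mssntp([[:space:]]|$)'; then
        echo "missing: 'mssntp' flag on 'restrict default'"
        problems=$((problems + 1))
    fi

    # 3. Some time source must exist; the local clock driver 127.127.1.0 counts.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(server|pool|peer)[[:space:]]+'; then
        echo "missing: no server/pool/peer line, ntpd has nothing to serve"
        problems=$((problems + 1))
    fi

    # 4. 'logfile/var/log/ntp' is not 'logfile /var/log/ntp': ntpd sees an
    #    unknown keyword and the directive is silently lost.
    glued=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*(logfile|driftfile|ntpsigndsocket)/' || true)
    if [ -n "$glued" ]; then
        echo "syntax: directive glued to its path: $glued"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# check_signd_dir DIR [GROUP]
# ntpd runs unprivileged, so it must be able to enter the socket directory
# Samba creates under its private dir. Expected: mode 750, group = ntpd's group.
check_signd_dir() {
    dir=$1
    want_group=${2:-ntp}
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir does not exist (is samba running as an AD DC with that private dir?)"
        return 1
    fi
    mode=$(stat -c %a "$dir")
    group=$(stat -c %G "$dir")
    if [ "$mode" != 750 ]; then
        echo "perm: $dir is mode $mode, expected 750"
        problems=$((problems + 1))
    fi
    if [ "$group" != "$want_group" ]; then
        echo "perm: $dir has group $group, expected $want_group"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh check-signed-ntp.sh [/etc/ntp.conf] [/var/lib/samba/ntp_signd] [ntp]
# Only runs when given arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    rc=0
    check_ntp_conf "${1:-/etc/ntp.conf}" || rc=$?
    check_signd_dir "${2:-/var/lib/samba/ntp_signd}" "${3:-ntp}" || rc=$((rc + $?))
    [ "$rc" -eq 0 ] && echo "ok: signed NTP config looks complete"
    exit "$rc"
fi
```

Run it inside the container (or on the host against the bind-mounted dc1-state paths) before testing from a client with `w32tm /stripchart /computer:<dc>`; a non-zero exit lists what is missing.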
On Mon, Oct 31, 2022 at 4:12 AM Michael Tokarev via samba <samba at lists.samba.org> wrote:
> Hi!
>
> As it often happens these days, more and more often a DS (primary or not)
> is run in a linux container of one sort or another, because samba DC needs
> its own unique configuration which is not compatible with file services.
>
> But now there's a question: what to do with NTP and w32time in this case?
>
> The problem is that running ntpd within a container is usually a bad idea,
> and actually it doesn't even work, since only the host system does the
> timekeeping, containers aren't even allowed to touch system time, and it
> would be a conflict anyway. Running a DC inside a virtual machine (e.g.
> qemu) where it's possible to run ntpd, will be even worse, since accurate
> time and a virtual machine is not well-compatible.
>
> windowsclient $> w32tm /monitor
> PDC.domain *** PDC *** [192.168.177.6:123]:
> ICMP: 0ms delay
> NTP: error WSAECONNRESET - no server listening NTP-port
>
> It looks like the clock on the client machines is not synchronized, even
> if w32tm /resync says "Command is completed successfully" - on at least
> one of our machines it is ~4sec different than on the PDC.
>
> More, when a Windows client is joined to a domain, it can't use regular
> NTP (with given ntp server) anymore, the NTP configuration is grayed
> out with a message "some parameters are disabled by your organization"
> or something like that.
>
> What's the right way to synchronize time for Windows clients in this case?
>
> Thanks,
>
> /mjt
>