Michael Tokarev
2023-Aug-09 09:13 UTC
[Samba] Samba domain time sync woes (Debian Bookworm)
09.08.2023 12:05, Rowland Penny via samba wrote:
> ... All DCs get their time from the DC that holds
> the PDC_Emulator FSMO role...

What do you mean by that? Are you saying that if I run a samba AD-DC, samba will mess with system time? There are so many questions here...

We already run ntp on all linux machines, including the ones where samba ad-dc is running.

Does samba mess with system time?
Can't other (not holding PDC_Emulator role) DCs just use the system time?
What if the PDC_Emulator DC is not available or is on a remote site?

This sounds.. wrong.

/mjt

On 09/08/2023 10:13, Michael Tokarev via samba wrote:
> 09.08.2023 12:05, Rowland Penny via samba wrote:
>
>> ... All DCs get their time from the DC that holds the PDC_Emulator
>> FSMO role...
>
> What do you mean by that? Are you saying that if I run a samba AD-DC,
> samba will mess with system time? There are so many questions here...
>
> We already run ntp on all linux machines, including the ones where samba
> ad-dc is running.
>
> Does samba mess with system time?
> Can't other (not holding PDC_Emulator role) DCs just use the system time?
> What if the PDC_Emulator DC is not available or is on a remote site?
>
> This sounds.. wrong.
>
> /mjt
>

Samba itself doesn't care about time, it is AD and more importantly kerberos that does. The time doesn't really need to be accurate, just as long as all AD members use the same time.

The way it works is basically every domain member must run a 'time' client that can ask a DC for the time, then all DCs get their time from the DC with PDC_Emulator FSMO role, which gets its time from an external source. This wasn't designed by Samba, it is how Microsoft designed it.

So, if the DC with the PDC_Emulator role goes offline, you need to either get it back on line quickly, or move the PDC_Emulator role to another DC. As for remote sites, this is yet another reason to have at least one DC at every site.

Rowland
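
An added example, not part of either message in the thread: a small audit that checks a host inventory against the hierarchy described above (members ask a DC, DCs ask the PDC_Emulator holder, which asks an external source) and flags clocks that disagree with the domain. The host names, clock readings and the 300-second tolerance are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumption: 300 s is the usual default Kerberos clock-skew tolerance;
# the thread itself gives no figure.
MAX_SKEW = 300.0

@dataclass
class Host:
    name: str
    role: str      # "pdc_emulator", "dc" or "member"
    source: str    # where this host is configured to get its time
    clock: float   # the host's clock reading (epoch seconds) at one instant

def audit(hosts, external_sources):
    """Return (host, problem) findings for hierarchy and skew violations."""
    findings = []
    pdcs = [h for h in hosts if h.role == "pdc_emulator"]
    if len(pdcs) != 1:
        return [("domain", f"expected one PDC emulator, found {len(pdcs)}")]
    pdc = pdcs[0]
    dc_names = {h.name for h in hosts if h.role in ("dc", "pdc_emulator")}
    for h in hosts:
        if h.role == "pdc_emulator":
            ok = h.source in external_sources
        elif h.role == "dc":
            ok = h.source == pdc.name
        else:
            ok = h.source in dc_names
        if not ok:
            findings.append((h.name, f"unexpected time source {h.source}"))
        # What matters to Kerberos is agreement within the domain, so skew
        # is measured against the PDC emulator, not against true time.
        skew = h.clock - pdc.clock
        if abs(skew) > MAX_SKEW:
            findings.append((h.name, f"skew {skew:+.0f}s vs {pdc.name}"))
    return findings

TRUE_TIME = 1_691_572_380.0   # constructed reference instant
SAMPLE = [                    # constructed inventory; the domain runs 10 min fast
    Host("dc1", "pdc_emulator", "ntp.example.net", TRUE_TIME + 600),
    Host("dc2", "dc", "dc1", TRUE_TIME + 601),
    Host("ws1", "member", "dc2", TRUE_TIME + 598),
    Host("dc3", "dc", "ntp.example.net", TRUE_TIME),  # accurate, but out of step
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, {"ntp.example.net"}):
        print(f"{name}: {problem}")
```

In the constructed sample only dc3 is flagged, even though it is the one host with the correct time: it bypasses the PDC emulator and ends up 600 seconds away from the rest of the domain.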