Time Synchronisation: Difference between revisions
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page Time synchronisation to Time Synchronisation: Fix title to TitleCase) |
Mmuehlfeld (talk | contribs) (Rewrote documentation. Rephrased, clearer wording, etc.) |
||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
In an Active Directory |
In an Active Directory (AD) you must have an accurate time synchronisation. For example, Kerberos requires correct time stamps to prevent replay attacks and the AD uses the time to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied. As a result, a user cannot access shares or query the directory. |
||
Samba supports the "ntpd" from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon. |
|||
ntpd from http://ntp.org allows time synchronisation with external sources and can also be configured to be a time source for others. Please note, that ntpd does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync. |
|||
Note that "ntpd" does not support authenticated time synchronisation with Windows 2000 clients. |
|||
'''See the [[Host_information_used_in_documentation|host information used in documentation]] page for used paths, hostnames, etc.''' |
|||
Line 11: | Line 11: | ||
= Configuring |
= Configuring Time Synchronisation on a DC = |
||
== Requirements == |
== Requirements == |
||
* ntpd >= 4.2.6 from |
* ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support ("--enable-ntp-signd") |
||
* |
* Verify the socket permissions on your domain controller (DC). The "ntpd" daemon must have read permissions in the "ntp_signed" directory. To list the permissions, enter: |
||
⚫ | |||
⚫ | |||
# ls -ld /usr/local/samba/var/lib/ntp_signd/ |
# ls -ld /usr/local/samba/var/lib/ntp_signd/ |
||
drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/ |
drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/ |
||
: To set the permissions, run: |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an external NTP server and provides time via signed NTP for others. |
|||
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file. |
|||
⚫ | |||
The following is a minimum "ntpd.conf" file that synchronises the time with three external NTP server and enables clients to query the time using signed NTP requests: |
|||
⚫ | |||
server 127.127.1.0 |
server 127.127.1.0 |
||
fudge 127.127.1.0 stratum 10 |
fudge 127.127.1.0 stratum 10 |
||
# |
# Where to retrieve the time from |
||
server 0.pool.ntp.org iburst prefer |
server 0.pool.ntp.org iburst prefer |
||
server 1.pool.ntp.org iburst prefer |
|||
server 2.pool.ntp.org iburst prefer |
|||
driftfile /var/lib/ntp/ntp.drift |
driftfile /var/lib/ntp/ntp.drift |
||
Line 43: | Line 48: | ||
# Access control |
# Access control |
||
# Default restriction: |
# Default restriction: Allow clients only to query the time |
||
restrict default kod nomodify notrap nopeer mssntp |
restrict default kod nomodify notrap nopeer mssntp |
||
# |
# No restrictions for "localhost" |
||
restrict 127.0.0.1 |
restrict 127.0.0.1 |
||
# |
# Enable the time sources to only provide time to this host |
||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions. |
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions. |
||
Examples about ntpd SELinux labeling and policy you will find [[Time_syncronisation_SELinux_labeling_and_policy|here]]. |
|||
If you have SELinux enabled on your server, see [[Time_Synchronisation_-_SELinux_Labeling_and_Policy|Time Synchronisation - SELinux Labeling and Policy]]. |
|||
= Configuring |
= Configuring Time Synchronisation on a Linux Domain Member = |
||
== Requirements == |
== Requirements == |
||
* ntpd from |
* ntpd from http://www.ntp.org. |
||
== |
== Set up the ntpd.conf File on a Linux Domain Member == |
||
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file. |
|||
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an Samba AD Domain Controller and doesn't provide NTP for others. |
|||
The following is a minimum "ntpd.conf" file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) "DC1" and "DC2" and does not provide time services for other hosts. |
|||
⚫ | |||
⚫ | |||
server 127.127.1.0 |
server 127.127.1.0 |
||
fudge 127.127.1.0 stratum 10 |
fudge 127.127.1.0 stratum 10 |
||
# |
# Where to retrieve the time from |
||
server DC1.samdom.example.com iburst prefer |
server DC1.samdom.example.com iburst prefer |
||
server DC2.samdom.example.com iburst |
|||
driftfile /var/lib/ntp/ntp.drift |
driftfile /var/lib/ntp/ntp.drift |
||
Line 82: | Line 93: | ||
# Access control |
# Access control |
||
# Default restriction |
# Default restriction: Disallow everything |
||
restrict default ignore |
restrict default ignore |
||
# |
# No restrictions for "localhost" |
||
restrict 127.0.0.1 |
restrict 127.0.0.1 |
||
# |
# Enable the time sources only to only provide time to this host |
||
restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery |
restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery |
||
restrict DC2.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions |
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions. |
||
Line 97: | Line 109: | ||
= Configuring |
= Configuring Time Synchronisation on a Windows Domain Member = |
||
== Default Time Source == |
|||
Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the PDC emulator role. If you don't want to use a different source or to configure multiple time server, etc. you don't have to take any action. |
|||
Windows AD domain members use the DC holding the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]] as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr. |
|||
⚫ | |||
⚫ | |||
If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time synchronisation related options: |
|||
To configure a different time source than the domain controller (DC) holding the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]]: |
|||
* Create a new Group Policy Object in the Group Policy Management Console (part of the [[Installing_RSAT|Remote Server Administration Tools]]) and edit it. |
|||
* |
* Open the Group Policy Management Console (GPMC). |
||
: To install, see [[Installing_RSAT|Installing the Remote Server Administration Tools (RSAT)]]. |
|||
* Create a new group policy object (GPO). |
|||
* Right-click the GPO and select "Edit". |
|||
* In the Group Policy Management Editor (GPME) navigate to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers". |
|||
* Edit the "Configure Windows NTP Client" policy: |
* Edit the "Configure Windows NTP Client" policy: |
||
* To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol: |
|||
:[[Image:GPO_Windows_NTP_Client_Options.png]] |
:[[Image:GPO_Windows_NTP_Client_Options.png]] |
||
:For descriptions on the other options in the screen capture, see the GPO help. |
|||
:This example changes the NTP server setting to a DC that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx. |
|||
* Save the GPO |
|||
* |
* Link the GPO to a organizational unit (OU) or to the domain. |
||
Revision as of 00:00, 4 September 2016
Introduction
In an Active Directory (AD) you must have an accurate time synchronisation. For example, Kerberos requires correct time stamps to prevent replay attacks and the AD uses the time to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied. As a result, a user cannot access shares or query the directory.
Samba supports the "ntpd" from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon.
Note that "ntpd" does not support authenticated time synchronisation with Windows 2000 clients.
Configuring Time Synchronisation on a DC
Requirements
- ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support ("--enable-ntp-signd")
- Verify the socket permissions on your domain controller (DC). The "ntpd" daemon must have read permissions in the "ntp_signed" directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/ drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
- To set the permissions, run:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/ # chmod 750 /usr/local/samba/var/lib/ntp_signd/
Set up the ntpd.conf File on a DC
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.
The following is a minimum "ntpd.conf" file that synchronises the time with three external NTP server and enables clients to query the time using signed NTP requests:
# Local clock. Note that is not the "localhost" address! server 127.127.1.0 fudge 127.127.1.0 stratum 10 # Where to retrieve the time from server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer server 2.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ # Access control # Default restriction: Allow clients only to query the time restrict default kod nomodify notrap nopeer mssntp # No restrictions for "localhost" restrict 127.0.0.1 # Enable the time sources to only provide time to this host restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
If you have SELinux enabled on your server, see Time Synchronisation - SELinux Labeling and Policy.
Configuring Time Synchronisation on a Linux Domain Member
Requirements
- ntpd from http://www.ntp.org.
Set up the ntpd.conf File on a Linux Domain Member
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.
The following is a minimum "ntpd.conf" file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) "DC1" and "DC2" and does not provide time services for other hosts.
# Local clock. Note that is not the "localhost" address! server 127.127.1.0 fudge 127.127.1.0 stratum 10 # Where to retrieve the time from server DC1.samdom.example.com iburst prefer server DC2.samdom.example.com iburst driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp # Access control # Default restriction: Disallow everything restrict default ignore # No restrictions for "localhost" restrict 127.0.0.1 # Enable the time sources only to only provide time to this host restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery restrict DC2.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
Configuring Time Synchronisation on a Windows Domain Member
Default Time Source
Windows AD domain members use the DC holding the PDC emulator FSMO role as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.
Setting User Defined Time Sources and Options
To configure a different time source than the domain controller (DC) holding the PDC emulator FSMO role:
- Open the Group Policy Management Console (GPMC).
- To install, see Installing the Remote Server Administration Tools (RSAT).
- Create a new group policy object (GPO).
- Right-click the GPO and select "Edit".
- In the Group Policy Management Editor (GPME) navigate to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
- Edit the "Configure Windows NTP Client" policy:
- To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol:
- For descriptions on the other options in the screen capture, see the GPO help.
- Save the GPO
- Link the GPO to a organizational unit (OU) or to the domain.