Difference between revisions of "Time Synchronisation"

m (Mmuehlfeld moved page Time Synchronisation to Time syncronisation: rename page)
(Large refresh of the "time syncronisation" documentation. The SElinux stuff was also moved to a separate page for better keeping it simple)
Line 1: Line 1:
 
= Introducion =
 
= Introducion =
  
In an Active Directory, an accurate time synchronisation is required and critical like DNS E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs them for resolving replication conflicts.
+
In an Active Directory, an accurate time synchronisation is absolutely necessary. E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs it for resolving replication conflicts. The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your domain members (clients, Member Servers, DCs) clock differs more than that to your servers clock, accessing the server is denied. As the default time source in an Active Directory forest, is the Domain Controller with the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]]. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time synchronisation in an AD DS hierarchy.
  
The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your clients clock differs more than that to your servers clock, accessing the server is denied.
+
ntpd from http://ntp.org allows allows time syncronisation with external sources and can also be configured to be a time source for others. Please note, that ntpd does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.
  
In an Active Directory, the Domain Controller with the PDC Emulator role is considered as the default time source in a forest. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time synchronisation in an AD DS hierarchy.
+
'''See the [[Server_information_used_in_documentation|server information used in documentation]] page for used pathes, hostnames, etc.'''
  
  
  
= General information =
 
  
== Server information used in this HowTo ==
 
  
Inside this HowTo, we will be using the following configuration/settings:
+
= Configuring time synchronisation on a DC =
 
 
Installation Directory:                    /usr/local/samba/
 
Domain Controller (owner of PDC role):    DC1.samdom.example.com
 
Domain Controller (not owner of PDC role): DC2.samdom.example.com
 
 
 
 
 
 
 
== Limitations of ntpd with old clients ==
 
 
 
Please note that [http://www.ntp.org/ ntpd from ntp.org] Samba interface with, does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.
 
 
 
 
 
 
 
 
 
 
 
= Configuring Time Synchronisation on a DC =
 
  
 
== Requirements ==
 
== Requirements ==
  
* [http://www.ntp.org/ ntpd] >= 4.2.6 with enabled signed ntp support
+
* ntpd >= 4.2.6 from [http://www.ntp.org/ ntp.org], with enabled signed ntp support ("--enable-ntp-signd"), installed via package or self compiled
  
 
+
* Make sure, that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other
 
 
== Installation ==
 
 
 
* Install ntpd from your distributions repository. Make sure, that it was compiled using the „--enable-ntp-signd“ option!
 
 
 
* Compile yourself (Add „--enable-ntp-signd“ to the „configure“ options!).
 
 
 
== Check Samba AD DC socket permissions ==
 
 
 
Check that the socket permissions are set correct. It must be <u>readable</u> by the account your ntpd uses and should not be accessable by other:
 
  
 
  # chown root:ntp /usr/local/samba/var/lib/ntp_signd/
 
  # chown root:ntp /usr/local/samba/var/lib/ntp_signd/
Line 52: Line 24:
 
  # ls -ld /usr/local/samba/var/lib/ntp_signd/
 
  # ls -ld /usr/local/samba/var/lib/ntp_signd/
 
  drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
 
  drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
 +
 +
  
 
== Setup ntpd.conf ==
 
== Setup ntpd.conf ==
  
  # Local clock (this is not the localhost address!)
+
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an external NTP server and provides time via signed NTP for others.
 +
 
 +
  # Local clock (Note: This is not the localhost address!)
 
  server 127.127.1.0
 
  server 127.127.1.0
 
  fudge  127.127.1.0 stratum 10
 
  fudge  127.127.1.0 stratum 10
 
 
   
 
   
 
  # The source, where we are receiving the time from
 
  # The source, where we are receiving the time from
 
  server 0.pool.ntp.org    iburst prefer
 
  server 0.pool.ntp.org    iburst prefer
 
 
   
 
   
 
  driftfile      /var/lib/ntp/ntp.drift
 
  driftfile      /var/lib/ntp/ntp.drift
 
  logfile        /var/log/ntp
 
  logfile        /var/log/ntp
 
  ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 
  ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
 
 
   
 
   
 
  # Access control
 
  # Access control
Line 79: Line 52:
 
  restrict 0.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
 
  restrict 0.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
  
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions
+
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
 
+
Examples about ntpd SELinux labeling and policy you will find [[Time_syncronisation_SELinux_labeling_and_policy|here]].
 
 
 
 
== SELinux Labeling and Policy (optional) ==
 
 
 
Set policy for Windows client time sync:
 
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
 
 
 
Make the policy permanent
 
# semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
 
 
 
Verify the change
 
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
 
  
You should see a line like:
 
/usr/local/samba/var/lib/ntp_signd    system_u:object_r:ntpd_t:s0
 
  
The below policy file is based on 4.1.6 on RHEL 6.5 and should be for reference only. Always run the below egrep command, after you have a base policy file created. Then stop / start ntpd and Samba AD services on your system and add to the base policy until competed.
 
  
egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow
 
  
If all is fine, you'll see this for each "allow" line below in the policy file.
 
#!!! This avc is allowed in the current policy
 
allow ntpd_t self:capability sys_admin;
 
etc.
 
 
<tt>samba4.te</tt> policy:
 
module samba4 1.0;
 
 
 
require {
 
  type ntpd_t;
 
  type usr_t;
 
  type initrc_t;
 
  type fs_t;
 
  type setfiles_t;
 
  type lib_t;
 
  type unconfined_t;
 
  type locate_t;
 
  class dir write;
 
  class dir search;
 
  class dir open;
 
  class dir read;
 
  class dir getattr;
 
  class dir remove_name;
 
  class dir add_name;
 
  class dir relabelto;
 
  class unix_stream_socket connectto;
 
  class sock_file write;
 
  class sock_file create;
 
  class sock_file unlink;
 
  class filesystem associate;
 
  class capability sys_admin;
 
}
 
 
 
#============= initrc_t ==============
 
allow initrc_t ntpd_t:dir { write remove_name add_name };
 
allow initrc_t ntpd_t:sock_file create;
 
allow initrc_t ntpd_t:sock_file unlink;
 
 
#============= ntpd_t ==============
 
allow ntpd_t usr_t:sock_file write;
 
allow ntpd_t initrc_t:unix_stream_socket connectto;
 
allow ntpd_t fs_t:filesystem associate;
 
allow ntpd_t lib_t:sock_file write;
 
allow ntpd_t unconfined_t:unix_stream_socket connectto;
 
allow ntpd_t self:sock_file write;
 
allow ntpd_t self:capability sys_admin;
 
 
#============= locate_t ==============
 
allow locate_t ntpd_t:dir { read getattr open search };
 
 
#============= setfiles_t ==============
 
allow setfiles_t ntpd_t:dir relabelto; 
 
 
  
Check and load policy:
+
= Configuring time synchronisation on a Samba Member Server =
$ checkmodule -M -m -o samba4.mod samba4.te
 
$ semodule_package -o samba4.pp -m samba4.mod
 
$ semodule -i samba4.pp
 
 
 
 
 
 
 
 
 
 
 
= Configuring Time Synchronisation on Samba Member Servers =
 
  
 
== Requirements ==
 
== Requirements ==
  
* [http://www.ntp.org/ ntpd]
+
* ntpd from [http://www.ntp.org/ ntp.org], installed via package or self compiled
  
  
  
== Installation ==
+
== Setup ntpd.conf ==
  
* Install ntpd from your distributions repository.
+
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an Samba AD Domain Controller and doesn't provide NTP for others.
 
 
* Compile it yourself.
 
 
 
== Setup ntpd.conf ==
 
  
 
  # Local clock (this is not the localhost address!)
 
  # Local clock (this is not the localhost address!)
Line 184: Line 75:
 
  fudge  127.127.1.0 stratum 10
 
  fudge  127.127.1.0 stratum 10
 
   
 
   
  # The source, where we are receiving the time from (PDC)
+
  # The source, where we are receiving the time from
 
  server DC1.samdom.example.com    iburst prefer
 
  server DC1.samdom.example.com    iburst prefer
 
   
 
   
Line 206: Line 97:
  
  
= Configuring Time Synchronisation on Windows Clients =
+
= Configuring time synchronisation on Windows clients =
 
 
== Default behaviour ==
 
  
Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the „PDC“ role. If you don't want to use a different source, configure fallback time server, etc. you don't have to take action.
+
Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the PDC emulator role. If you don't want to use a different source or to configure multiple time server, etc. you don't have to take any action.
  
  
Line 218: Line 107:
 
If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time sycronisation related options:
 
If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time sycronisation related options:
  
* Create a new Group Policy Object in the Group Policy Management Console and edit it.
+
* Create a new Group Policy Object in the Group Policy Management Console (part of the [[Installing_RSAT|Remote Server Administration Tools]]) and edit it.
  
* In the Group Policy Management Editor, go to „Computer Configuration“ / „Administrative Templates“ / „System“ / „Windows Time Service“ / „Time Providers“.
+
* In the Group Policy Management Editor, go to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  
* Edit the „Configure Windows NTP Client“ policy:
+
* Edit the "Configure Windows NTP Client" policy:
  
 
:[[Image:GPO_Windows_NTP_Client_Options.png]]
 
:[[Image:GPO_Windows_NTP_Client_Options.png]]
  
:This example changes the NTP server setting to a different DC, that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
+
:This example changes the NTP server setting to a DC that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
  
 
* Save the GPO and link it to the desired OU.
 
* Save the GPO and link it to the desired OU.
Line 234: Line 123:
  
  
= Configuring Time Synchronisation on Linux Clients =
+
= Configuring time synchronisation on Linux clients =
  
See [[#Configuring_Time_Synchronisation_on_Samba_Member_Servers|Configuring Time Synchronisation on Samba Member Servers]].
+
See [[#Configuring_time_synchronisation_on_a_Samba_Member_Server|Configuring Time Synchronisation on Samba Member Servers]].

Revision as of 21:57, 5 September 2015

Introducion

In an Active Directory, an accurate time synchronisation is absolutely necessary. E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs it for resolving replication conflicts. The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your domain members (clients, Member Servers, DCs) clock differs more than that to your servers clock, accessing the server is denied. As the default time source in an Active Directory forest, is the Domain Controller with the PDC emulator FSMO role. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time synchronisation in an AD DS hierarchy.

ntpd from http://ntp.org allows allows time syncronisation with external sources and can also be configured to be a time source for others. Please note, that ntpd does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.

See the server information used in documentation page for used pathes, hostnames, etc.



Configuring time synchronisation on a DC

Requirements

  • ntpd >= 4.2.6 from ntp.org, with enabled signed ntp support ("--enable-ntp-signd"), installed via package or self compiled
  • Make sure, that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/

# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/


Setup ntpd.conf

Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an external NTP server and provides time via signed NTP for others.

# Local clock (Note: This is not the localhost address!)
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# The source, where we are receiving the time from
server 0.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine
restrict default kod nomodify notrap nopeer mssntp

# Allow everything from localhost
restrict 127.0.0.1

# Allow that our time source can only provide time and do nothing else
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions. Examples about ntpd SELinux labeling and policy you will find here.



Configuring time synchronisation on a Samba Member Server

Requirements

  • ntpd from ntp.org, installed via package or self compiled


Setup ntpd.conf

Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an Samba AD Domain Controller and doesn't provide NTP for others.

# Local clock (this is not the localhost address!)
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# The source, where we are receiving the time from
server DC1.samdom.example.com     iburst prefer

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp

# Access control
# Default restriction
restrict default ignore

# Allow everything from localhost
restrict 127.0.0.1

# Allow that our time source can only provide time and do nothing else
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions



Configuring time synchronisation on Windows clients

Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the PDC emulator role. If you don't want to use a different source or to configure multiple time server, etc. you don't have to take any action.


Setting user defined time source(s) and options

If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time sycronisation related options:

  • In the Group Policy Management Editor, go to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  • Edit the "Configure Windows NTP Client" policy:
GPO Windows NTP Client Options.png
This example changes the NTP server setting to a DC that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
  • Save the GPO and link it to the desired OU.



Configuring time synchronisation on Linux clients

See Configuring Time Synchronisation on Samba Member Servers.