Difference between revisions of "Time Synchronisation"

m (Mmuehlfeld moved page Time synchronisation to Time Synchronisation: Fix title to TitleCase)
(Rewrote documentation. Rephrased, clearer wording, etc.)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
In an Active Directory, an accurate time synchronisation is absolutely necessary. E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs it for resolving replication conflicts. The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your domain members (clients, Member Servers, DCs) clock differs more than that to your servers clock, accessing the server is denied. As the default time source in an Active Directory forest, is the Domain Controller with the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]]. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time synchronisation in an AD DS hierarchy.
+
In an Active Directory (AD) you must have an accurate time synchronisation. For example, Kerberos requires correct time stamps to prevent replay attacks and the AD uses the time to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied. As a result, a user cannot access shares or query the directory.
  
ntpd from http://ntp.org allows time synchronisation with external sources and can also be configured to be a time source for others. Please note, that ntpd does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.
+
Samba supports the "ntpd" from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon.
  
'''See the [[Host_information_used_in_documentation|host information used in documentation]] page for used paths, hostnames, etc.'''
+
Note that "ntpd" does not support authenticated time synchronisation with Windows 2000 clients.
  
  
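Review bot: the rewritten introduction drops the "See the host information used in documentation page" pointer (old line "'''See the [[Host_information_used_in_documentation|...]] page for used paths, hostnames, etc.'''") without a replacement, yet the sections below still rely on /usr/local/samba/var/lib/ntp_signd/ and DC1.samdom.example.com, which that page explains; keep the link. Also "If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied" reads awkwardly; suggest "If the clock of a domain member or domain controller (DC) differs by more than this, access is denied". The old reason for the Windows 2000 limitation (those clients do not behave as the ntpd server expects) was removed together with the advice that they are unsupported; one sentence on that is worth keeping.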
Line 11: Line 11:
  
  
= Configuring time synchronisation on a DC =
+
= Configuring Time Synchronisation on a DC =
  
 
== Requirements ==
 
== Requirements ==
  
* ntpd >= 4.2.6 from [http://www.ntp.org/ ntp.org], with enabled signed ntp support ("--enable-ntp-signd"), installed via package or self compiled
+
* ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support ("--enable-ntp-signd")
  
* Make sure, that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessible by other
+
* Verify the socket permissions on your domain controller (DC). The "ntpd" daemon must have read permissions in the "ntp_signed" directory. To list the permissions, enter:
  
 +
# ls -ld /usr/local/samba/var/lib/ntp_signd/
 +
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
 +
 +
: To set the permissions, run:
 
  # chown root:ntp /usr/local/samba/var/lib/ntp_signd/
 
  # chown root:ntp /usr/local/samba/var/lib/ntp_signd/
 
  # chmod 750 /usr/local/samba/var/lib/ntp_signd/
 
  # chmod 750 /usr/local/samba/var/lib/ntp_signd/
 
# ls -ld /usr/local/samba/var/lib/ntp_signd/
 
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
 
  
  
  
== Setup ntpd.conf ==
+
== Set up the ntpd.conf File on a DC ==
 +
 
 +
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.
  
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an external NTP server and provides time via signed NTP for others.
+
The following is a minimum "ntpd.conf" file that synchronises the time with three external NTP server and enables clients to query the time using signed NTP requests:
  
  # Local clock (Note: This is not the localhost address!)
+
  # Local clock. Note that is not the "localhost" address!
 
  server 127.127.1.0
 
  server 127.127.1.0
 
  fudge  127.127.1.0 stratum 10
 
  fudge  127.127.1.0 stratum 10
 
   
 
   
  # The source, where we are receiving the time from
+
  # Where to retrieve the time from
 
  server 0.pool.ntp.org    iburst prefer
 
  server 0.pool.ntp.org    iburst prefer
 +
server 1.pool.ntp.org    iburst prefer
 +
server 2.pool.ntp.org    iburst prefer
 
   
 
   
 
  driftfile      /var/lib/ntp/ntp.drift
 
  driftfile      /var/lib/ntp/ntp.drift
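Review bot: the new requirement bullet says the "ntp_signed" directory, but the path on the following lines is /usr/local/samba/var/lib/ntp_signd/; make the name consistent (ntp_signd). Also "the "ntpd" daemon read its configuration" should be "reads", "three external NTP server" should be "servers", and the comment "# Local clock. Note that is not the "localhost" address!" is missing "this".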
Line 43: Line 48:
 
   
 
   
 
  # Access control
 
  # Access control
  # Default restriction: Only allow querying time (incl. ms-sntp) from this machine
+
  # Default restriction: Allow clients only to query the time
 
  restrict default kod nomodify notrap nopeer mssntp
 
  restrict default kod nomodify notrap nopeer mssntp
 
   
 
   
  # Allow everything from localhost
+
  # No restrictions for "localhost"
 
  restrict 127.0.0.1
 
  restrict 127.0.0.1
 
   
 
   
  # Allow that our time source can only provide time and do nothing else
+
  # Enable the time sources to only provide time to this host
 
  restrict 0.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
 
  restrict 0.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
 +
restrict 1.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
 +
restrict 2.pool.ntp.org  mask 255.255.255.255    nomodify notrap nopeer noquery
 +
 +
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
  
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
+
If you have SELinux enabled on your server, see [[Time_Synchronisation_-_SELinux_Labeling_and_Policy|Time Synchronisation - SELinux Labeling and Policy]].
Examples about ntpd SELinux labeling and policy you will find [[Time_syncronisation_SELinux_labeling_and_policy|here]].
 
  
  
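Review bot: the comment "Default restriction: Allow clients only to query the time" does not match the flags on "restrict default kod nomodify notrap nopeer mssntp", which has no noquery while every per-source restrict line below does include it; if arbitrary clients are not meant to send ntpq/ntpdc control queries to the DC, add noquery to the default line too, otherwise reword the comment so it does not promise more than the flags enforce. The SELinux link target also changed from Time_syncronisation_SELinux_labeling_and_policy to Time_Synchronisation_-_SELinux_Labeling_and_Policy; confirm the page was moved or a redirect exists so the link does not go red.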
Line 59: Line 67:
  
  
= Configuring time synchronisation on Samba Domain Members =
+
= Configuring Time Synchronisation on a Linux Domain Member =
  
 
== Requirements ==
 
== Requirements ==
  
* ntpd from [http://www.ntp.org/ ntp.org], installed via package or self compiled
+
* ntpd from http://www.ntp.org.
 +
 
  
  
 +
== Set up the ntpd.conf File on a Linux Domain Member ==
  
== Setup ntpd.conf ==
+
Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.
  
Typically ntpd's configuration file is /etc/ntpd.conf in most distributions. In the following, you see a working minimum ntpd.conf, that retrieves its time from an Samba AD Domain Controller and doesn't provide NTP for others.
+
The following is a minimum "ntpd.conf" file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) "DC1" and "DC2" and does not provide time services for other hosts.
  
  # Local clock (this is not the localhost address!)
+
  # Local clock. Note that is not the "localhost" address!
 
  server 127.127.1.0
 
  server 127.127.1.0
 
  fudge  127.127.1.0 stratum 10
 
  fudge  127.127.1.0 stratum 10
 
   
 
   
  # The source, where we are receiving the time from
+
  # Where to retrieve the time from
 
  server DC1.samdom.example.com    iburst prefer
 
  server DC1.samdom.example.com    iburst prefer
 +
server DC2.samdom.example.com    iburst
 
   
 
   
 
  driftfile /var/lib/ntp/ntp.drift
 
  driftfile /var/lib/ntp/ntp.drift
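Review bot: "Typically, the "ntpd" daemon read its configuration" should read "reads", and "# Local clock. Note that is not the "localhost" address!" is missing "this". The paragraph mentions the Samba AD domain controllers "DC1" and "DC2"; since the restrict lines use the full names DC1.samdom.example.com and DC2.samdom.example.com, refer to them the same way in the prose so the reader sees which host names to replace.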
Line 82: Line 93:
 
   
 
   
 
  # Access control
 
  # Access control
  # Default restriction
+
  # Default restriction: Disallow everything
 
  restrict default ignore
 
  restrict default ignore
 
   
 
   
  # Allow everything from localhost
+
  # No restrictions for "localhost"
 
  restrict 127.0.0.1
 
  restrict 127.0.0.1
 
   
 
   
  # Allow that our time source can only provide time and do nothing else
+
  # Enable the time sources only to only provide time to this host
 
  restrict DC1.samdom.example.com  mask 255.255.255.255    nomodify notrap nopeer noquery
 
  restrict DC1.samdom.example.com  mask 255.255.255.255    nomodify notrap nopeer noquery
 +
restrict DC2.samdom.example.com  mask 255.255.255.255    nomodify notrap nopeer noquery
 +
 +
For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
  
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions
 
  
  
  
  
 +
= Configuring Time Synchronisation on a Windows Domain Member =
  
= Configuring time synchronisation on Windows clients =
+
== Default Time Source ==
  
Per default, Windows clients in an Active Directory, automatically synchronize their time with the DC, owning the PDC emulator role. If you don't want to use a different source or to configure multiple time server, etc. you don't have to take any action.
+
Windows AD domain members use the DC holding the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]] as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.
  
  
  
== Setting user defined time source(s) and options ==
+
== Setting User Defined Time Sources and Options ==
  
If you require your Windows clients to synchronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time synchronisation related options:
+
To configure a different time source than the domain controller (DC) holding the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]]:
  
* Create a new Group Policy Object in the Group Policy Management Console (part of the [[Installing_RSAT|Remote Server Administration Tools]]) and edit it.
+
* Open the Group Policy Management Console (GPMC).
 +
: To install, see [[Installing_RSAT|Installing the Remote Server Administration Tools (RSAT)]].
  
* In the Group Policy Management Editor, go to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
+
* Create a new group policy object (GPO).
 +
 
 +
* Right-click the GPO and select "Edit".
 +
 
 +
* In the Group Policy Management Editor (GPME) navigate to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  
 
* Edit the "Configure Windows NTP Client" policy:
 
* Edit the "Configure Windows NTP Client" policy:
 +
 +
* To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol:
  
 
:[[Image:GPO_Windows_NTP_Client_Options.png]]
 
:[[Image:GPO_Windows_NTP_Client_Options.png]]
  
:This example changes the NTP server setting to a DC that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
+
:For descriptions on the other options in the screen capture, see the GPO help.
 +
 
 +
* Save the GPO
  
* Save the GPO and link it to the desired OU.
+
* Link the GPO to a organizational unit (OU) or to the domain.
  
  

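Review bot: "# Enable the time sources only to only provide time to this host" duplicates "only", and "Link the GPO to a organizational unit (OU)" should be "an organizational unit". In the Windows steps, "* Edit the "Configure Windows NTP Client" policy:" and "* To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol:" are now two top-level bullets although the second is a sub-step of the first; indent it. The old sentence explaining that the example points at a DC that provides time but does not own the PDC role was dropped; keep one sentence of it, because it is the only place that says why DC2 rather than the PDC emulator appears in the screenshot.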
Revision as of 00:00, 4 September 2016

Introduction

In an Active Directory (AD), accurate time synchronisation is mandatory. For example, Kerberos requires correct time stamps to prevent replay attacks, and AD uses time stamps to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If the clock of a domain member or domain controller (DC) differs from the domain time by more than this, access is denied. As a result, the user cannot access shares or query the directory.

Samba supports "ntpd" from http://ntp.org. The daemon synchronises the local clock with external sources and enables clients to retrieve the time from the server running the daemon.

Note that "ntpd" does not support authenticated time synchronisation with Windows 2000 clients.



Configuring Time Synchronisation on a DC

Requirements

  • ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support ("--enable-ntp-signd")
  • Verify the socket permissions on your domain controller (DC). The "ntpd" daemon must have read permissions in the "ntp_signd" directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
To set the permissions, run:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/


Set up the ntpd.conf File on a DC

Typically, the "ntpd" daemon reads its configuration from the /etc/ntpd.conf file.

The following is a minimum "ntpd.conf" file that synchronises the time with three external NTP servers and enables clients to query the time using signed NTP requests:

# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.

If you have SELinux enabled on your server, see Time Synchronisation - SELinux Labeling and Policy.



Configuring Time Synchronisation on a Linux Domain Member

Requirements

  • ntpd from http://www.ntp.org
Set up the ntpd.conf File on a Linux Domain Member

Typically, the "ntpd" daemon reads its configuration from the /etc/ntpd.conf file.

The following is a minimum "ntpd.conf" file that synchronises the time with the Samba Active Directory (AD) domain controllers (DCs) "DC1" and "DC2" and does not provide time services for other hosts.

# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server DC1.samdom.example.com     iburst prefer
server DC2.samdom.example.com     iburst

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp

# Access control
# Default restriction: Disallow everything
restrict default ignore

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict DC2.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
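As an added example (not part of the Samba wiki page), the following script audits an ntpd.conf against the DC and Linux domain member patterns shown in the two sections above: the local clock fudge, a matching restrict line for every time source, and, on a DC, the mssntp flag and ntpsigndsocket setting. The noquery check on the default restriction is stricter than the wiki's DC example and is an assumption of this audit; the two configuration texts are constructed from the page, abridged.

```python
# Added audit script, not from the Samba wiki. Constructed configs below are
# abridged copies of the DC and member examples on this page.
DC_CONF = """\
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""
MEMBER_CONF = """\
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server DC1.samdom.example.com iburst prefer
restrict default ignore
restrict 127.0.0.1
restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
"""

def parse_conf(text):
    """Yield (keyword, args) for every non-empty, non-comment ntpd.conf line."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def audit(text, role):
    """Return a list of findings for a DC ('dc') or Linux member ('member') config."""
    entries = list(parse_conf(text))
    restricts = {a[0]: set(a[1:]) for k, a in entries if k == "restrict"}
    default = restricts.get("default", set())
    findings = []
    if not any(k == "fudge" and "stratum" in a for k, a in entries):
        findings.append("local clock has no 'fudge ... stratum' line")
    for k, a in entries:  # every real time source needs its own restrict line
        if k == "server" and not a[0].startswith("127.127.") \
                and not {"nomodify", "notrap", "nopeer", "noquery"} <= restricts.get(a[0], set()):
            findings.append(f"source {a[0]} is not restricted to providing time only")
    if role == "dc":
        if "mssntp" not in default:
            findings.append("restrict default lacks 'mssntp': Windows clients get unsigned replies")
        if not any(k == "ntpsigndsocket" for k, _ in entries):
            findings.append("ntpsigndsocket is not set: signed NTP cannot work")
        if "noquery" not in default:  # assumption: control queries should not be public
            findings.append("restrict default lacks 'noquery': ntpq/ntpdc control queries open")
    elif "ignore" not in default:
        findings.append("a member serving no clients should use 'restrict default ignore'")
    return findings
```

Run `audit(open("/etc/ntpd.conf").read(), "dc")` on a real DC to get the same findings for its live configuration.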



Configuring Time Synchronisation on a Windows Domain Member

Default Time Source

Windows AD domain members use the DC holding the PDC emulator FSMO role as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.


Setting User Defined Time Sources and Options

To configure a different time source than the domain controller (DC) holding the PDC emulator FSMO role:

  • Open the Group Policy Management Console (GPMC).
To install, see Installing the Remote Server Administration Tools (RSAT).
  • Create a new group policy object (GPO).
  • Right-click the GPO and select "Edit".
  • In the Group Policy Management Editor (GPME) navigate to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  • Edit the "Configure Windows NTP Client" policy:
  • To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol:
GPO Windows NTP Client Options.png
For descriptions on the other options in the screen capture, see the GPO help.
  • Save the GPO
  • Link the GPO to an organizational unit (OU) or to the domain.