Time Synchronisation: Difference between revisions

From SambaWiki
(Created page with " You require a recent ntpd version (=>4.2.6) that supports signed ntp. E. g. the version shipped with RHEL6 and Ubuntu < 11.04 are to old. The Ntpd of Debian Squeeze supports sig…")
 
(tell that client reconfiguration is usually NOT necessary)
(47 intermediate revisions by 11 users not shown)
Old revision (left column of the diff; the current revision is rendered in full below):

You require a recent ntpd version (>= 4.2.6) that supports signed NTP. For example, the versions shipped with RHEL 6 and Ubuntu < 11.04 are too old. The ntpd of Debian Squeeze supports signed NTP.

1. Download ntpd from ntp.org (verify the md5 sum) and compile it (add additional ./configure parameters, if needed):

 $ tar -zxvf ntp-4.x.x.tar.gz
 $ cd ntp-4.x.x
 $ ./configure --enable-ntp-signd
 $ make
 $ make install

2a. If you already have a supported ntpd version and an ntp.conf, you only have to add or adjust the following lines for a minimal setup:

 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2b. If a minimal/simple ntp.conf is fine for you, fill the file with the following:

 server 127.127.1.0
 fudge 127.127.1.0 stratum 12
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2c. A more complex ntp.conf is the following:

 server 127.127.1.0
 fudge 127.127.1.0 stratum 10
 server 0.pool.ntp.org iburst prefer
 server 1.pool.ntp.org iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

For explanation: this config allows clients to receive time from this NTP host, localhost has no restrictions, and the servers we receive the time from are not allowed to do anything other than provide the time to us. For more information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions

3. On members of the domain you don't have to configure anything. By default they will receive the time from the DC that holds the PDC FSMO role.

=== NTP ===

Set permissions:

 $ chgrp ntp /usr/local/samba/var/lib/ntp_signd

Multiple attempts to set the SELinux context for ntp failed, so the policy below was needed for Windows clients to synchronise time after joining the domain.

 $ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd
 $ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/
 $ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket

<tt>samba4.te</tt> policy:

 module samba4 1.0;
 
 require {
         type ntpd_t;
         type usr_t;
         type initrc_t;
         class sock_file write;
         class unix_stream_socket connectto;
 }
 
 #============= ntpd_t ==============
 allow ntpd_t usr_t:sock_file write;
 allow ntpd_t initrc_t:unix_stream_socket connectto;

Check and load the policy:

 $ checkmodule -M -m -o samba4.mod samba4.te
 $ semodule_package -o samba4.pp -m samba4.mod
 $ semodule -i samba4.pp

----

Revision as of 11:32, 26 April 2018

Introduction

In an Active Directory (AD), accurate time synchronisation is mandatory. For example, Kerberos requires correct time stamps to prevent replay attacks, and AD uses time stamps to resolve replication conflicts. The default maximum allowed clock deviation in an AD is 5 minutes. If the clock of a domain member or domain controller (DC) is ahead of or behind the domain by more than this, access is denied. As a result, a user cannot access shares or query the directory.

Samba supports the ntpd from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon.

By default, domain-joined Windows clients synchronise their clock via NT5DS with the DC that holds the PDC emulator FSMO role. The NT5DS protocol uses digital signatures, which Samba can provide if ntpd runs on the same server and is configured as described on this page (with the mssntp and ntpsigndsocket options). Alternatively you could configure all machines to use standard NTP, but NT5DS is recommended.

Note that ntpd does not support authenticated time synchronisation with Windows 2000 clients.

Configuring Time Synchronisation on a DC

Requirements

  • ntpd >= 4.2.6 from http://www.ntp.org, compiled with signed NTP support enabled (--enable-ntp-signd)
  • Verify the socket directory permissions on your domain controller (DC). The ntpd daemon must have read permissions on the ntp_signd directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
To set the permissions, run:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/
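As an added example (written for this page; not a Samba or ntpd tool, and the helper names are my own), the following Python check verifies the properties the commands above establish: the directory is group-owned by the group ntpd runs as (assumed to be ntp, as on this page), is readable and searchable by that group, and is not world-accessible. The demo runs the check against a temporary directory instead of /usr/local/samba/var/lib/ntp_signd/, so it can be tried anywhere.

```python
import grp
import os
import stat
import tempfile

# Hypothetical helper names, added for this page; not part of Samba or ntpd.


def group_name(gid):
    """Resolve a gid to a name, falling back to the number if /etc/group lacks it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_signd_dir(path, ntp_group="ntp"):
    """Return a list of problems; an empty list means ntpd can reach the signd socket."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    # ntpd needs r-x on the directory to list it and connect to the socket inside it
    if mode & 0o050 != 0o050:
        problems.append(f"group lacks read+execute: mode {mode:04o}, the page uses 0750")
    # the page's 0750 keeps other local users away from the signing socket
    if mode & 0o007:
        problems.append(f"directory is world-accessible: mode {mode:04o}, the page uses 0750")
    actual_group = group_name(st.st_gid)
    if actual_group != ntp_group:
        problems.append(f"group is {actual_group}, expected {ntp_group}")
    return problems


def demo():
    """Exercise the check on a constructed temporary directory (not the real socket dir)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "ntp_signd")
        os.mkdir(d, 0o750)
        os.chmod(d, 0o750)  # mkdir applies the umask; force the mode the page uses
        my_group = group_name(os.stat(d).st_gid)  # stand-in for the 'ntp' group
        ok = check_signd_dir(d, my_group)         # expect: no problems
        os.chmod(d, 0o700)
        too_tight = check_signd_dir(d, my_group)  # expect: group cannot read the dir
        os.chmod(d, 0o755)
        too_loose = check_signd_dir(d, my_group)  # expect: world-accessible
    return ok, too_tight, too_loose


if __name__ == "__main__":
    for label, result in zip(("0750", "0700", "0755"), demo()):
        print(label, result or "ok")
```

On a real DC, call check_signd_dir("/usr/local/samba/var/lib/ntp_signd/") with the group ntpd actually runs as; a non-empty result means the chown/chmod step above still has to be done.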


Set up the ntpd.conf File on a DC

Typically, the ntpd daemon reads its configuration from the /etc/ntpd.conf file.

The following is a minimum ntpd.conf file that synchronises the time with three external NTP servers and enables clients to query the time using signed NTP requests:

# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Allow the time sources only to provide time to this host
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.

If you have SELinux enabled on your server, see Time Synchronisation - SELinux Labeling and Policy.



Configuring Time Synchronisation on a Unix Domain Member

Requirements

  • ntpd from http://www.ntp.org.

Set up the ntpd.conf File on a Unix Domain Member

Typically, the ntpd daemon reads its configuration, depending on the operating system, from the /etc/ntpd.conf or /etc/ntp.conf file.

The following is a minimum conf file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) DC1 and DC2 and does not provide time services for other hosts.

# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server DC1.samdom.example.com     iburst prefer
server DC2.samdom.example.com     iburst

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp

# Access control
# Default restriction: Disallow everything
restrict default ignore

# No restrictions for "localhost"
restrict 127.0.0.1

# Allow the time sources only to provide time to this host
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict DC2.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
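The DC file and the domain-member file above encode one access-control idea from opposite sides: the DC answers time requests from anyone (and signs them for Windows clients via mssntp and ntpsigndsocket) while its own upstream sources may do nothing but serve time; the member drops everything except packets from its DCs. The following Python linter is an added example written for this page, not part of Samba or ntpd: it parses the server, restrict and ntpsigndsocket lines of an ntp.conf and reports settings that break those properties. The configuration strings are constructed copies of the two files above plus one deliberately broken DC variant; the flag names and the mask syntax are ntpd's own.

```python
# Added example for this page; not Samba or ntpd code. Function names are my own.

# Constructed copy of the DC configuration shown on this page.
DC_CONF = """
# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer
driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
"""

# Constructed copy of the Unix domain member configuration shown on this page.
MEMBER_CONF = """
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server DC1.samdom.example.com     iburst prefer
server DC2.samdom.example.com     iburst
restrict default ignore
restrict 127.0.0.1
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict DC2.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery
"""

# Constructed broken DC file: no ntpsigndsocket, no mssntp, one unrestricted source.
BAD_DC_CONF = """
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""

SOURCE_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}  # what an upstream source should get


def parse_ntp_conf(text):
    """Return (sources, restricts, options); '#' comments and blank lines are dropped."""
    sources, restricts, options = [], {}, {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key in ("server", "peer", "pool") and args:
            sources.append(args[0])
        elif key == "restrict" and args:
            if args[0] in ("-4", "-6"):  # address-family form: restrict -4 default ...
                args = args[1:]
            flags = set(args[1:])
            if "mask" in args[1:]:       # drop 'mask a.b.c.d', keep only the flags
                flags.discard("mask")
                flags.discard(args[args.index("mask") + 1])
            restricts[args[0]] = flags
        elif key in ("ntpsigndsocket", "driftfile", "logfile") and args:
            options[key] = args[0]
    return sources, restricts, options


def audit_ntp_conf(text, role):
    """role is 'dc' or 'member'. Returns (problems, notes); problems is empty when the file
    matches the properties this page relies on."""
    sources, restricts, options = parse_ntp_conf(text)
    problems, notes = [], []
    default = restricts.get("default")
    if default is None:
        problems.append("no 'restrict default' line: every host may query, modify and peer")
        default = set()
    if role == "dc":
        if "ntpsigndsocket" not in options:
            problems.append("ntpsigndsocket missing: ntpd cannot sign NT5DS replies")
        if "ignore" in default:
            problems.append("'restrict default ignore' on a DC drops client time requests")
        else:
            if "mssntp" not in default:
                problems.append("'restrict default' lacks mssntp: Windows clients get unsigned replies")
            for flag in ("nomodify", "notrap", "nopeer"):
                if flag not in default:
                    problems.append(f"'restrict default' lacks {flag}")
            if "noquery" not in default:
                notes.append("default allows ntpq/ntpdc queries; add noquery if clients only need time")
    elif "ignore" not in default:
        problems.append("member serves time to other hosts: use 'restrict default ignore'")
    for host in sources:
        if host.startswith("127.127."):
            continue  # reference-clock pseudo-address, not a network peer
        flags = restricts.get(host)
        if flags is None and "ignore" in default:
            problems.append(f"source {host} falls under 'default ignore': its replies are dropped")
        elif flags is None:
            problems.append(f"source {host} has no restrict line")
        elif not SOURCE_FLAGS <= flags:
            problems.append(f"source {host} restrict lacks {sorted(SOURCE_FLAGS - flags)}")
    return problems, notes


if __name__ == "__main__":
    for name, conf, role in (("DC", DC_CONF, "dc"), ("member", MEMBER_CONF, "member"),
                             ("broken DC", BAD_DC_CONF, "dc")):
        print(name, audit_ntp_conf(conf, role))
```

The only finding against the page's own DC file is a note, not a problem: its default restriction allows clients to query ntpd's status with ntpq/ntpdc as well as to ask for time, so adding noquery there is a reasonable hardening if clients never need those queries. The member file passes because its explicit restrict lines for DC1 and DC2 override the default ignore, which is exactly what lets their replies through.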



Configuring Time Synchronisation on a Windows Domain Member

The following describes the basics of how to configure time synchronisation on a Windows domain member. For further details, see your Microsoft Windows documentation.


Default Time Source

Windows AD domain members use the DC holding the PDC emulator FSMO role as default time source. If you have set up ntp on the DC as described on this page, you usually do not need to reconfigure the clients. Alternative configuration options for the clients are described below.

For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.

Setting User Defined Time Sources and Options

To create a group policy object (GPO) for setting a user-defined NTP time source and options:

  • Log in to a computer using an account that allows you to edit group policies, such as the AD domain Administrator account.
  • Open the Group Policy Management Console. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
  • Right-click your AD domain and select Create a GPO in this domain, and Link it here.
  • Enter a name for the GPO, such as Time Sources. The new GPO is shown below the domain entry.
  • Right-click the newly-created GPO and select Edit to open the Group Policy Management Editor.
  • Navigate to the Computer Configuration → Policies → Administrative Templates → System → Windows Time Service → Time Providers entry, and double-click Configure Windows NTP Client to configure the policy:
      • Enable the policy and set the following options:
          • Enter the fully qualified domain name (FQDN) of the NTP server in the NtpServer field and append the 0x9 flag. For example:
            (Image: GPO_Windows_NTP_Client_Options.png)
            To enter multiple servers, separate the individual entries with a space.
          • Keep the NT5DS type setting.
          • Update the additional parameters, if necessary.
      • Click OK to save the settings.
  • Navigate to the Computer Configuration → Policies → Administrative Templates → System → Windows Time Service → Time Providers entry, and double-click Enable Windows NTP Client to configure the policy:
      • Enable the policy.
      • Click OK to save the settings.
  • Close the Group Policy Management Editor.
  • Close the Group Policy Management Console.


Notes:

  • The default Type NT5DS ignores the parameter NtpServer, and syncs with the DC.
  • If ntpd on your DC is not configured for mssntp with ntpsigndsocket, use Type NTP.
  • If a client will not be able to connect to the DC for a long time (for example a laptop), use Type AllSync and set NtpServer to "time.windows.com,0x9". This will cause the client to try both NT5DS to your DC, and NTP to NtpServer.