Time Synchronisation: Difference between revisions

From SambaWiki
m (Fixed link)
m (Fixed link)
Line 119: Line 119:
== Setting User Defined Time Sources and Options ==
== Setting User Defined Time Sources and Options ==


To configure a different time source than the domain controller (DC) holding the [[Flexible_Single-Master_Operations_(FSMO)_roles#PDC_Emulator|PDC emulator FSMO role]]:
To configure a different time source than the domain controller (DC) holding the [[Flexible_Single-Master_Operations_(FSMO)_Roles#PDC_Emulator|PDC emulator FSMO role]]:


* Open the Group Policy Management Console (GPMC).
* Open the Group Policy Management Console (GPMC).

Revision as of 14:00, 9 October 2016

Introduction

In an Active Directory (AD) you must have an accurate time synchronisation. For example, Kerberos requires correct time stamps to prevent replay attacks and the AD uses the time to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied. As a result, a user cannot access shares or query the directory.

Samba supports the "ntpd" from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon.

Note that "ntpd" does not support authenticated time synchronisation with Windows 2000 clients.



Configuring Time Synchronisation on a DC

Requirements

  • ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support ("--enable-ntp-signd")
  • Verify the socket permissions on your domain controller (DC). The "ntpd" daemon must have read permissions in the "ntp_signed" directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
To set the permissions, run:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/
# chmod 750 /usr/local/samba/var/lib/ntp_signd/


Set up the ntpd.conf File on a DC

Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.

The following is a minimum "ntpd.conf" file that synchronises the time with three external NTP server and enables clients to query the time using signed NTP requests:

# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.

If you have SELinux enabled on your server, see Time Synchronisation - SELinux Labeling and Policy.



Configuring Time Synchronisation on a Linux Domain Member

Requirements


Set up the ntpd.conf File on a Linux Domain Member

Typically, the "ntpd" daemon read its configuration from the /etc/ntpd.conf file.

The following is a minimum "ntpd.conf" file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) "DC1" and "DC2" and does not provide time services for other hosts.

# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server DC1.samdom.example.com     iburst prefer
server DC2.samdom.example.com     iburst

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp

# Access control
# Default restriction: Disallow everything
restrict default ignore

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources only to only provide time to this host
restrict DC1.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict DC2.samdom.example.com   mask 255.255.255.255    nomodify notrap nopeer noquery

For further information about the "ntpd" access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.



Configuring Time Synchronisation on a Windows Domain Member

Default Time Source

Windows AD domain members use the DC holding the PDC emulator FSMO role as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.


Setting User Defined Time Sources and Options

To configure a different time source than the domain controller (DC) holding the PDC emulator FSMO role:

  • Open the Group Policy Management Console (GPMC).
To install, see Installing the Remote Server Administration Tools (RSAT).
  • Create a new group policy object (GPO).
  • Right-click the GPO and select "Edit".
  • In the Group Policy Management Editor (GPME) navigate to "Computer Configuration" / "Administrative Templates" / "System" / "Windows Time Service" / "Time Providers".
  • Edit the "Configure Windows NTP Client" policy:
  • To set "DC2.samdom.example.com" as the only and primary time source ("0x9") using the NTP protocol:
GPO Windows NTP Client Options.png
For descriptions on the other options in the screen capture, see the GPO help.
  • Save the GPO
  • Link the GPO to a organizational unit (OU) or to the domain.