Time Synchronisation

From SambaWiki
Revision as of 03:30, 21 January 2013

You require a recent ntpd version (>= 4.2.6) that supports signed NTP. For example, the versions shipped with RHEL6 and Ubuntu < 11.04 are too old, while the ntpd shipped with Debian Squeeze supports signed NTP.

1. Download ntpd from ntp.org (verify the md5 sum) and compile it (add additional ./configure parameters if needed):

 $ tar -zxvf ntp-4.x.x.tar.gz
 $ cd ntp-4.x.x
 $ ./configure --enable-ntp-signd
 $ make
 $ make install

2a. If you already have a supported ntpd version and an ntp.conf, you only have to add or adjust the following lines for a minimal setup:

 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2b. If a minimal/simple ntp.conf is fine for you, then fill the file with the following:

 server 127.127.1.0
 fudge 127.127.1.0  stratum 12
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2c. A more complex ntp.conf is the following:

 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 server 0.pool.ntp.org  iburst prefer
 server 1.pool.ntp.org  iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

For explanation: this config allows clients to receive time from this NTP host, localhost has no restrictions, and the servers we receive the time from are not allowed to do anything other than provide time to us. For more information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions

3. On members of the domain you don't have to configure anything. By default they will receive the time from the DC that holds the PDC FSMO role.
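As an added check that is not part of the original wiki page, the following POSIX shell script verifies that an ntp.conf carries the two directives Samba's signed NTP needs (ntpsigndsocket and a mssntp default restriction) and lists which of the hardening flags used in the more complex example above are absent from the default restriction. It assumes only sh, grep -E, head and tr; the demo config it writes is a constructed copy of the minimal ntp.conf from step 2b.

```shell
#!/bin/sh
# Added example: sanity-check an ntp.conf for Samba signed NTP (MS-SNTP).
# Assumes only POSIX sh, grep -E, head and tr; the demo config is constructed.

# check_signd_conf FILE
# Returns 0 when both directives Samba needs are present:
#   ntpsigndsocket <dir>   and   restrict default ... mssntp
check_signd_conf() {
    conf="$1"
    rc=0
    if ! grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "MISSING: ntpsigndsocket directive (ntpd cannot reach Samba's ntp_signd)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]]+[^[:space:]]+)*[[:space:]]+mssntp([[:space:]]|$)' "$conf"; then
        echo "MISSING: 'restrict default ... mssntp' (domain members get unsigned replies)"
        rc=1
    fi
    return $rc
}

# missing_default_flags FILE
# Prints, one per line, which of the hardening flags from the more complex
# ntp.conf (kod nomodify notrap nopeer) are absent from 'restrict default'.
missing_default_flags() {
    line=$(grep -E '^[[:space:]]*restrict[[:space:]]+default' "$1" | head -n 1 | tr '\t' ' ')
    for flag in kod nomodify notrap nopeer; do
        case " $line " in
            *" $flag "*) ;;
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Demo on a constructed copy of the minimal ntp.conf from step 2b.
demo_conf=$(mktemp)
printf '%s\n' 'server 127.127.1.0' 'fudge 127.127.1.0  stratum 12' \
    'ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/' 'restrict default mssntp' > "$demo_conf"
if check_signd_conf "$demo_conf"; then
    echo "signed-NTP directives present; default restriction lacks:"
    missing_default_flags "$demo_conf"
fi
rm -f "$demo_conf"
```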

== Permissions, SELinux Labeling and Policy ==

=== NTP ===

Set Permissions:

 $ chgrp ntp /usr/local/samba/var/lib/ntp_signd

Multiple attempts to set the SELinux context for ntpd failed, so the policy below was needed before Windows clients could synchronise time after joining the domain.

 $ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd
 $ chcon -u system_u -t ntpd_t /usr/local/samba/var/run/
 $ chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket

samba4.te policy:

 module samba4 1.0;
 
 require {
    type ntpd_t;
    type usr_t;
    type initrc_t;
    class sock_file write;
    class unix_stream_socket connectto;
 }
 
 #============= ntpd_t ==============
 allow ntpd_t usr_t:sock_file write;
 allow ntpd_t initrc_t:unix_stream_socket connectto;

Check, package and load the policy module:

 $ checkmodule -M -m -o samba4.mod samba4.te
 $ semodule_package -o samba4.pp -m samba4.mod
 $ semodule -i samba4.pp