Time Synchronisation

From SambaWiki
Revision as of 13:39, 8 April 2014

You need a recent ntpd version (4.2.6 or later) that supports signed NTP. The versions shipped with RHEL before 6.1 and Ubuntu before 11.04, for example, are too old; the ntpd shipped with Debian Squeeze does support signed NTP.

1a. Download ntpd from ntp.org (verify the published checksum of the tarball) and compile it with signed NTP enabled (add further ./configure parameters if you need them):

 $ tar -zxvf ntp-4.x.x.tar.gz
 $ cd ntp-4.x.x
 $ ./configure --enable-ntp-signd
 $ make
 $ make install

1b. Set the permissions of the ntp_signd directory (default /usr/local/samba/var/lib/ntp_signd/) to 0750 and its ownership to root:ntp, so that the group ntpd runs as can reach the socket Samba creates inside it while other local users cannot.

2a. If you already run a supported ntpd version with a working ntp.conf, you only need to add or adjust the following two lines (the socket ntpd uses to ask Samba for signatures, and the mssntp flag that tells ntpd to sign replies for MS-SNTP clients):

 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2b. If a minimal ntp.conf is enough for you (the DC serves its own local clock at stratum 12 and never synchronises with an upstream source), use this as the whole file:

 server 127.127.1.0
 fudge 127.127.1.0  stratum 12
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default mssntp

2c. A more complete ntp.conf, which also synchronises the DC with public pool servers, looks like this:

 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 server 0.pool.ntp.org  iburst prefer
 server 1.pool.ntp.org  iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Explanation: any client may query this host for time and, thanks to mssntp, receive signed replies; kod, nomodify, notrap and nopeer stop clients from changing the runtime configuration, setting traps or forming a peer association with us. Localhost is unrestricted. The upstream servers we take time from may do nothing beyond answering our requests (noquery additionally refuses ntpq/ntpdc status queries from them). For more information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions

3. Domain members need no configuration. By default, Windows clients synchronise their time with the DC that holds the PDC emulator FSMO role.
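The following shell script is an added example and not part of the Samba wiki page or of Samba itself. It checks an ntp.conf and the ntp_signd directory for the things steps 1b and 2 require before ntpd is restarted: an ntpsigndsocket line, the mssntp flag on 'restrict default', and a socket directory with mode 0750 and the group ntpd runs as. The function names and the expectation that the group is passed as an argument are assumptions; on a real DC you would run `check_signd_setup /etc/ntp.conf ntp`.

```shell
#!/bin/sh
# Pre-flight checks for Samba signed NTP (added example, not from the Samba wiki).
#   check_ntp_conf CONF        ntp.conf has ntpsigndsocket and 'restrict default ... mssntp'
#   signd_dir_from_conf CONF   prints the ntpsigndsocket directory without its trailing slash
#   check_signd_dir DIR GROUP  directory is mode 0750 and owned by GROUP (the ntpd group)
#   check_signd_setup CONF GROUP  runs all of the above

check_ntp_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Comment lines start with '#' in field 1, so they never match.
    if ! awk '$1 == "ntpsigndsocket" && $2 != "" { found = 1 } END { exit !found }' "$conf"; then
        echo "$conf: no ntpsigndsocket line, ntpd will never ask samba to sign replies" >&2
        return 1
    fi
    # Without mssntp on 'restrict default', Windows clients get unsigned answers
    # and reject the time.
    if ! awk '$1 == "restrict" && $2 == "default" { for (i = 3; i <= NF; i++) if ($i == "mssntp") found = 1 }
              END { exit !found }' "$conf"; then
        echo "$conf: 'restrict default' lacks the mssntp flag" >&2
        return 1
    fi
    return 0
}

signd_dir_from_conf() {
    awk '$1 == "ntpsigndsocket" { sub(/\/+$/, "", $2); print $2; exit }' "$1"
}

check_signd_dir() {
    dir="$1"; want_group="$2"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld works on GNU and BSD alike; a trailing '.' or '+' after the mode
    # (SELinux label, ACL) is dropped by keeping only the first 10 characters.
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10)
    group="$4"
    if [ "$mode" != "drwxr-x---" ]; then
        echo "$dir: mode is $mode, want drwxr-x--- (0750) so only root and $want_group reach the socket" >&2
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, want $want_group" >&2
        return 1
    fi
    return 0
}

check_signd_setup() {
    check_ntp_conf "$1" || return 1
    check_signd_dir "$(signd_dir_from_conf "$1")" "$2"
}
```

The mode check is deliberately exact: a 0755 directory would let any local user connect to the signing socket, and a directory the ntp group cannot search leaves ntpd unable to reach it, so both directions are reported as failures.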

Supported client versions

Please note that the ntp.org ntpd Samba interfaces with does not serve authenticated time to Windows 2000 clients, because those clients do not behave as ntpd expects: they send garbage (presumably uninitialised memory) where ntpd expects zeros. As these clients are very old and unsupported, you may need another way to keep their clocks in sync.

Permissions, SELinux Labeling and Policy

NTP

Set Permissions:

$ chgrp ntp /usr/local/samba/var/lib/ntp_signd

Several attempts to set a working SELinux context for ntpd failed, so the policy module below was needed before Windows clients could synchronise time after joining the domain. Note that ntpd_t is the ntpd process domain rather than a file type; labelling the directory with it is why the module has to grant ntpd_t fs_t:filesystem associate and setfiles_t ntpd_t:dir relabelto for the label to stick.

$ chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd

To make it permanent, record the label in the local file-context database (semanage needs the fcontext subcommand):

$ semanage fcontext -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"

Verify with:

$ cat /etc/selinux/targeted/contexts/files/file_contexts.local

You should see a line like this:

 /usr/local/samba/var/lib/ntp_signd    system_u:object_r:ntpd_t:s0

The policy file below was generated against Samba 4.1.6 on RHEL 6.5 (an older version would look a bit different) and is for reference only. Once you have a base policy file, iterate: run the egrep/audit2allow command below, stop and start the ntpd and samba4 services on your system, and add any new denials to the base policy until none remain.

egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow

When every denial is covered, audit2allow marks each rule as already allowed, so you will see this for each "allow" line of the policy file:

#!!! This avc is allowed in the current policy
allow ntpd_t self:capability sys_admin;
etc...
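As an added example (not from the Samba wiki or the Samba project), the shell function below does by hand the part of audit2allow that matters for this procedure: it keeps the AVC denials whose comm= field matches a regex, extracts the source type, target type, object class and permissions from each, and prints one deduplicated allow rule per denial, writing self where source and target type agree. The three lines in SAMPLE_AUDIT are constructed, not captured from a real system; two mirror rules from the samba4.te module on this page and the third is an unrelated sshd denial that the filter must drop. The function names and the filter regex are assumptions.

```shell
#!/bin/sh
# Turn SELinux AVC denials into allow rules (added example; a hand-rolled subset of audit2allow).
# Real usage: grep avc /var/log/audit/audit.log | avc_to_allow 'ntpd|samba|smbd'

avc_to_allow() {
    awk -v filter="$1" '
    /avc: *denied/ {
        # keep only denials from the processes we care about, matched on comm="..."
        if (filter != "" && $0 !~ ("comm=\"(" filter ")\"")) next
        # permissions are the words between { and }
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level; the type is the third field
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (src == tgt) tgt = "self"    # policy language spells a self-directed rule this way
        rule = "allow " src " " tgt ":" cls " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Constructed sample audit lines (not captured from a real system).
SAMPLE_AUDIT='type=AVC msg=audit(1396959540.123:4567): avc:  denied  { connectto } for  pid=1234 comm="ntpd" path="/usr/local/samba/var/lib/ntp_signd/socket" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1396959541.456:4568): avc:  denied  { sys_admin } for  pid=1234 comm="ntpd" capability=21 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=capability
type=AVC msg=audit(1396959542.789:4569): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# Rules for the sample, restricted to the ntpd and samba processes.
demo_rules() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow 'ntpd|samba|smbd'
}

demo_rules
```

Reading the denials this way before running audit2allow shows which rule each AVC line produces, so an unexpected type (an ntpd_t self:capability sys_admin rule, for instance) can be questioned rather than copied into the module blindly.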

samba4.te policy:

module samba4 1.0;
  
require {
  type ntpd_t;
  type usr_t;
  type initrc_t;
  type fs_t;
  type setfiles_t;
  type lib_t;
  type unconfined_t;
  type locate_t;
  class dir write;
  class dir search;
  class dir open;
  class dir read;
  class dir getattr;
  class dir remove_name;
  class dir add_name;
  class dir relabelto;
  class unix_stream_socket connectto;
  class sock_file write;
  class sock_file create;
  class sock_file unlink;
  class filesystem associate;
  class capability sys_admin;
}
 
#============= initrc_t ==============
allow initrc_t ntpd_t:dir { write remove_name add_name };
allow initrc_t ntpd_t:sock_file create;
allow initrc_t ntpd_t:sock_file unlink;

#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
allow ntpd_t initrc_t:unix_stream_socket connectto;
allow ntpd_t fs_t:filesystem associate;
allow ntpd_t lib_t:sock_file write;
allow ntpd_t unconfined_t:unix_stream_socket connectto;
allow ntpd_t self:sock_file write;
allow ntpd_t self:capability sys_admin;

#============= locate_t ==============
allow locate_t ntpd_t:dir { read getattr open search };

#============= setfiles_t ==============
allow setfiles_t ntpd_t:dir relabelto;  

Check and load policy:

$ checkmodule -M -m -o samba4.mod samba4.te 
$ semodule_package -o samba4.pp -m samba4.mod
$ semodule -i samba4.pp