Time Synchronisation: Difference between revisions
Mmuehlfeld (talk | contribs) m (moved Configure NTP to Time Synchronisation: The new HowTo version will contain everything about time syncronisation. Not just configuring NTP) |
Mmuehlfeld (talk | contribs) (Complete re-write of the HowTo, incl. client configuration, etc.) |
||
Line 1: | Line 1: | ||
= Introducion = |
|||
You require a recent ntpd version (=>4.2.6) that supports signed ntp. E. g. the version shipped with RHEL < 6.1 and Ubuntu < 11.04 are too old. The Ntpd of Debian Squeeze supports signed ntp. |
|||
In an Active Directory, an accurate time syncronisation is required and critical like DNS E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs them for resolving replication conflicts. |
|||
1a. Download ntpd from ntp.org (verify md5 sum) and compile it (add additional ./configure parameters, if needed): |
|||
The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your clients clock differs more than that to your servers clock, accessing the server is denied. |
|||
$ tar -zxvf ntp-4.x.x.tar.gz |
|||
$ cd ntp-4.x.x |
|||
$ ./configure --enable-ntp-signd |
|||
$ make |
|||
$ make install |
|||
In an Active Directory, the Domain Controller with the PDC Emulator role is considered as the default time source in a forest. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time syncronisation in an AD DS hierarchy. |
|||
1b. Set the permission of the ntp_signd directory (default /usr/local/samba/var/lib/ntp_signd/) to 0750 and its owner to root:ntp to ensure that it is readable from ntpd. |
|||
2a. If you already have a supported ntpd version and ntp.conf, you have to add/adjust only the following lines for minimal: |
|||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ |
|||
restrict default mssntp |
|||
2b. If a minimal/simple ntp.conf is fine for you, then fill the file with the following: |
|||
server 127.127.1.0 |
|||
fudge 127.127.1.0 stratum 12 |
|||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ |
|||
restrict default mssntp |
|||
= General information = |
|||
2c. A more complex ntp.conf is the following: |
|||
server 127.127.1.0 |
|||
fudge 127.127.1.0 stratum 10 |
|||
server 0.pool.ntp.org iburst prefer |
|||
server 1.pool.ntp.org iburst prefer |
|||
driftfile /var/lib/ntp/ntp.drift |
|||
logfile /var/log/ntp |
|||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ |
|||
restrict default kod nomodify notrap nopeer mssntp |
|||
restrict 127.0.0.1 |
|||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
For explanation: This config allows clients to receive time from this NTP host, localhost |
|||
doesn't have any restrictions, and the servers we receive the time from, are not allowed |
|||
to do anything other than providing the time to us. For more information about ntpd |
|||
access control, see |
|||
http://support.ntp.org/bin/view/Support/AccessRestrictions |
|||
== Server information used in this HowTo == |
|||
3. On members of the domain you don't have to configure anything. Per default they will receive |
|||
the time from the DC that has the FSMO role PDC. |
|||
Inside this HowTo, we will be using the following configuration/settings: |
|||
== Supported client versions == |
|||
Installation Directory: /usr/local/samba/ |
|||
Please note that the ntp.org server we interface with does not support authenticated time to Windows 2000 clients. This is due to these clients not behaving as the ntp.org server expects (they send garbage - presumably un-initialised memory - when the server expects zeros). As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync. |
|||
Domain Controller (owner of PDC role): DC1.samdom.example.com |
|||
Domain Controller (not owner of PDC role): DC2.samdom.example.com |
|||
== Permissions, SELinux Labeling and Policy == |
|||
=== NTP === |
|||
Set Permissions: |
|||
$ chgrp ntp /usr/local/samba/var/lib/ntp_signd |
|||
== Limitations of ntpd with old clients == |
|||
Please note that [http://www.ntp.org/ ntpd from ntp.org] Samba interface with, does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync. |
|||
= Configuring Time Syncronisation on a DC = |
|||
== Requirements == |
|||
* [http://www.ntp.org/ ntpd] >= 4.2.6 with enabled signed ntp support |
|||
== Installation == |
|||
* Install ntpd from your distributions repository. Make sure, that it was compiled using the „--enable-ntp-signd“ option! |
|||
* Compile by yourself (Add „--enable-ntp-signd“ to the „configure“ options!). |
|||
== Check Samba AD DC socket permissions == |
|||
Check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: |
|||
# ls -ld /usr/local/samba/var/lib/ntp_signd/ |
|||
drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/ |
|||
== Setup ntpd.conf == |
|||
# Local clock (this is not the localhost address!) |
|||
server 127.127.1.0 |
|||
fudge 127.127.1.0 stratum 10 |
|||
# The source, where we are receiving the time from |
|||
server 0.pool.ntp.org iburst prefer |
|||
driftfile /var/lib/ntp/ntp.drift |
|||
logfile /var/log/ntp |
|||
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ |
|||
# Access control |
|||
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine |
|||
restrict default kod nomodify notrap nopeer mssntp |
|||
# Allow everything from localhost |
|||
restrict 127.0.0.1 |
|||
# Allow that our time source can only provide time and do nothing else |
|||
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions |
|||
== SELinux Labeling and Policy (optional) == |
|||
Set policy for Windows client time sync: |
|||
Multiple attempts to set the context for ntp failed so the below policy was needed for windows clients time sync after joining the DOMAIN. |
|||
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd |
|||
Make the policy permanent |
|||
# semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd" |
|||
Verify |
Verify the change |
||
# cat /etc/selinux/targeted/contexts/files/file_contexts.local |
|||
You should see a line like |
You should see a line like: |
||
/usr/local/samba/var/lib/ntp_signd system_u:object_r:ntpd_t:s0 |
|||
The below |
The below policy file is based on 4.1.6 on RHEL 6.5 and should be for reference only. Always run the below egrep command, after you have a base policy file created. Then stop / start ntpd and Samba AD services on your system and add to the base policy until competed. |
||
egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow |
egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow |
||
If all is |
If all is fine, you'll see this for each "allow" line below in the policy file. |
||
#!!! This avc is allowed in the current policy |
#!!! This avc is allowed in the current policy |
||
allow ntpd_t self:capability sys_admin; |
allow ntpd_t self:capability sys_admin; |
||
etc |
etc. |
||
etc... |
|||
<tt>samba4.te</tt> policy: |
<tt>samba4.te</tt> policy: |
||
Line 126: | Line 160: | ||
$ semodule_package -o samba4.pp -m samba4.mod |
$ semodule_package -o samba4.pp -m samba4.mod |
||
$ semodule -i samba4.pp |
$ semodule -i samba4.pp |
||
= Configuring Time Syncronisation on Samba Member Servers = |
|||
== Requirements == |
|||
* [http://www.ntp.org/ ntpd] |
|||
== Installation == |
|||
* Install ntpd from your distributions repository. |
|||
* Compile it by yourself. |
|||
== Setup ntpd.conf == |
|||
# Local clock (this is not the localhost address!) |
|||
server 127.127.1.0 |
|||
fudge 127.127.1.0 stratum 10 |
|||
# The source, where we are receiving the time from (PDC) |
|||
server DC1.samdom.example.com iburst prefer |
|||
driftfile /var/lib/ntp/ntp.drift |
|||
logfile /var/log/ntp |
|||
# Access control |
|||
# Default restriction |
|||
restrict default ignore |
|||
# Allow everything from localhost |
|||
restrict 127.0.0.1 |
|||
# Allow that our time source can only provide time and do nothing else |
|||
restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery |
|||
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions |
|||
= Configuring Time Syncronisation on Windows Clients = |
|||
== Default behaviour == |
|||
Per default, Windows clients in an Active Directory, automatically syncronize their time with the DC, owning the „PDC“ role. If you don't want to use a different source, configure fallback time server, etc. you don't have to take action. |
|||
== Setting user defined time source(s) and options == |
|||
If you require your Windows clients to syncronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time sycronisation related options: |
|||
* Create a new Group Policy Object in the Group Policy Management Console and edit it. |
|||
* In the Group Policy Management Editor, go to „Computer Configuration“ / „Administrative Templates“ / „System“ / „Windows Time Service“ / „Time Providers“. |
|||
* Edit the „Configure Windows NTP Client“ policy: |
|||
[[Image:GPO_Windows_NTP_Client_Options.png]] |
|||
:This example changes the NTP server setting to a different DC, that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx. |
|||
* Save the GPO and link it to the desired OU. |
|||
= Configuring Time Syncronisation on Linux Clients = |
|||
See [[#Configuring_Time_Syncronisation_on_Samba_Member_Servers|Configuring Time Syncronisation on Samba Member Servers]]. |
Revision as of 16:00, 4 May 2014
Introducion
In an Active Directory, an accurate time syncronisation is required and critical like DNS E. g. Kerberos relies on correct timestamps to prevent replay attacks and AD needs them for resolving replication conflicts.
The maximum time tolerance in an Active Directory is 5 minutes per default. If e. g. your clients clock differs more than that to your servers clock, accessing the server is denied.
In an Active Directory, the Domain Controller with the PDC Emulator role is considered as the default time source in a forest. See http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr for information about time syncronisation in an AD DS hierarchy.
General information
Server information used in this HowTo
Inside this HowTo, we will be using the following configuration/settings:
Installation Directory: /usr/local/samba/ Domain Controller (owner of PDC role): DC1.samdom.example.com Domain Controller (not owner of PDC role): DC2.samdom.example.com
Limitations of ntpd with old clients
Please note that ntpd from ntp.org Samba interface with, does not support authenticated time to Windows 2000 clients! This is due to these clients not behaving as the ntpd server expects. As these clients are now very old and unsupported, you may need to find another way to keep these clocks in sync.
Configuring Time Syncronisation on a DC
Requirements
- ntpd >= 4.2.6 with enabled signed ntp support
Installation
- Install ntpd from your distributions repository. Make sure, that it was compiled using the „--enable-ntp-signd“ option!
- Compile by yourself (Add „--enable-ntp-signd“ to the „configure“ options!).
Check Samba AD DC socket permissions
Check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other:
# ls -ld /usr/local/samba/var/lib/ntp_signd/ drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
Setup ntpd.conf
# Local clock (this is not the localhost address!) server 127.127.1.0 fudge 127.127.1.0 stratum 10 # The source, where we are receiving the time from server 0.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ # Access control # Default restriction: Only allow querying time (incl. ms-sntp) from this machine restrict default kod nomodify notrap nopeer mssntp # Allow everything from localhost restrict 127.0.0.1 # Allow that our time source can only provide time and do nothing else restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions
SELinux Labeling and Policy (optional)
Set policy for Windows client time sync:
# chcon -u system_u -t ntpd_t /usr/local/samba/var/lib/ntp_signd
Make the policy permanent
# semanage -a -t ntpd_t "/usr/local/samba/var/lib/ntp_signd"
Verify the change
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
You should see a line like:
/usr/local/samba/var/lib/ntp_signd system_u:object_r:ntpd_t:s0
The below policy file is based on 4.1.6 on RHEL 6.5 and should be for reference only. Always run the below egrep command, after you have a base policy file created. Then stop / start ntpd and Samba AD services on your system and add to the base policy until competed.
egrep "samba|ntpd" /var/log/audit/audit.log | audit2allow
If all is fine, you'll see this for each "allow" line below in the policy file.
#!!! This avc is allowed in the current policy allow ntpd_t self:capability sys_admin; etc.
samba4.te policy:
module samba4 1.0; require { type ntpd_t; type usr_t; type initrc_t; type fs_t; type setfiles_t; type lib_t; type unconfined_t; type locate_t; class dir write; class dir search; class dir open; class dir read; class dir getattr; class dir remove_name; class dir add_name; class dir relabelto; class unix_stream_socket connectto; class sock_file write; class sock_file create; class sock_file unlink; class filesystem associate; class capability sys_admin; } #============= initrc_t ============== allow initrc_t ntpd_t:dir { write remove_name add_name }; allow initrc_t ntpd_t:sock_file create; allow initrc_t ntpd_t:sock_file unlink; #============= ntpd_t ============== allow ntpd_t usr_t:sock_file write; allow ntpd_t initrc_t:unix_stream_socket connectto; allow ntpd_t fs_t:filesystem associate; allow ntpd_t lib_t:sock_file write; allow ntpd_t unconfined_t:unix_stream_socket connectto; allow ntpd_t self:sock_file write; allow ntpd_t self:capability sys_admin; #============= locate_t ============== allow locate_t ntpd_t:dir { read getattr open search }; #============= setfiles_t ============== allow setfiles_t ntpd_t:dir relabelto;
Check and load policy:
$ checkmodule -M -m -o samba4.mod samba4.te $ semodule_package -o samba4.pp -m samba4.mod $ semodule -i samba4.pp
Configuring Time Syncronisation on Samba Member Servers
Requirements
Installation
- Install ntpd from your distributions repository.
- Compile it by yourself.
Setup ntpd.conf
# Local clock (this is not the localhost address!) server 127.127.1.0 fudge 127.127.1.0 stratum 10 # The source, where we are receiving the time from (PDC) server DC1.samdom.example.com iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp # Access control # Default restriction restrict default ignore # Allow everything from localhost restrict 127.0.0.1 # Allow that our time source can only provide time and do nothing else restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about ntpd access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions
Configuring Time Syncronisation on Windows Clients
Default behaviour
Per default, Windows clients in an Active Directory, automatically syncronize their time with the DC, owning the „PDC“ role. If you don't want to use a different source, configure fallback time server, etc. you don't have to take action.
Setting user defined time source(s) and options
If you require your Windows clients to syncronize time with a different server than your DC owning the PDC role, you can configure this via Group Policies. Using the following way, you can define multiple time servers and adjust time sycronisation related options:
- Create a new Group Policy Object in the Group Policy Management Console and edit it.
- In the Group Policy Management Editor, go to „Computer Configuration“ / „Administrative Templates“ / „System“ / „Windows Time Service“ / „Time Providers“.
- Edit the „Configure Windows NTP Client“ policy:
- This example changes the NTP server setting to a different DC, that provides time, but is not owner of the PDC role. For further explanations on the possible options, see the description in the policy and, visit http://technet.microsoft.com/de-de/library/cc779145%28v=ws.10%29.aspx.
- Save the GPO and link it to the desired OU.
Configuring Time Syncronisation on Linux Clients
See Configuring Time Syncronisation on Samba Member Servers.