Time Synchronisation
Introduction
In an Active Directory (AD) you must have an accurate time synchronisation. For example, Kerberos requires correct time stamps to prevent replay attacks and the AD uses the time to resolve replication conflicts. The default maximum allowed time deviation in an AD is 5 minutes. If a domain member or domain controller (DC) has a higher or lower time difference, the access is denied. As a result, a user cannot access shares or query the directory.
Samba supports the ntpd
from http://ntp.org. The daemon synchronises the time with external sources and enables clients to retrieve the time from the server running the daemon.
Note that ntpd
does not support authenticated time synchronisation with Windows 2000 clients.
Configuring Time Synchronisation on a DC
Requirements
- ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support (
--enable-ntp-signd
)
- Verify the socket permissions on your domain controller (DC). The
ntpd
daemon must have read permissions in thentp_signed
directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/ drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/
- To set the permissions, run:
# chown root:ntp /usr/local/samba/var/lib/ntp_signd/ # chmod 750 /usr/local/samba/var/lib/ntp_signd/
Set up the ntpd.conf File on a DC
Typically, the ntpd
daemon read its configuration from the /etc/ntpd.conf
file.
The following is a minimum ntpd.conf
file that synchronises the time with three external NTP server and enables clients to query the time using signed NTP requests:
# Local clock. Note that is not the "localhost" address! server 127.127.1.0 fudge 127.127.1.0 stratum 10 # Where to retrieve the time from server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer server 2.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ # Access control # Default restriction: Allow clients only to query the time restrict default kod nomodify notrap nopeer mssntp # No restrictions for "localhost" restrict 127.0.0.1 # Enable the time sources to only provide time to this host restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about the ntpd
access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
If you have SELinux enabled on your server, see Time Synchronisation - SELinux Labeling and Policy.
Configuring Time Synchronisation on a Unix Domain Member
Requirements
- ntpd from http://www.ntp.org.
Set up the ntpd.conf File on a Unix Domain Member
Typically, the ntpd
daemon reads its configuration, depending on the operating system, from the /etc/ntpd.conf
or /etc/ntp.conf
file.
The following is a minimum conf file that synchronises the time with the Samba Active Directory (AD) domain controllers (DC) DC1
and DC2
and does not provide time services for other hosts.
# Local clock. Note that is not the "localhost" address! server 127.127.1.0 fudge 127.127.1.0 stratum 10 # Where to retrieve the time from server DC1.samdom.example.com iburst prefer server DC2.samdom.example.com iburst driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp # Access control # Default restriction: Disallow everything restrict default ignore # No restrictions for "localhost" restrict 127.0.0.1 # Enable the time sources only to only provide time to this host restrict DC1.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery restrict DC2.samdom.example.com mask 255.255.255.255 nomodify notrap nopeer noquery
For further information about the ntpd
access control, see http://support.ntp.org/bin/view/Support/AccessRestrictions.
Configuring Time Synchronisation on a Windows Domain Member
Default Time Source
Windows AD domain members use the DC holding the PDC emulator FSMO role as default time source. For more information about the time synchronisation and hierarchy in an AD, see http://technet.microsoft.com/en-us/library/cc773013%28v=ws.10%29.aspx#w2k3tr_times_how_izcr.
Setting User Defined Time Sources and Options
To create a group policy object (GPO) to for setting a user defined NTP time source and options:
- Log in to a computer using an account that is allowed you to edit group policies, such as the AD domain
Administrator
account.
- Open the
Group Policy Management Console
. If you are not having the Remote Server Administration Tools (RSAT) installed on this computer, see Installing RSAT.
- Right-click to your AD domain and select
Create a GPO in this domain, and Link it here
.
- Enter a name for the GPO, such as
Time Sources
. The new GPO is shown below the domain entry.
- Right-click to the newly-created GPO and select
Edit
to open theGroup Policy Management Editor
.
- Navigate to the
Computer Configuration
→Policies
→Administrative Templates
→System
→Windows Time Service
→Time Providers
entry.
- Double-click to the
Configure Windows NTP Client
policy to edit:
- Enable the policy and set the following options:
Enable Windows NTP Client
In order for the above settings to have any effect, you will need to enable the Windows NTP client on the client machines. This can be done on via group policy as follows:
- Navigate to the
Computer Configuration
→Policies
→Administrative Templates
→System
→Windows Time Service
→Time Providers
entry.
- Double-click to the
Enable Windows NTP Client
policy to edit:
- Enable the policy (there are no options to set).
- Close the policy properties by clicking OK. The GPO is automatically saved on the Sysvol share on the domain controller (DC).
- Close the
Group Policy Management Editor
.
- Close the
Group Policy Management Console
.