[Samba] samba as a time server (newby question): time not updated
Jonathan Johnson
jon at sutinen.com
Fri Jun 23 15:05:38 GMT 2006
On 6/21/2006 4:41 AM, Thomas Heiligenmann wrote:
> Ivan Teliatnikov schrieb:
>> On Tue, 2006-06-20 at 08:21 -0500, Adam Williams wrote:
>>> Sorry I haven't followed the thread, but if you use netlogon script,
>>> you can put in it
>>>
>>> net time \\server /set /yes
>> I do use netlogon and the line is in the script. It starts working ONLY
>> if the use who logs in has escalated (PowerUser or Admin) privileges on
>> the machine, this is not possible because we use DOMAIN authentication.
>>
>> I still cannot understand why it does not work? Do you I need to change
>> permissions on each client to allow non-admin users to change time?
> IIRC yes - you have to add 'SeSystemTimePrivilege' to the users. Under
> nt40 it's accessible under UserManager, there's also a command line
> tool named ntrights.exe, or you could try Samba's rpcclient...
Setting the system time is, by default, a right reserved to members of
the local Administrators and Power Users groups on the local machine.
(Note that Domain Admins is a member of the local Administrators group.)
This can be changed in group policy under Windows 2000/XP. In the group
policy editor, look under "Local Computer Policy\Computer
Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignment". The policy name is "Change the system time".
This right can be assigned by domain group policy (though I'm not sure
how to globally apply group policy in a Samba domain). It can also be
assigned on Windows NT systems, but at the moment I can't recall how.
As far as the Windows Time service that is included with Windows 2000
and later goes, be aware that it synchronizes to an Internet-based time
server only once a week. In a Windows 2000 (or later) domain, the
Windows Time service synchronizes with the domain controller. For a
discussion of the Windows Time service, please see this Microsoft link:
http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx
(Note: this link discusses Windows Server 2003, but I believe it mostly
applies to XP and 2000 systems as well.)
I have found that synchronizing once a week is sometimes not often
enough -- a computer's clock can drift considerably in that time (I have
seen anywhere from 1/2 sec per day to several seconds per day). For some
applications, especially where the systems are in a regulated
environment such as securities trading, this is far too much drift to be
acceptable. A very useful utility I have found to improve this is Tom
Horsley's NTPTime, which is an NTP client. You can download it here:
http://home.att.net/~Tom.Horsley/ntptime.html
As others have suggested, on your Samba server, be sure to run an NTP
server. Configuring it can be daunting, so don't give up too easily.
Once configured, it will keep the clock on your Samba server very
accurate. Then configure your workstations and other servers to
synchronize against the Samba server (instead of an Internet server, to
keep the load on those servers down).
-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
More information about the samba
mailing list