[Samba] Samba4, NTP, and Ubuntu 12.04

Andrew Martin amartin at xes-inc.com
Mon Jul 8 15:34:17 MDT 2013


I have a question regarding signed NTP support for Samba4 on Ubuntu 12.04. I have followed most of the steps outlined here:

These steps I did differently are:
* I did not install from source because the latest Ubuntu package for ntp available on Ubuntu 12.04 includes ntp-signd support already
* I did not install Samba4 to /usr/local/samba, so I also modified that part of ntp.conf 
* Ubuntu uses AppArmor instead of SELinux - I found that the apparmor profile for ntp already includes support for ntp-signd for Samba4:

Therefore, I created the /var/run/samba/ntp_signd directory and set permissions on it:
# mkdir /var/run/samba/ntp_signd
# chown root:ntp /var/run/samba/ntp_signd
# chmod 0750 /var/run/samba/ntp_signd
# ls -l /var/run/samba | grep ntp_signd
drwxr-x--- 2 root ntp              40 Jul  8 13:59 ntp_signd

The contents of my /etc/ntp.conf are:
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
fudge stratum 10
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 0.pool.ntp.org mask nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask nomodify notrap nopeer noquery

I then restarted ntpd with "service ntp restart" and attempted to run "w32tm /rsync" from a domain member. Using Wireshark, I see the query packet leave the client going to the server, but the server never sends a packet in response. Performing an strace on the ntpd process reveals that it cannot access /var/run/samba/ntp_signd/socket - "No such file or directory". After trying a number of things (permissions, other locations for ntp_signd, changes to ntp.conf), I eventually reverted to this (above) configuration. 

After a period of time, it just starts working. I can run "w32tm /resync" successfully and see the response packet from the server via Wireshark. I then rebooted the Samba4 DC server to test that it continues to work after a restart. The /var/run directory is emptied on reboot, so now the /var/run/samba directory does not contain ntp_signd; it does not exist. Yet even with that directory not existing, the Windows client is still able to sync time from the server! The strace no longer contains the "No such file or directory" error. How is this possible? Is this working correctly?



More information about the samba mailing list