[Samba] Questions about time synchronisation in a multi-DC Samba environment

Stephen stephen at ogdenradar.com
Mon Apr 8 14:51:32 UTC 2019

Hi All,

I am currently running a setup with a main DC ad1, that has ntpd 
installed and is currently configured to retrieve the time from the UK 
NTP time pool. I also have a second backup AD DC, ad2, on which I have 
not installed ntpd but I have installed ntpdate. My current 
understanding is that the setup I have just described is in-line with 
the recommended best practices outlined in the following document:

My question is this:

How do those of you using Samba in multi DC setups ensure that time 
remains synchronised between all the DCs present in the domain when 
using this kind of arrangement? Obviously ad1 will keep itself 
accurately synchronised here automatically since it has already been 
configured to use ntpd. My concern here is the other slave DCs in the 
setup such as ad2 which currently lack ntpd.

At the moment, when I create my server ad2 within my script  i call 
ntpdate -u ad1 to synchronise the time on ad2 against ad1 initially. 
When I do this I see the following output which seems correct:
pi at ad2:~ $ sudo ntpdate -u ad1
  8 Apr 15:39:16 ntpdate[602]: adjust time server offset 
-0.000224 sec

Whilst this approach does seem to work, my understanding here is that 
synchronisation via ntpdate is a one-off event. So my concern is after 
this initial synchronisation during the server commissioning process the 
ad2 clock could slowly drift away from ad1, eventually breaking Kerberos 
authentication when this drift reaches  approximately 5 minutes.

How can I make sure my ad2 clock remains in step with ad1 and 
re-synchronises repeatedly? Is a regular cron job and ntpdate the answer 
here, or do people usually use a different approach in their own networks?
Please enlighten me!

Kind Regards
Stephen Ellwood

The ntp.conf file used on my ad1 server is posted below:

pi at ad1:~ $ cat /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server 
# pick a different set every time it starts up.  Please consider joining 
# pool: <http://www.pool.ntp.org/join.html>
pool 0.uk.pool.ntp.org iburst
pool 1.uk.pool.ntp.org iburst
pool 2.uk.pool.ntp.org iburst
pool 3.uk.pool.ntp.org iburst

# Access control configuration; see 
/usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page 
# might also be helpful.
# Note that "restrict" applies to both servers and clients, so a 
# that might be intended to block requests from certain clients could 
also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.
restrict ::1

# Needed for adding pool entries
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict mask notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)

# If you want to listen to time broadcasts on your local subnet, 
de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth

More information about the samba mailing list