[Samba] Questions about time synchronisation in a multi-DC Samba environment

L.P.H. van Belle belle at bazuin.nl
Mon Apr 8 14:56:54 UTC 2019


Hai, 


For all DCs, set up NTP. 
And point all DCs to the same source. 
To avoid different time offsets, use a STRATUM 1 NTP server and don't use the default pools. 
https://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
Look for a server close to you. 

Greetz, 

Louis

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Stephen via samba
> Sent: Monday 8 April 2019 16:52
> To: samba at lists.samba.org
> Subject: [Samba] Questions about time synchronisation in a 
> multi-DC Samba environment
> 
> Hi All,
> 
> I am currently running a setup with a main DC ad1, that has ntpd 
> installed and is currently configured to retrieve the time from the UK 
> NTP time pool. I also have a second backup AD DC, ad2, on which I have 
> not installed ntpd but I have installed ntpdate. My current 
> understanding is that the setup I have just described is in-line with 
> the recommended best practices outlined in the following document:
> https://wiki.samba.org/index.php/Time_Synchronisation
> 
> 
> My question is this:
> 
> How do those of you using Samba in multi DC setups ensure that time 
> remains synchronised between all the DCs present in the domain when 
> using this kind of arrangement? Obviously ad1 will keep itself 
> accurately synchronised here automatically since it has already been 
> configured to use ntpd. My concern here is the other slave DCs in the 
> setup such as ad2 which currently lack ntpd.
> 
> At the moment, when I create my server ad2 within my script I call 
> ntpdate -u ad1 to synchronise the time on ad2 against ad1 initially. 
> When I do this I see the following output which seems correct:
> pi at ad2:~ $ sudo ntpdate -u ad1
>   8 Apr 15:39:16 ntpdate[602]: adjust time server 192.168.1.229 offset -0.000224 sec
> 
> Whilst this approach does seem to work, my understanding here is that 
> synchronisation via ntpdate is a one-off event. So my concern is after 
> this initial synchronisation during the server commissioning process the 
> ad2 clock could slowly drift away from ad1, eventually breaking Kerberos 
> authentication when this drift reaches approximately 5 minutes.
> 
> How can I make sure my ad2 clock remains in step with ad1 and 
> re-synchronises repeatedly? Is a regular cron job and ntpdate the answer 
> here, or do people usually use a different approach in their own networks?
> Please enlighten me!
> 
> Kind Regards
> Stephen Ellwood
> 
> The ntp.conf file used on my ad1 server is posted below:
> 
> pi at ad1:~ $ cat /etc/ntp.conf
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> 
> driftfile /var/lib/ntp/ntp.drift
> ntpsigndsocket /var/lib/samba/ntp_signd/
> 
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
> 
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> 
> 
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
> 
> # pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
> # pick a different set every time it starts up.  Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> pool 0.uk.pool.ntp.org iburst
> pool 1.uk.pool.ntp.org iburst
> pool 2.uk.pool.ntp.org iburst
> pool 3.uk.pool.ntp.org iburst
> 
> 
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
> 
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery limited
> restrict -6 default kod notrap nomodify nopeer noquery limited
> 
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
> 
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
> restrict default kod nomodify notrap nopeer mssntp
> 
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
> 
> 
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
> 
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines.  Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
> 
> 
> 
> 
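Stephen's worry is silent drift on a DC that only ran ntpdate once, and Louis's answer is to run ntpd against one stratum-1 source on every DC. Either way it is worth having a check that tells you how far each DC's clock sits from a reference before Kerberos starts failing. The script below is an added example, not code from the thread, from Samba or from the Samba wiki. It assumes ntpdate is installed on the host it runs on (as on Stephen's ad2), uses `ntpdate -q` so it only queries and never adjusts the clock, and uses an assumed 60 s warning threshold alongside the roughly 5 minute (300 s) Kerberos skew limit Stephen mentions. The sample ntpdate line is constructed in the format shown in the mail.

```shell
#!/bin/sh
# Clock-drift check for AD DCs. Added example; not part of the thread, Samba,
# or the Samba wiki. Assumes ntpdate is installed where this runs.

# Constructed sample in the format ntpdate prints (address copied from the
# mail purely as a format example).
SAMPLE_LINE='8 Apr 15:39:16 ntpdate[602]: adjust time server 192.168.1.229 offset -0.000224 sec'

# Assumed thresholds in seconds: warn well before Kerberos breaks, and treat
# the ~5 minute skew limit mentioned in the thread as critical.
WARN_SECS=60
CRIT_SECS=300

# ntp_offset LINE: print the signed offset (seconds) found in an ntpdate
# output line. Works for the "adjust time server ... offset X sec" summary
# and for the "server X, stratum N, offset Y, delay Z" lines of ntpdate -q.
ntp_offset() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit }
    }'
}

# drift_status OFFSET: classify the absolute offset as ok, warn or critical.
drift_status() {
    awk -v off="$1" -v warn="$WARN_SECS" -v crit="$CRIT_SECS" 'BEGIN {
        if (off < 0) off = -off
        if (off >= crit) print "critical"
        else if (off >= warn) print "warn"
        else print "ok"
    }'
}

# check_host HOST: query HOST with ntpdate -q (no clock adjustment) and
# classify the reported offset; prints "unreachable" and fails if HOST
# returned no offset at all.
check_host() {
    line=$(ntpdate -q "$1" 2>/dev/null | grep ' offset ' | head -n 1)
    if [ -z "$line" ]; then
        echo "unreachable"
        return 1
    fi
    drift_status "$(ntp_offset "$line")"
}

# check_all HOST...: report every host; exit status 1 if any host is
# unreachable or critical, so cron or a monitor can alert on it.
check_all() {
    rc=0
    for host in "$@"; do
        if status=$(check_host "$host"); then
            [ "$status" = "critical" ] && rc=1
        else
            rc=1
        fi
        printf '%s: %s\n' "$host" "$status"
    done
    return $rc
}

# Usage: ./dc-drift.sh ad1 ad2 ...   (run from cron on each DC, or from a
# monitoring host, against the DCs and the stratum-1 source they all use)
if [ "$#" -gt 0 ]; then
    check_all "$@"
    exit $?
fi
```

Run it against ad1 and the shared upstream from each DC; an offset that keeps growing between runs is the symptom Stephen describes, and the fix is the one Louis gives (ntpd on every DC, same source), with this check left in place to catch a DC whose ntpd has stopped syncing.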
