[Samba] Questions about time synchronisation in a multi-DC Samba environment
L.P.H. van Belle
belle at bazuin.nl
Mon Apr 8 14:56:54 UTC 2019
For all DCs, set up NTP.
And point all DCs to the same source.
To avoid different time offsets, use a STRATUM 1 NTP server and don't use the default pools.
Look for a server close to you.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stephen via samba
> Sent: Monday 8 April 2019 16:52
> To: samba at lists.samba.org
> Subject: [Samba] Questions about time synchronisation in a multi-DC Samba environment
> Hi All,
>
> I am currently running a setup with a main DC ad1, that has ntpd
> installed and is currently configured to retrieve the time from the UK
> NTP time pool. I also have a second backup AD DC, ad2, on which I have
> not installed ntpd but I have installed ntpdate. My current
> understanding is that the setup I have just described is in line with
> the recommended best practices outlined in the following document:
>
> My question is this:
>
> How do those of you using Samba in multi DC setups ensure that time
> remains synchronised between all the DCs present in the domain when
> using this kind of arrangement? Obviously ad1 will keep itself
> accurately synchronised here automatically since it has already been
> configured to use ntpd. My concern here is the other slave DCs in the
> setup such as ad2 which currently lack ntpd.
>
> At the moment, when I create my server ad2 within my script I call
> ntpdate -u ad1 to synchronise the time on ad2 against ad1 initially.
> When I do this I see the following output which seems correct:
>
> pi at ad2:~ $ sudo ntpdate -u ad1
> 8 Apr 15:39:16 ntpdate: adjust time server 192.168.1.229 offset -0.000224 sec
>
> Whilst this approach does seem to work, my understanding here is that
> synchronisation via ntpdate is a one-off event. So my concern is after
> this initial synchronisation during the server commissioning process the
> ad2 clock could slowly drift away from ad1, eventually breaking Kerberos
> authentication when this drift reaches approximately 5 minutes.
>
> How can I make sure my ad2 clock remains in step with ad1 and
> re-synchronises repeatedly? Is a regular cron job and ntpdate the answer
> here, or do people usually use a different approach in their own networks?
>
> Please enlighten me!
> Kind Regards
> Stephen Ellwood
> The ntp.conf file used on my ad1 server is posted below:
> pi at ad1:~ $ cat /etc/ntp.conf
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> driftfile /var/lib/ntp/ntp.drift
> ntpsigndsocket /var/lib/samba/ntp_signd/
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
> # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> # pick a different set every time it starts up. Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> pool 0.uk.pool.ntp.org iburst
> pool 1.uk.pool.ntp.org iburst
> pool 2.uk.pool.ntp.org iburst
> pool 3.uk.pool.ntp.org iburst
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details. The web page
> # might also be helpful.
> # Note that "restrict" applies to both servers and clients, so a
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
> # By default, exchange time with everybody, but don't allow
> restrict -4 default kod notrap nomodify nopeer noquery limited
> restrict -6 default kod notrap nomodify nopeer noquery limited
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
> # Needed for adding pool entries
> restrict source notrap nomodify noquery
> restrict default kod nomodify notrap nopeer mssntp
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines. Please do this only if you trust everybody on the network!
> #disable auth
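Stephen's worry is that ad2, synced once with ntpdate, drifts until Kerberos stops working at roughly 5 minutes of skew, and Louis's answer is to run ntpd on every DC against the same source. Whichever way the clocks are kept in step, a practitioner will want to notice drift before it reaches that limit. The POSIX shell check below is an added example, not code from the thread or from the Samba project: it parses the same "offset ... sec" line that ntpdate prints in Stephen's output and grades the drift against the Kerberos skew limit. The thresholds KERB_MAX_SKEW (assumed to be the krb5 default clockskew of 300 s) and WARN_SKEW, the function names, and the sample result lines are the example's own; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): flag clock drift
# between DCs before it reaches the Kerberos clock-skew limit, by parsing
# the "offset <seconds> sec" result line that ntpdate prints.

# Kerberos rejects tickets once clocks differ by more than its clockskew
# setting; 300 s is the krb5 default (assumption for this example).
# Warn well before that so the drift can be fixed while logons still work.
KERB_MAX_SKEW=300
WARN_SKEW=60

# Pull the signed offset (seconds) out of an ntpdate result line such as
#   8 Apr 15:39:16 ntpdate: adjust time server 192.168.1.229 offset -0.000224 sec
# Prints nothing if the line carries no offset.
ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-+]\{0,1\}[0-9][0-9.]*\) sec.*/\1/p'
}

# Return 0 when |offset| is below the given limit, 1 otherwise
# (awk does the floating-point comparison, which sh cannot).
within_limit() {
    awk -v off="$1" -v max="$2" 'BEGIN {
        if (off < 0) off = -off
        if (off < max) exit 0
        exit 1
    }'
}

# Classify one ntpdate result line: prints OK, WARN or CRITICAL and returns
# 0, 1 or 2 respectively, so cron or a monitoring agent can act on the status.
# Returns 3 when the line cannot be parsed (e.g. "no server suitable").
classify_line() {
    off=$(ntpdate_offset "$1")
    if [ -z "$off" ]; then
        echo "UNKNOWN: no offset found in: $1"
        return 3
    fi
    if within_limit "$off" "$WARN_SKEW"; then
        echo "OK: offset ${off}s"
        return 0
    elif within_limit "$off" "$KERB_MAX_SKEW"; then
        echo "WARN: offset ${off}s is approaching the Kerberos skew limit of ${KERB_MAX_SKEW}s"
        return 1
    else
        echo "CRITICAL: offset ${off}s exceeds the Kerberos skew limit of ${KERB_MAX_SKEW}s"
        return 2
    fi
}

# Query a peer with -q (report only, never step the clock) and classify the
# last line mentioning an offset. Usage on ad2: check_peer ad1
check_peer() {
    classify_line "$(ntpdate -q "$1" 2>&1 | grep 'offset' | tail -n 1)"
}

# Constructed sample lines for an offline demonstration. The first mirrors the
# healthy output in the post; the other two show a drifting and a broken DC.
SAMPLE_OK='8 Apr 15:39:16 ntpdate: adjust time server 192.168.1.229 offset -0.000224 sec'
SAMPLE_WARN='8 Apr 15:39:16 ntpdate: adjust time server 192.168.1.229 offset 95.112345 sec'
SAMPLE_CRIT='8 Apr 15:39:16 ntpdate: step time server 192.168.1.229 offset -331.501200 sec'

for line in "$SAMPLE_OK" "$SAMPLE_WARN" "$SAMPLE_CRIT"; do
    classify_line "$line" || true
done
```

Run from cron on each secondary DC as `check_peer ad1` and route the non-zero exit status to whatever alerts you; a WARN gives time to fix the sync before authentication fails. The check only detects drift, it does not correct it: the fix is the one Louis gives above, ntpd on every DC pointed at the same upstream source.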