[Samba] NTP/Chrony + samba-AD-DC
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 26 08:58:19 UTC 2019
Hai Rowland and all happy campers on the samba list, of course ;-)
Can you/someone verify this?
Just read it, no need to set up Ubuntu.
I think it's ok, you see what I mean below, the 2x winbind part in apparmor.
(samba -b the needed part)
WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
After some checking I notice (possible) problems in both packages.
And take note of how I make this change!
The NTP part (apt install ntp)
And Yes, we have an apparmor bug in NTPD and Chrony.
# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw, << incorrect path.
# samba4 winbindd pipe
/run/samba/winbindd/pipe rw, < could be better, but not wrong.
For Chrony. (apt install chrony)
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
That's missing the winbindd pipe part.
I'm only questioning: /var/lib/samba/winbindd_privileged/ and/or /var/run/samba/winbindd/pipe ?
Since I'm not sure here, I've added the winbindd_privileged also.
I suggest this, should be easy and quick fix.
First we make sure the LOCAL file is included, so it picks up our personal settings.
# NTPD fix.
# The shipped profile already ends with "#include <local/usr.sbin.ntpd>";
# in AppArmor the leading "#" is part of the include directive, not a
# comment, so there is nothing to uncomment: only check the line is there.
grep -q 'include <local/usr.sbin.ntpd>' /etc/apparmor.d/usr.sbin.ntpd \
  || echo "usr.sbin.ntpd profile has no local include, add it before the closing }" >&2
cat <<'EOF' >> /etc/apparmor.d/local/usr.sbin.ntpd
# To sign replies to MS-SNTP clients by the samba daemon (/var/lib/samba)
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
# samba4 winbindd pipe
/{,var/}run/samba/winbindd r,
/{,var/}run/samba/winbindd/pipe rw,
# samba4 winbindd privileged pipe ? Needed?
/var/lib/samba/winbindd_privileged r,
/var/lib/samba/winbindd_privileged/pipe rw,
EOF
# reload the changed profile
apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
# Chrony fix (same story: "#include <local/usr.sbin.chronyd>" is already active)
grep -q 'include <local/usr.sbin.chronyd>' /etc/apparmor.d/usr.sbin.chronyd \
  || echo "usr.sbin.chronyd profile has no local include, add it before the closing }" >&2
cat <<'EOF' >> /etc/apparmor.d/local/usr.sbin.chronyd
# To sign replies to MS-SNTP clients by the samba daemon (/var/lib/samba)
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
# samba4 winbindd pipe
/{,var/}run/samba/winbindd r,
/{,var/}run/samba/winbindd/pipe rw,
# samba4 winbindd privileged pipe ? Needed?
/var/lib/samba/winbindd_privileged r,
/var/lib/samba/winbindd_privileged/pipe rw,
EOF
# reload the changed profile
apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd
Now both should work fine again, but someone needs to verify this.
I don't use apparmor myself on my servers.
Personally, I advise using NTPD for the AD-DCs only.
Why? ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client.
But if you don't need that, then chrony should be fine also.
Greetz,
Louis
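Worked example added by the editor, not code from Louis's post or from the Samba, ntp or Ubuntu packages: instead of hard-coding /var/lib/samba/ntp_signd, read the signing socket directory out of `samba -b` (the NTP_SIGND_SOCKET_DIR line mentioned above) and generate both the AppArmor override rules and the matching ntp.conf lines from it, plus a check that a profile really pulls in its local/ file. The function names and the embedded `samba -b` sample are this example's own; the sample is constructed to match a Debian/Ubuntu build.

```shell
#!/bin/sh
# Added example, not from the list post. Derives the ntpd/chronyd AppArmor
# override and the ntp.conf signing lines from the paths Samba was built
# with (samba -b). Function names and the sample text are assumptions of
# this example only. POSIX sh + sed/grep, runs offline.

# Constructed sample of `samba -b` output for a Debian/Ubuntu build.
# Real use: samba -b | samba_path NTP_SIGND_SOCKET_DIR
SAMPLE_SAMBA_B='Paths:
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   WINBINDD_PRIVILEGED_SOCKET_DIR: /var/lib/samba/winbindd_privileged
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd'

# Print the value of one "KEY: value" line read from stdin ($1 = KEY).
samba_path() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# AppArmor rules a time daemon needs to reach the signing socket.
# Samba's ntp_signd listens on "$dir/socket": the daemon needs rw on the
# socket and r on the directory. The shipped Ubuntu ntpd profile pointed
# at /run/samba/ntp_signd instead, which is why signing silently failed.
signd_apparmor_rules() {
    dir=${1%/}
    printf '%s\n' \
        "# Samba MS-SNTP signing socket (path taken from: samba -b)" \
        "$dir/ r," \
        "$dir/socket rw,"
}

# Matching ntp.conf lines: point ntpd at the socket *directory* (ntpd
# appends /socket itself) and allow signed MS-SNTP requests while
# keeping clients query-only.
signd_ntp_conf() {
    dir=${1%/}
    printf '%s\n' \
        "ntpsigndsocket $dir" \
        "restrict -4 default kod notrap nomodify nopeer noquery mssntp" \
        "restrict -6 default kod notrap nomodify nopeer noquery mssntp"
}

# True if profile $1 pulls in local/$2. In AppArmor the "#" of "#include"
# is part of the directive, not a comment, so both spellings count.
profile_includes_local() {
    grep -Eq "^[[:space:]]*#?include[[:space:]]+<local/$2>" "$1"
}

# Stand-alone run: show what would be written for this build.
dir=$(printf '%s\n' "$SAMPLE_SAMBA_B" | samba_path NTP_SIGND_SOCKET_DIR)
signd_apparmor_rules "$dir"
signd_ntp_conf "$dir"
```

On a real DC the first function's output goes into /etc/apparmor.d/local/usr.sbin.ntpd (or usr.sbin.chronyd), followed by `apparmor_parser -r` on the main profile; the second goes into /etc/ntp.conf. If signing still fails, `journalctl -k` (or dmesg) showing an `apparmor="DENIED"` line for the ntpd profile naming the ntp_signd socket is the tell, and the ntp user must also be able to reach the socket at the filesystem level (the chmod 750 / chown root:ntp on the directory from Mason's steps below).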
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Friday 26 April 2019 8:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows clients require reboot once a
> day in order to access mapped drives
>
> I'll fire up the ubuntu test vm..
> Report back later..
> I.. Need... More... Coffee.....First ;-)
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: Rowland Penny [mailto:rpenny at samba.org]
> > Sent: Thursday 25 April 2019 20:08
> > To: samba at lists.samba.org
> > CC: L.P.H. van Belle
> > Subject: Re: [Samba] Windows clients require reboot once a
> > day in order to access mapped drives
> >
> > On Thu, 25 Apr 2019 10:34:24 -0700
> > Mason Schmitt <mason at ftlcomputing.com> wrote:
> >
> > > >
> > > >
> > > > Forgot to mention, are you sure your time sync over AD is working
> > > > correctly? One to add to your list, check times of server and
> > > > clients (* yes again, if needed, just to be sure).
> > > >
> > >
> > > Yes, I have double checked that time is correctly being synced.
> > >
> > > FYI, Rowland, the process outlined in the wiki for using chronyd does
> > > not work on Ubuntu 18.04 (my AD DC is on Ubuntu, but my file server is
> > > CentOS). I can only successfully sync windows clients with ntpd
> > > running on the DC. Also, if using apparmor, the default apparmor
> > > rules don't work. Here's what I had to do to get windows clients to
> > > successfully sync with my Ubuntu DC.
> > >
> > > # Install ntp (if chrony is installed, this will disable and mask
> > > chrony in systemd)
> > > apt install ntp
> > >
> > > # First comment out the default NTP ACLs
> > > sed -i 's/^restrict -/#restrict -/g' /etc/ntp.conf
> > >
> > > # Then add some samba specific settings to /etc/ntp.conf
> > > cat << EOF >> /etc/ntp.conf
> > >
> > > # Use AD for authenticating Windows NTP clients
> > > ntpsigndsocket /var/lib/samba/ntp_signd
> > >
> > > # Access control
> > > # Default restriction: Allow clients to only query the time
> > > restrict -4 default kod notrap nomodify nopeer noquery mssntp
> > > restrict -6 default kod notrap nomodify nopeer noquery mssntp
> > >
> > > # We're running in a VM, so we need to protect ntpd from waking up
> > > # in a panic, in a situation where a VM has been shutdown for an
> > > # extended period of time
> > > tinker panic 0
> > > EOF
> > >
> > > # There is a bug in Ubuntu's apparmor config for ntp, so this fixes it
> > > sed -i '/ntp_signd/c\ /var/lib/samba/ntp_signd/socket rw,' /etc/apparmor.d/usr.sbin.ntpd
> > > apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd
> > >
> > > # Set the necessary permissions on the ntp signed socket
> > > chmod 750 /var/lib/samba/ntp_signd
> > > chown root:ntp /var/lib/samba/ntp_signd
> > > systemctl enable ntp.service
> > > systemctl restart ntp.service
> > >
> > >
> > > # Test to make sure NTP is working
> > > ntpq -p
> >
> > Louis, you use Ubuntu 18.04, can you confirm this? (note to Mason: I
> > do not disbelieve you, I just need confirmation before changing the
> > wiki, I do not use Ubuntu so cannot confirm the changes)
> >
> > Rowland
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>