[Samba] AD DC in a container: NTP

Viktor Trojanovic viktor at troja.ch
Tue Jan 8 13:32:45 UTC 2019

I’m currently trying to install a new (primary) AD DC in a Linux container. It seems to me that being in a container, the DC is easier to maintain and back up than on bare metal, and I prefer a container over a VM for performance reasons. If the container setup proves to be too much of a hassle, I’ll switch to a VM, though. 

The first issue I’m facing is time synchronization. A container cannot set its time independently of the main kernel, and for obvious reasons it cannot manipulate the kernel time. 

If I understand correctly, and do correct me if I’m wrong, it is not possible to run a Samba DC without running a time server. So it’s not possible to entirely disable ntpd in the container. 

Which would mean that on the DC, I need ntp to not act as a client but still to act as a time server for domain members. 

To achieve this, I changed /etc/ntp.conf to look as follows: 

# Local clock (the undisciplined local clock driver). Note that is not the "localhost" address!
server 127.127.1.0
#fudge 127.127.1.0 stratum 10
fudge 127.127.1.0 stratum 0

# Where to retrieve the time from
# server 0.pool.ntp.org     iburst prefer
# server 1.pool.ntp.org     iburst prefer
# server 2.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
# restrict 0.pool.ntp.org   mask 255.255.255.255   nomodify notrap nopeer noquery
# restrict 1.pool.ntp.org   mask 255.255.255.255   nomodify notrap nopeer noquery
# restrict 2.pool.ntp.org   mask 255.255.255.255   nomodify notrap nopeer noquery
tinker panic 0

However, ntpd is still trying to change/adjust the system time, leading to a couple of errors in the syslog: 

start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted

I’d assume I could just ignore those but before continuing, I’d appreciate some comments from the team. Do you see any major issues in my approach, and what would you do differently? 
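The two questions in the post (why ntp_adjtime() is refused inside the container, and whether the access controls in the ntp.conf above are still sound) can both be checked from the DC itself. The following script is an added example written for this page; it is not part of the original mail or of Samba. It assumes a Linux container where /proc/<pid>/status is readable, and it checks the effective capability mask for CAP_SYS_TIME (bit 25, which the kernel requires for ntp_adjtime() and which container runtimes normally drop) and audits the restrict, fudge and ntpsigndsocket directives of an ntp.conf. The sample status line and the sample config embedded below are constructed (the config mirrors the one in the post).

```python
"""Added diagnostic for an ntpd that is meant to only serve time in a container.

Check 1: does the process hold CAP_SYS_TIME?  Without it every ntp_adjtime()
         call fails with EPERM, which is exactly the syslog error quoted above.
Check 2: does ntp.conf keep the access controls a DC needs (clients may query
         but not modify, MS-SNTP signing enabled) and does the local clock
         fudge look sane?
"""
import re

CAP_SYS_TIME = 25  # bit number from linux/capability.h

# Constructed sample of a /proc/<pid>/status excerpt as seen in a default
# unprivileged container: CapEff 0x00000000a80425fb does NOT include bit 25.
SAMPLE_STATUS_CONTAINER = "Name:\tntpd\nCapEff:\t00000000a80425fb\n"

# Constructed ntp.conf mirroring the configuration quoted in the post.
SAMPLE_CONF = """
server 127.127.1.0
fudge 127.127.1.0 stratum 0
driftfile       /var/lib/ntp/ntp.drift
ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
tinker panic 0
"""


def has_cap_sys_time(status_text: str) -> bool:
    """Return True if the CapEff mask in a /proc/<pid>/status dump has CAP_SYS_TIME."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found in status text")
    return bool((int(m.group(1), 16) >> CAP_SYS_TIME) & 1)


def audit_ntp_conf(conf_text: str) -> dict:
    """Collect the security-relevant directives and return findings."""
    findings = {
        "default_restrict": None,      # flags on 'restrict default'
        "missing_default_flags": [],   # expected flags that are absent
        "signd_socket": None,          # ntpsigndsocket path, if any
        "local_clock_stratum": None,   # stratum from the fudge line
        "warnings": [],
    }
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] == "restrict" and len(tok) > 1 and tok[1] == "default":
            findings["default_restrict"] = tok[2:]
        elif tok[0] == "ntpsigndsocket" and len(tok) > 1:
            findings["signd_socket"] = tok[1]
        elif tok[0] == "fudge" and "stratum" in tok:
            findings["local_clock_stratum"] = int(tok[tok.index("stratum") + 1])

    # Clients must be able to query, so 'noquery' is deliberately not required
    # on the default line; everything else that prevents remote changes is.
    required = {"nomodify", "notrap", "nopeer", "mssntp"}
    if findings["default_restrict"] is None:
        findings["warnings"].append("no 'restrict default' line: every client gets full access")
    else:
        findings["missing_default_flags"] = sorted(required - set(findings["default_restrict"]))
        if findings["missing_default_flags"]:
            findings["warnings"].append(
                "restrict default lacks: " + " ".join(findings["missing_default_flags"]))
    if findings["signd_socket"] is None:
        findings["warnings"].append("ntpsigndsocket missing: domain members cannot get signed replies")
    if findings["local_clock_stratum"] == 0:
        findings["warnings"].append(
            "local clock fudged to stratum 0: ntpd will advertise stratum 1 "
            "while having no real time reference")
    return findings


if __name__ == "__main__":
    # Live check of the current process, then the constructed samples.
    try:
        with open("/proc/self/status") as fh:
            print("CAP_SYS_TIME in this process:", has_cap_sys_time(fh.read()))
    except OSError:
        print("no /proc/self/status here (not Linux?)")
    print("CAP_SYS_TIME in sample container:", has_cap_sys_time(SAMPLE_STATUS_CONTAINER))
    for warning in audit_ntp_conf(SAMPLE_CONF)["warnings"]:
        print("WARNING:", warning)
```

Run it inside the container as the user ntpd runs under; if CAP_SYS_TIME is reported False, the ntp_adjtime errors are expected and harmless as long as ntpd is only meant to serve time. The audit deliberately treats the stratum 0 fudge as a warning rather than a hard failure: it works, but the DC then presents itself to domain members as a stratum 1 source that is in fact disciplined by nothing.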


