[Samba] AD DC in a container: NTP
rpenny at samba.org
Tue Jan 8 13:46:45 UTC 2019
On Tue, 8 Jan 2019 14:32:45 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I’m currently trying to install a new (primary) AD DC in a Linux
> container. It seems to me that being in a container, the DC is easier
> to maintain and backup than on bare metal, and I prefer a container
> over a VM for performance reasons. If the container setup will prove
> to be too much of hassle, I’ll switch to a VM, though.
> The first issue I’m facing is time synchronization. A container
> cannot set its time independent of the main kernel, and for obvious
> reasons it cannot manipulate the kernel time.
> If I understand correctly, and do correct me if I’m wrong, it is not
> possible to run a Samba DC without running a time server. So it’s not
> possible to entirely disable ntpd in the container.
> Which would mean that on the DC, I need ntp to not act as a client
> but still to act as a time server for domain members.
> To achieve this, I changed /etc/ntp.conf to look as follows:
> # Local clock. Note that is not the "localhost" address!
> server 127.127.1.0
> #fudge 127.127.1.0 stratum 10
> fudge 127.127.1.0 stratum 0
> # Where to retrieve the time from
> # server 0.pool.ntp.org iburst prefer
> # server 1.pool.ntp.org iburst prefer
> # server 2.pool.ntp.org iburst prefer
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
> # No restrictions for "localhost"
> restrict 127.0.0.1
> # Enable the time sources to only provide time to this host
> # restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> # restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> # restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> tinker panic 0
> However, ntpd is still trying to change/adjust the system time,
> leading to a couple of errors in the syslog:
> start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
> set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
> I’d assume I could just ignore those but before continuing, I’d
> appreciate some comments from the team. Do you see any major issues
> in my approach, and what would you do differently?
Have you read this:
A DC needs to use another time source.
More information about the samba
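Added example, not part of the thread: a small Python check for the ntp.conf pattern discussed above. It flags a DC whose only time source is the local clock driver, a local-clock fudge set to a low stratum, and a missing ntpsigndsocket or mssntp directive. The sample configurations are constructed and the fallback stratum of 10 is an assumption.

```python
import re
from typing import List

# Constructed sample, modelled on the ntp.conf quoted above: local clock only, fudged to stratum 0.
DC_LOCAL_ONLY = """\
server 127.127.1.0
fudge 127.127.1.0 stratum 0
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
tinker panic 0
"""

# Same file with an upstream source restored and the local clock demoted to a fallback.
DC_WITH_UPSTREAM = DC_LOCAL_ONLY.replace("stratum 0", "stratum 10") + "server 0.pool.ntp.org iburst\n"

LOCAL_CLOCK = re.compile(r"^127\.127\.\d+\.\d+$")  # reference-clock pseudo-addresses, 127.127.t.u
FALLBACK_STRATUM = 10  # conventional fudge value for a free-running local clock (assumption)

def parse_ntp_conf(text: str) -> List[List[str]]:
    """Split ntp.conf into token lists, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def audit_dc_ntp_conf(text: str) -> List[str]:
    """Return finding codes for a Samba DC ntp.conf; an empty list means nothing was flagged."""
    rows = parse_ntp_conf(text)
    findings = []
    sources = [r[1] for r in rows if r[0] in ("server", "peer", "pool") and len(r) > 1]
    if not [s for s in sources if not LOCAL_CLOCK.match(s)]:
        # Only the local clock: the DC free-runs and every domain member follows its drift.
        findings.append("no-external-source")
    for r in rows:
        if r[0] == "fudge" and len(r) > 1 and LOCAL_CLOCK.match(r[1]) and "stratum" in r:
            idx = r.index("stratum") + 1
            if idx < len(r) and r[idx].isdigit() and int(r[idx]) < FALLBACK_STRATUM:
                # A low stratum makes clients treat an unsynchronised clock as authoritative.
                findings.append("local-clock-low-stratum")
    if not any(r[0] == "ntpsigndsocket" for r in rows):
        findings.append("missing-ntpsigndsocket")  # Windows members expect signed replies from a DC
    if not any(r[0] == "restrict" and "mssntp" in r for r in rows):
        findings.append("missing-mssntp")  # signing is only applied to clients matched by mssntp
    return findings
```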