[Samba] AD DC in a container: NTP

Rowland Penny rpenny at samba.org
Tue Jan 8 13:46:45 UTC 2019

On Tue, 8 Jan 2019 14:32:45 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> I’m currently trying to install a new (primary) AD DC in a Linux
> container. It seems to me that being in a container, the DC is easier
> to maintain and backup than on bare metal, and I prefer a container
> over a VM for performance reasons. If the container setup will prove
> to be too much of hassle, I’ll switch to a VM, though. 
> The first issue I’m facing is time synchronization. A container
> cannot set its time independent of the main kernel, and for obvious
> reasons it cannot manipulate the kernel time. 
> If I understand correctly, and do correct me if I’m wrong, it is not
> possible to run a Samba DC without running a time server. So it’s not
> possible to entirely disable ntpd in the container. 
> Which would mean that on the DC, I need ntp to not act as a client
> but still to act as a time server for domain members. 
> To achieve this, I changed /etc/ntp.conf to look as follows: 
> # Local clock. Note that is not the "localhost" address!
> server
> #fudge stratum 10
> fudge stratum 0
> # Where to retrieve the time from
> # server 0.pool.ntp.org     iburst prefer
> # server 1.pool.ntp.org     iburst prefer
> # server 2.pool.ntp.org     iburst prefer
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntp
> ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
> # No restrictions for "localhost"
> restrict
> # Enable the time sources to only provide time to this host
> # restrict 0.pool.ntp.org   mask    nomodify notrap nopeer noquery
> # restrict 1.pool.ntp.org   mask    nomodify notrap nopeer noquery
> # restrict 2.pool.ntp.org   mask    nomodify notrap nopeer noquery
> tinker panic 0
> However, ntpd is still trying to change/adjust the system time,
> leading to a couple of errors in the syslog: 
> start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation not permitted
> set_freq: ntp_loopfilter.c line 1082: ntp_adjtime: Operation not permitted
> I’d assume I could just ignore those but before continuing, I’d
> appreciate some comments from the team. Do you see any major issues
> in my approach, and what would you do differently? 
> Thanks, 
> Viktor

Have you read this:


A DC needs to use another time source.
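The two problems visible in the quoted ntp.conf, no upstream time source at all and the local clock driver fudged to stratum 0, are easy to miss by eye and easy to check mechanically. The script below is an added example written for this thread, not code from the original mail or from the Samba project. It parses an ntp.conf of the shape quoted above and reports the conditions a DC operator would want flagged: no `server`/`peer`/`pool` line other than the local clock driver, a local clock fudged below the conventional stratum 10 (stratum 0 on the driver makes ntpd advertise itself as a stratum 1 server, so clients cannot tell it from a real reference), a missing `ntpsigndsocket`, and a `restrict default` without `mssntp`. The sample configurations are constructed here; the `127.127.1.0` and `127.0.0.1` addresses are the standard ntpd local-clock driver and loopback, not values recovered from the mail, which has them elided.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample mirroring the thread's container ntp.conf:
# local clock only, fudged to stratum 0, pool servers commented out.
SAMPLE_CONF = """\
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 0
# server 0.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
tinker panic 0
"""

# Constructed sample of the same file with an upstream source restored and
# the local clock demoted to the conventional fallback stratum.
FIXED_CONF = """\
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
"""

# ntpd addresses reference-clock drivers as 127.127.t.u; the local clock is 127.127.1.u.
LOCAL_CLOCK = re.compile(r"^127\.127\.\d+\.\d+$")
CONVENTIONAL_LOCAL_STRATUM = 10  # assumption: the value the Samba/ntpd docs recommend


@dataclass
class NtpAudit:
    upstream_servers: List[str] = field(default_factory=list)
    local_clock_stratum: Optional[int] = None
    signd_socket: Optional[str] = None
    mssntp_default: bool = False
    findings: List[str] = field(default_factory=list)


def audit_ntp_conf(text: str) -> NtpAudit:
    """Parse an ntp.conf and collect DC-relevant findings."""
    a = NtpAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kw, *args = line.split()
        if kw in ("server", "peer", "pool") and args:
            if not LOCAL_CLOCK.match(args[0]):  # a real network source
                a.upstream_servers.append(args[0])
        elif kw == "fudge" and args and LOCAL_CLOCK.match(args[0]):
            if "stratum" in args:
                a.local_clock_stratum = int(args[args.index("stratum") + 1])
        elif kw == "ntpsigndsocket" and args:
            a.signd_socket = args[0]
        elif kw == "restrict" and args and args[0] == "default":
            a.mssntp_default = "mssntp" in args

    if not a.upstream_servers:
        a.findings.append(
            "no upstream time source: the DC would hand out its own "
            "unsynchronised clock to every domain member")
    if (a.local_clock_stratum is not None
            and a.local_clock_stratum < CONVENTIONAL_LOCAL_STRATUM):
        a.findings.append(
            f"local clock fudged to stratum {a.local_clock_stratum}: it will "
            f"outrank real sources instead of being the fallback of last resort")
    if a.signd_socket is None:
        a.findings.append("ntpsigndsocket not set: Windows clients cannot get "
                          "signed (MS-SNTP) replies")
    if not a.mssntp_default:
        a.findings.append("restrict default lacks mssntp: signed replies are "
                          "not enabled for domain members")
    return a


if __name__ == "__main__":
    for name, conf in (("container", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: upstream={result.upstream_servers} "
              f"local_stratum={result.local_clock_stratum}")
        for f in result.findings:
            print("  -", f)
```

Run it against the two constructed configs and the container version produces two findings (no upstream, stratum 0) while the fixed version produces none; point it at a real `/etc/ntp.conf` by reading the file into `audit_ntp_conf`. The script only reads the configuration, so it does not need the CAP_SYS_TIME that ntpd itself lacks inside the container.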

