[Samba] AD DC in a container: NTP

Viktor Trojanovic viktor at troja.ch
Tue Jan 8 13:49:00 UTC 2019

From: Rowland Penny via samba
Sent: Dienstag, 8. Januar 2019 14:47
To: samba at lists.samba.org
Subject: Re: [Samba] AD DC in a container: NTP

On Tue, 8 Jan 2019 14:32:45 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> I’m currently trying to install a new (primary) AD DC in a Linux
> container. It seems to me that being in a container, the DC is easier
> to maintain and backup than on bare metal, and I prefer a container
> over a VM for performance reasons. If the container setup will prove
> to be too much of hassle, I’ll switch to a VM, though. 
> The first issue I’m facing is time synchronization. An container
> cannot set its time independent of the main kernel, and for obvious
> reasons it cannot manipulate the kernel time. 
> If I understand correctly, and do correct me if I’m wrong, it is not
> possible to run a Samba DC without running a time server. So it’s not
> possible to entirely disable ntpd in the container. 
> Which would mean that on the DC, I need ntp to not act as a client
> but still to act as a time server for domain members. 
> To achieve this, I changed /etc/ntp.conf to look as follows: 
> # Local clock. Note that is not the "localhost" address!
> server
> #fudge stratum 10
> fudge stratum 0
> # Where to retrieve the time from
> # server 0.pool.ntp.org     iburst prefer
> # server 1.pool.ntp.org     iburst prefer
> # server 2.pool.ntp.org     iburst prefer
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntp
> ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd/
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer mssntp
> # No restrictions for "localhost"
> restrict
> # Enable the time sources to only provide time to this host
> # restrict 0.pool.ntp.org   mask    nomodify notrap
> nopeer noquery # restrict 1.pool.ntp.org   mask
> nomodify notrap nopeer noquery # restrict 2.pool.ntp.org   mask
>    nomodify notrap nopeer noquery tinker panic 0
> However, ntpd is still trying to change/adjust the system time,
> leading to a couple of errors in the syslog: 
> start_kern_loop: ntp_loopfilter.c line 1119: ntp_adjtime: Operation
> not permitted set_freq: ntp_loopfilter.c line 1082: ntp_adjtime:
> Operation not permitted
> I’d assume I could just ignore those but before continuing, I’d
> appreciate some comments from the team. Do you see any major issues
> in my approach, and what would you do differently? 
> Thanks, 
> Viktor

Have you read this:


A DC needs to use another time source.


Hi Rowland, 

Yes, I read this, of course. The DC would in fact use another time source (the host that sets RTC will retrieve from NTP servers) but it would simply not query NTP by itself in order to do so. 

More information about the samba mailing list