[Samba] AD DC in a container: NTP

Viktor Trojanovic viktor at troja.ch
Wed Jan 9 11:30:09 UTC 2019

On Wed, 9 Jan 2019 at 10:51, Rowland Penny via samba <samba at lists.samba.org>

> On Wed, 9 Jan 2019 10:24:40 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > What Marco and Robert already said.
> >
> > This is what I mean (and Robert). Marco's option to disable through the
> > kernel is also an option.
> > Maybe a bit cryptic, but like this:
> >
> > HOST - CONTAINER - SambaDC - samba-AD distributing time to PCs.
> > HOST_its_NTP_Service => gets Internet time
> >
> > OTHERHOSTS NTP Client - CONTAINER - SambaMember - point ntp to
> > HOST_its_NTP_Service
> > OTHERHOST - random Linux server - point ntp client to
> > HOST_its_NTP_Service
> >
> > Only thing here I don't know... Rowland, can you tell this?
> >
> > Does samba "need" the ntp_signd socket to provide the time over AD?
> Yes and then again, no
> Yes, if you are going to use the DC as a time source.
> No, if you don't use the DC as a time source.
> All that is required is that all domain computers are within 5 minutes
> of each other, how you do this is up to you. Best practice is for the
> DC with the PDC emulator role to get the time from an external time
> server and all other domain computers to then, ultimately, use the PDC
> emulator DC as their time server.
> If you can ensure that all domain computers are within 5 minutes of
> each other, then you shouldn't have problems.
> Rowland
I guess that confirms it: Using the AD DC as a time source does indeed
require NTP. For the sake of argument, is it possible to use a machine that
is not a DC, and potentially not even part of the AD, to serve time to
other domain members? And how would you go about automatically pointing
domain hosts to said machine? Group policy for clients, scripts for
servers, or is there a simpler way?

It seems to me the cleanest way, and closest to best practice, is to keep
the DC(s) serving time. The obvious exception would be in situations where
all domain hosts are containerized, then ntp is not needed in any of the
containers. But I'm more than open to other opinions.
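The setup Rowland describes (the PDC-emulator DC takes time from an external source, every other domain host takes it from the DC, and the DC needs Samba's ntp_signd socket to sign replies for Windows clients) is shown below as an added example; it is not code from the thread or from the Samba project. It generates an ntpd configuration for the DC with the `ntpsigndsocket` directive and the `mssntp` restrict flag, a plain ntpd configuration for a Linux member, and a check of a measured offset against the 300-second window that Kerberos tolerates by default. The socket directory `/var/lib/samba/ntp_signd`, the hostname `dc1.samdom.example.com` and the upstream `pool.ntp.org` are assumptions; adjust them to your installation. Windows members normally need no pointing at all, since a domain-joined client syncs from the domain hierarchy by default (`w32tm /config /syncfromflags:domhier /update` restores that if it was changed).

```shell
#!/bin/sh
# Added example (not from the samba thread or the Samba project):
# ntpd configs for a Samba AD DC serving signed (MS-SNTP) time and for a
# Linux member, plus a skew check against the Kerberos 5-minute window.
# All paths and hostnames below are assumptions for illustration.

SIGND_DIR="${SIGND_DIR:-/var/lib/samba/ntp_signd}"   # smb.conf 'ntp signd socket directory'
DC_HOST="${DC_HOST:-dc1.samdom.example.com}"         # assumed PDC-emulator DC
UPSTREAM="${UPSTREAM:-pool.ntp.org}"                 # assumed external source

# ntp.conf for the DC: upstream time in, MS-SNTP-signed replies out.
# The ntp_signd directory must be readable by the user ntpd runs as
# (typically: chgrp ntp "$SIGND_DIR"; chmod 750 "$SIGND_DIR").
gen_dc_ntp_conf() {
    cat <<EOF
# Upstream source for the DC holding the PDC emulator role
server ${UPSTREAM} iburst
# Samba's signing helper socket; required for Windows members to accept time
ntpsigndsocket ${SIGND_DIR}/
# Serve time and honour MS-SNTP signing requests, but allow no control/modify
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict ::1
driftfile /var/lib/ntp/ntp.drift
EOF
}

# ntp.conf for a Linux domain member (or a Samba member container's host):
# just follow the DC, and do not serve time to anyone.
gen_member_ntp_conf() {
    cat <<EOF
server ${DC_HOST} iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
driftfile /var/lib/ntp/ntp.drift
EOF
}

# Kerberos rejects tickets when clocks differ by more than 300 s (default
# clockskew). Takes an offset in seconds as reported by e.g. 'ntpdate -q'
# or 'ntpq -c rv' (may be negative or fractional) and an optional limit;
# returns 0 when the offset is within the window, 1 otherwise.
within_kerberos_skew() {
    offset="$1"
    max="${2:-300}"
    awk -v o="$offset" -v m="$max" 'BEGIN { a = (o < 0) ? -o : o; exit (a <= m) ? 0 : 1 }'
}

# Usage: ./ntp-example.sh demo   (prints both configs and runs a sample check)
if [ "${1:-}" = "demo" ]; then
    echo "### DC ntp.conf";     gen_dc_ntp_conf
    echo "### member ntp.conf"; gen_member_ntp_conf
    if within_kerberos_skew 12.5; then
        echo "offset 12.5 s: within Kerberos skew window"
    else
        echo "offset 12.5 s: OUTSIDE Kerberos skew window"
    fi
fi
```

The member config deliberately omits `mssntp` and `ntpsigndsocket`: only a DC has the signd socket, and a member that served unsigned time to Windows clients would simply be ignored by them. If you instead run no ntpd in the DC container and let the host keep the clock, the `ntp_signd` socket is never read and Windows clients cannot use the DC as a signed source; in that case every host still has to stay inside the window that `within_kerberos_skew` checks.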

