[Samba] Getting the time to work with a DC inside an LXC container

L.P.H. van Belle belle at bazuin.nl
Wed Mar 24 12:52:08 UTC 2021


See comment lower.. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sonic via samba
> Sent: Wednesday 24 March 2021 13:43
> To: Oleg Blyahher
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Getting the time to work with a DC inside an LXC container
> 
> The following, using chrony on Debian, works for me allowing the AD
> clients to sync with the Samba server:
> 
> Changes to chrony.conf -
> remove any server directives
> add:
> local stratum 8
> ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd (use your specific
> location)
> allow a.b.c.d/mm
> allow w.x.y.z/nn (use your allowed subnets)
> 
> My chrony.conf is:
> ===============================
> local stratum 8
> manual
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> maxupdateskew 100.0
> allow a.b.c.d/mm
> allow w.x.y.z/nn
> ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd
> ===============================
> 
> Changes to chrony.service -
> remove or comment out "ConditionCapability=CAP_SYS_TIME"
> 
> My chrony.service is:
> ===============================
> [Unit]
> Description=chrony, an NTP client/server
> Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
> Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service
> After=network.target
> #ConditionCapability=CAP_SYS_TIME
> 
> [Service]
> Type=forking
> PIDFile=/run/chronyd.pid
> EnvironmentFile=-/etc/default/chrony
> ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
> ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon
> PrivateTmp=yes
> ProtectHome=yes
> ProtectSystem=full
> 
> [Install]
> Alias=chronyd.service
> WantedBy=multi-user.target
> ===============================


Here I recommend NOT changing the system default service files.

The "correct" way to make this edit should be:  systemctl edit chrony.service
This creates an override file in /etc/systemd/chrony.service.d/overrided.conf
(I don't know offhand if that is 100% correct, but it's in /etc/systemd.)

Now add:
[Unit]
ConditionCapability=

Save and done.
Way better for keeping track of whether things change, and this helps with upgrades.

* systemctl edit --full chrony.service  copies this file to /etc/systemd fully and you can edit that.
That is the other option.

> 
> Changes to /etc/default/chrony -
> add -x to DAEMON_OPTS
> 
> My /etc/default/chrony is:
> ===============================
> DAEMON_OPTS="-F -1 -x"
> ===============================
> 
> Before I discovered the above as a working solution I used a GPO to
> set the time service for the clients.
> One example site: https://theitbros.com/configure-ntp-time-sync-group-policy/
> 
> Chris
> 

And thanks for sharing this.
It will help others.

Greetz, 

Louis
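
Added example, not part of the original thread and not Samba or chrony project code: a small audit of the setup discussed above. It uses a simplified model of how systemd merges a unit with its drop-ins (an empty Condition*= assignment resets the condition list), then checks DAEMON_OPTS and chrony.conf. The function names, the "pool" check, the open-"allow" check and the sample subnet 192.0.2.0/24 are assumptions of this example.

```python
def effective_conditions(*unit_texts):
    """Simplified model: main unit first, then drop-ins in file-name order."""
    conditions = []
    for text in unit_texts:
        for line in text.splitlines():
            key, sep, value = line.strip().partition("=")
            if not sep or not key.startswith("Condition"):
                continue
            if value.strip() == "":
                conditions = []  # empty assignment resets all Condition*= so far
            else:
                conditions.append((key.strip(), value.strip()))
    return conditions

def audit(unit_texts, default_file, chrony_conf):
    """Return findings for the container setup described in the thread."""
    findings = []
    if ("ConditionCapability", "CAP_SYS_TIME") in effective_conditions(*unit_texts):
        findings.append("unit still requires CAP_SYS_TIME")
    opts = []
    for line in default_file.splitlines():
        if line.strip().startswith("DAEMON_OPTS="):
            opts = line.split("=", 1)[1].strip().strip("\"'").split()
    if "-x" not in opts:
        findings.append("DAEMON_OPTS lacks -x (chronyd would try to set the clock)")
    conf = [ln.split() for ln in chrony_conf.splitlines()
            if ln.strip() and ln.lstrip()[0] not in "#%!;"]  # skip comment lines
    names = [d[0] for d in conf]
    if {"server", "pool"} & set(names):  # "pool" is this example's addition
        findings.append("upstream server/pool directive present")
    if "ntpsigndsocket" not in names:
        findings.append("ntpsigndsocket missing")
    subnets = [" ".join(a for a in d[1:] if a != "all") for d in conf if d[0] == "allow"]
    if not subnets:
        findings.append("no allow directive (no clients served)")
    if any(s in ("", "0/0", "0.0.0.0/0", "::/0") for s in subnets):
        findings.append("allow is open to every address")
    return findings

# Constructed sample input modelled on the files quoted in the thread.
STOCK_UNIT = "[Unit]\nAfter=network.target\nConditionCapability=CAP_SYS_TIME\n"
DROP_IN = "[Unit]\nConditionCapability=\n"
DEFAULTS = 'DAEMON_OPTS="-F -1 -x"\n'
CHRONY_CONF = ("local stratum 8\nmanual\nallow 192.0.2.0/24\n"
               "ntpsigndsocket /usr/local/samba/var/lib/ntp_signd\n")

if __name__ == "__main__":
    print(audit([STOCK_UNIT, DROP_IN], DEFAULTS, CHRONY_CONF))
    print(audit([STOCK_UNIT], 'DAEMON_OPTS="-F -1"\n', "pool ntp.example.org iburst\nallow\n"))
```

On a real host, "systemctl cat chrony.service" prints the unit together with its drop-ins, which gives the texts to feed in.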





