[Samba] running ntpd with samba DC: containers?

Michael Tokarev mjt at tls.msk.ru
Mon Oct 31 09:11:38 UTC 2022


As it often happens these days, more and more often a DS (primary or not)
is run in a linux container of one sort or another, because samba DC needs
its own unique configuration which is not compatible with file services.

But now there's a question: what to do with NTP and w32time in this case?

The problem is that running ntpd within a container is usually a bad idea,
and actually it doesn't even work, since only the host system does the
timekeeping, containers aren't even allowed to touch system time, and it
would be a conflict anyway.  Running a DC inside a virtual machine (e.g.
qemu) where it's possible to run ntpd, will be even worse, since accurate
time and a virtual machine are not well compatible.

  windowsclient $> w32tm /monitor
  PDC.domain *** PDC *** []:
      ICMP: 0ms delay
      NTP: error WSAECONNRESET - no server listening NTP-port

It looks like the clock on the client machines is not synchronized, even
if w32tm /resync says "Command is completed successfully" - on at least
one of our machines it is ~4sec different than on the PDC.

Moreover, when a Windows client is joined to a domain, it can't use regular
NTP (with a given NTP server) anymore; the NTP configuration is grayed
out with a message "some parameters are disabled by your organization"
or something like that.

What's the right way to synchronize time for Windows clients in this case?


