[Samba] running ntpd with samba DC: containers?
samba at jonesmz.com
Mon Oct 31 21:34:58 UTC 2022
I use samba in a container with network time synced from the host machine.
This has been working fine with my windows hosts, as far as I can tell.

Note: I'm not claiming the following will work for you. I'm just
copy-pasting my own config files. Use at your own risk, so on and so forth.

host: uses systemd-timesyncd without configuration changes.
container tech: systemd-nspawn
config file for systemd-nspawn:

mimir /etc/systemd/nspawn # cat dc1.nspawn
[Exec]
MachineID=Some UUID goes here
mimir /var/lib/machines/dc1-state/etc # cat ntp.conf
# Local (undisciplined) clock driver. This bizarre rule makes ntp fall
# back to reading from the bios clock if no network connection is available.
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Access control
# Default restriction: Allow clients only to query the time.
# "mssntp" makes ntpd sign replies for domain-joined Windows clients
# (it asks samba's ntp_signd for the signature).
restrict default nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1
restrict ::1
mimir /var/lib/machines/dc1-state/etc # cat samba/smb.conf
[global]
    server role = active directory domain controller
    allow dns updates = nonsecure
    dns forwarder = 10.0.0.1
    idmap_ldb:use rfc2307 = yes
    workgroup = DOMAIN-GOES-HERE
    realm = DOMAIN-GOES-HERE
    # Hack hack hack
    # This allows freeradius winbind auth to work
    ntlm auth = mschapv2-and-ntlmv2-only
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

[netlogon]
    path = /var/lib/samba/sysvol/DOMAIN-GOES-HERE/scripts
    read only = no
On Mon, Oct 31, 2022 at 4:12 AM Michael Tokarev via samba <samba at lists.samba.org> wrote:
> As it often happens these days, more and more often a DS (primary or not)
> is run in a linux container of one sort or another, because samba DC needs
> its own unique configuration which is not compatible with file services.
> But now there's a question: what to do with NTP and w32time in this case?
>
> The problem is that running ntpd within a container is usually a bad idea,
> and actually it doesn't even work, since only the host system does the
> timekeeping, containers aren't even allowed to touch system time, and it
> would be a conflict anyway. Running a DC inside a virtual machine (e.g.
> qemu) where it's possible to run ntpd, will be even worse, since accurate
> time and a virtual machine is not well-compatible.
>
> windowsclient $> w32tm /monitor
> PDC.domain *** PDC *** [192.168.177.6:123]:
> ICMP: 0ms delay
> NTP: error WSAECONNRESET - no server listening NTP-port
>
> It looks like the clock on the client machines is not synchronized, even
> if w32tm /resync says "Command is completed successfully" - on at least
> one of our machines it is ~4sec different than on the PDC.
>
> More, when windows client is joined to a domain, it can't use regular
> NTP (with given ntp server) anymore, the NTP configuration is grayed
> out with a message "some parameters are disabled by your organization"
> or something like that.
>
> What's the right way to synchronize time for windows clients in this case?
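An added probe, not from the original post or from samba, for checking from outside the container whether the DC actually answers on the NTP port and with what stratum (the "no server listening NTP-port" symptom quoted above, and whether the local-clock fallback from the ntp.conf is what is being served). The bytes in SAMPLE_REPLY are constructed for illustration, not captured from a real DC; query() is the live check.

```python
import socket
import struct
import time
NTP_EPOCH = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch

def build_request():
    # 48-byte NTPv4 client packet: LI=0, VN=4, mode=3, everything else zero
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 3
    return bytes(pkt)

def parse_reply(data):
    # Decode only the header fields a health check cares about
    if len(data) < 48:
        raise ValueError("short NTP reply: %d bytes" % len(data))
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    return {
        "leap": li_vn_mode >> 6,                  # 3 = clock not synchronised
        "mode": li_vn_mode & 7,                   # 4 = server reply
        "stratum": stratum,                       # 0 = kiss-o'-death, 16 = unsynchronised
        "ref_id": data[12:16],                    # b"LOCL" = local-clock fallback in use
        "t2": rx_s - NTP_EPOCH + rx_f / 2 ** 32,  # server receive time (Unix seconds)
        "t3": tx_s - NTP_EPOCH + tx_f / 2 ** 32,  # server transmit time (Unix seconds)
    }

def clock_offset(t1, t2, t3, t4):
    # RFC 5905 offset of the server clock relative to ours
    return ((t2 - t1) + (t3 - t4)) / 2

def is_usable(reply):
    # A client only accepts a synchronised server reply with a sane stratum
    return reply["mode"] == 4 and 1 <= reply["stratum"] <= 15 and reply["leap"] != 3

def query(host, port=123, timeout=2.0):
    # Live probe (needs network); socket.timeout means nothing answered on the NTP port
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(), (host, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_reply(data)
    reply["offset"] = clock_offset(t1, reply["t2"], reply["t3"], t4)
    return reply

# Constructed sample reply (not from a real DC): stratum 10 with ref id LOCL, which is
# what an ntpd on its local-clock fallback (the fudge rule above) answers.
SAMPLE_REPLY = (bytes([0x24, 10, 6, 0xEC]) + b"\x00" * 8 + b"LOCL" + b"\x00" * 16
                + struct.pack("!IIII", 3877000000, 0, 3877000000, 2 ** 31))
```

A reply with ref id LOCL and stratum 10 tells you the container's ntpd is reachable but is serving the host clock through the fallback driver rather than a synchronised upstream, which is exactly the case to watch when the host is the only thing keeping time.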