[Samba] Samba domain time sync woes (Debian Bookworm)
Rowland Penny
rpenny at samba.org
Wed Aug 9 09:29:21 UTC 2023
On 09/08/2023 10:13, Michael Tokarev via samba wrote:
> 09.08.2023 12:05, Rowland Penny via samba wrote:
>
>> ... All DCs get their time from the DC that holds the PDC_Emulator
>> FSMO role...
>
> What do you mean by that? Are you saying that if I run a samba AD-DC,
> samba will mess with system time? There are so many questions here...
>
> We already run ntp on all linux machines, including the ones where samba
> ad-dc is running.
>
> Does samba mess with system time?
> Can't other (not holding PDC_Emulator role) DCs just use the system time?
> What if the PDC_Emulator DC is not available or is on a remote site?
>
> This sounds.. wrong.
>
> /mjt
>
Samba itself doesn't care about time, it is AD and more importantly
kerberos that does. The time doesn't really need to be accurate, just as
long as all AD members use the same time.
The way it works is basically every domain member must run a 'time'
client that can ask a DC for the time, then all DCs get their time from
the DC with PDC_Emulator FSMO role, which gets its time from an external
source. This wasn't designed by Samba, it is how Microsoft designed it.
So, if the DC with the PDC_Emulator role goes offline, you need to
either get it back on line quickly, or move the PDC_Emulator role to
another DC. As for remote sites, this is yet another reason to have at
least one DC at every site.
Rowland
More information about the samba
mailing list