[Samba] Samba domain time sync woes (Debian Bookworm)

Peter Milesson miles at atmos.eu
Wed Aug 9 09:48:17 UTC 2023



On 09.08.2023 11:29, Rowland Penny via samba wrote:
>
>
> On 09/08/2023 10:13, Michael Tokarev via samba wrote:
>> 09.08.2023 12:05, Rowland Penny via samba wrote:
>>
>>> ... All DCs get their time from the DC that holds the PDC_Emulator 
>>> FSMO role...
>>
>> What do you mean by that?  Are you saying that if I run a samba AD-DC,
>> samba will mess with system time?  There are so many questions here...
>>
>> We already run ntp on all linux machines, including the ones where samba
>> ad-dc is running.
>>
>> Does samba mess with system time?
>> Can't other (not holding PDC_Emulator role) DCs just use the system 
>> time?
>> What if the PDC_Emulator DC is not available or is on a remote site?
>>
>> This sounds.. wrong.
>>
>> /mjt
>>
>
> Samba itself doesn't care about time, it is AD and more importantly 
> kerberos that does. The time doesn't really need to be accurate, just 
> as long as all AD members use the same time.
>
> The way it works is basically every domain member must run a 'time' 
> client that can ask a DC for the time, then all DCs get their time 
> from the DC with PDC_Emulator FSMO role, which gets its time from an 
> external source. This wasn't designed by Samba, it is how Microsoft 
> designed it.
>
> So, if the DC with the PDC_Emulator role goes offline, you need to 
> either get it back online quickly, or move the PDC_Emulator role to 
> another DC. As for remote sites, this is yet another reason to have at 
> least one DC at every site.
>
> Rowland
>
>
Hi,

I just looked up information about this, and it unfortunately looks that 
way. In the article it was even recommended to disable all time 
synchronization on DCs, except for synchronization with the DC holding 
the PDC emulator role. IMHO, the whole concept seems quite shaky and 
vulnerable.

Here's a link to the article:

https://www.ravenswoodtechnology.com/in-sync-proper-time-configuration-in-ad/

Best regards,

Peter
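The hierarchy Rowland describes above (the PDC emulator follows an external source, every other DC follows the PDC emulator, and the role holder must be re-determined after a transfer or seizure) can be turned into a small check. The following script is an added example written for this page; it is not from the thread or from the Samba project. It parses the `PdcEmulationMasterRole` line of `samba-tool fsmo show`, decides which of the two roles this host plays, and prints the chrony `server`/`allow`/`ntpsigndsocket` lines for it. The sample FSMO output, the domain `samdom.example.com`, the hosts `dc1`/`dc2`, the subnet and the upstream pool names are constructed; the signing socket path is assumed to be the Debian location of Samba's `ntp_signd` directory.

```shell
#!/bin/sh
# Added example, not from the thread or from the Samba project.
# Decide from `samba-tool fsmo show` whether this host holds the
# PDC emulator role and emit the matching chrony time-source lines:
# the PDC emulator follows external servers, all other DCs follow
# the PDC emulator. Re-run after any role transfer or seizure.

# Constructed sample of `samba-tool fsmo show` output (only the
# PdcEmulationMasterRole line is parsed; the others are for realism).
SAMPLE_FSMO='InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Samba NTP signing socket; assumed to be the Debian location.
NTP_SIGND_SOCKET=/var/lib/samba/ntp_signd

# pdc_emulator_host FSMO_OUTPUT  -> short name of the DC holding the role
pdc_emulator_host() {
    printf '%s\n' "$1" |
        sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p'
}

# time_source_role MYHOST FSMO_OUTPUT  -> "pdc" or "dc"; fails if the
# role line is missing, so a caller never silently picks a source.
time_source_role() {
    holder=$(pdc_emulator_host "$2")
    [ -n "$holder" ] || return 1
    me=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    holder=$(printf '%s' "$holder" | tr 'A-Z' 'a-z')
    if [ "$holder" = "$me" ]; then echo pdc; else echo dc; fi
}

# chrony_dc_config ROLE PDC_FQDN CLIENT_SUBNET UPSTREAM...  -> chrony.conf body
chrony_dc_config() {
    role=$1; pdc=$2; subnet=$3; shift 3
    case $role in
        pdc)
            echo "# PDC emulator: the only DC that follows external time"
            for s in "$@"; do echo "server $s iburst"; done ;;
        dc)
            echo "# Non-PDC DC: follow the PDC emulator, no external sources"
            echo "server $pdc iburst" ;;
        *)
            echo "# unknown role, refusing to guess a time source" >&2
            return 1 ;;
    esac
    # Every DC serves signed time to domain members (Windows clients
    # expect MS-SNTP signed replies, hence the signing socket).
    echo "allow $subnet"
    echo "ntpsigndsocket $NTP_SIGND_SOCKET"
}

# Stand-alone usage: use the real tool when present, otherwise the sample.
main() {
    fsmo=$(samba-tool fsmo show 2>/dev/null || printf '%s' "$SAMPLE_FSMO")
    me=$(hostname -s 2>/dev/null || echo localhost)
    role=$(time_source_role "$me" "$fsmo") || role=unknown
    chrony_dc_config "$role" dc1.samdom.example.com 10.0.0.0/8 \
        0.debian.pool.ntp.org 1.debian.pool.ntp.org
}

main
```

The output is meant to replace the `server`/`allow`/`ntpsigndsocket` lines in the DC's chrony.conf; the rest of the file (drift file, rtcsync and so on) is left to the distribution defaults. Domain member machines are not covered here: they should simply point at the DCs.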
