Time is the cornerstone of all “these internets.” The domain controller on Ubuntu 18.04 is no exception. If the time difference between the controller and the devices on your local network exceeds 5 minutes (the default Kerberos clock-skew tolerance), you have a problem. AD uses time to resolve replication conflicts. Some workstations will not be able to log in to the domain. Some devices that were previously authorized in the domain will no longer be able to access shared folders on the network. Chaos and unrest will begin.
All articles in the recommended reading order:
Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1
Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1
Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2
Linux Samba4 AD-DC on Ubuntu 18.04 – Settings – Part 2
DHCP server for Linux AD-DC Ubuntu 18.04. Integration with BIND9
Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP
Administering the Linux domain controller
A little bit of theory
Samba’s website lists the following scheme as the recommended best solution:
internet time server
         ^
         |
         |
  PDC Emulator DC
   ^          ^
   |          |
   |          |
Other DC <---- Workstation
The Primary Domain Controller (PDC emulator) gets time from the internet, the remaining DCs get time from the PDC, and workstations get time from any DC on the network. However, there is a problem with this scheme. The other DCs get their time exclusively from the PDC, and if the PDC is offline they stop updating their time until it is back in service. The practical solution at the moment is to configure both the PDC and the other DCs to get time from the same external servers. If the PDC fails and cannot be returned to service quickly, transfer the PDC emulator role to another DC on the network. Obviously, both the PDC and a backup DC must already be running on the network for this scenario to work.
Windows clients in the domain synchronize their time with the AD-DC using the NT5DC protocol. The NT5DC protocol uses digital signatures. If the Samba AD-DC and the time server are located on the same machine, Samba can provide all of this functionality. You can also reconfigure all machines to use plain NTP, but this is not recommended.
Domain Controller on Ubuntu 18.04 – Time Synchronization with ntpd
Requirement: ntpd version 4.2.6 or later, compiled with the --enable-ntp-signd option
Installing the package
sudo apt install ntp
Checking the permissions on the socket directory
The ntpd daemon must have read access to the directory of the ntp_signd socket.
Looking for the ntp_signd directory
sudo find / -name ntp_signd
As a result, we see that the ntp_signd directory is located in /var/lib/samba/ntp_signd.
Looking at the permissions on the directory
ls -ld /var/lib/samba/ntp_signd
We need to see the following:
drwxr-x--- 2 root 4096 Sep 24 12:33 /var/lib/samba/ntp_signd
Setting the permissions on the directory
Change the directory's owning group to ntp
sudo chown root:ntp /var/lib/samba/ntp_signd/
Set the directory permissions to 750
Even though the directory most likely already has mode 750, it does no harm to show the command that sets it:
sudo chmod 750 /var/lib/samba/ntp_signd/
This command sets the following permissions on the directory /var/lib/samba/ntp_signd/:
Owner – root – 7 – read, write and execute
Owning group – ntp – 5 – read and execute
Others – 0 – no access at all
Checking the permissions on the directory
ls -ld /var/lib/samba/ntp_signd
As a result, after all these manipulations, you should see the following:
drwxr-x--- 2 root ntp 4096 Sep 24 12:33 /var/lib/samba/ntp_signd
Access rights: drwxr-x--- , which means 750
Ownership Group: ntp
Set up ntp.conf
Create the ntp.conf file (the ntp package on Ubuntu reads /etc/ntp.conf)
sudo nano /etc/ntp.conf
And we put in the standard settings:
# Local clock. Note that this is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
server 2.pool.ntp.org iburst prefer

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
Pay attention to the line
ntpsigndsocket /var/lib/samba/ntp_signd: the path in it must be the same as the one found above with find. After editing, save the file.
When you set up an NTP server in a virtual environment
Disable the ntpd panic threshold
Append tinker panic 0 to the end of the file /etc/ntp.conf
sudo sh -c "echo 'tinker panic 0' >> /etc/ntp.conf"
Do this through sh -c, because a plain sudo echo "tinker panic 0" >> /etc/ntp.conf will most likely be rejected with "Permission denied": the redirection is performed by your own unprivileged shell, not by sudo.
Why the tinker panic 0 directive is needed
If your ntp server is configured on a virtual machine, it has no physical clock of its own measuring time. For one reason or another, the virtual machine may be suspended at any moment and resumed many hours later. In that case, when the time is next updated from the internet and the local time differs greatly from the internet time, ntpd panics and exits.
The official ntp documentation explains it as follows:
Ideally, the reference time is the same all over the world. Once synchronized, there should be no unexpected differences between local and reference time. Therefore, NTP has no special mechanism for dealing with such a problem.
However, the reaction of ntpd depends on the size of the difference between local and reference time. With a very small difference, ntpd adjusts the local time as usual. With small and medium deviations, ntpd ignores the reference time for a short period. In that case the local clock continues to run from the time of the last successful synchronization, and reference time received from outside that deviates from the local time is ignored. At the same time, small deviations (much less than a second) are gradually corrected by slewing the local clock step by step towards the reference time. Medium deviations cause the local clock to be stepped to the reference time, without gradual adjustment. Huge deviations are ignored and cause ntpd to terminate itself, convinced that in a world full of evil something it cannot understand is happening. The same algorithm is applied when ntpd is first started after a reboot.
Thus, on a virtual machine that has just resumed from suspension, even after a downtime that is short by human standards, ntpd will throw a fit that ends in its premature demise. Without tinker panic 0, once this happens, the situation will not be resolved without human intervention.
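An added audit script (not from the original article) that checks the two things this page configures: the ntp_signd directory permissions from the section above, and the ntp.conf directives (ntpsigndsocket path, mssntp in the default restriction, tinker panic 0). Paths and the expected group are parameters, so it can be run against the real /etc/ntp.conf or a test copy; it assumes GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not the article's own code. Audits the Samba + ntpd
# signing setup: directory permissions and the ntp.conf directives.

# check_signd_dir DIR GROUP -> 0 if DIR is group GROUP with mode 750
check_signd_dir() {
    dir=$1; grp=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 750 (GNU stat)
    gname=$(stat -c '%G' "$dir")    # owning group name
    [ "$mode" = "750" ] || { echo "$dir mode is $mode, expected 750"; return 1; }
    [ "$gname" = "$grp" ] || { echo "$dir group is $gname, expected $grp"; return 1; }
    return 0
}

# check_ntp_conf CONF DIR -> 0 if CONF points ntpsigndsocket at DIR,
# has mssntp on 'restrict default' and sets 'tinker panic 0'
check_ntp_conf() {
    conf=$1; dir=$2
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    body=$(sed 's/#.*//' "$conf")   # drop comments before matching
    sock=$(printf '%s\n' "$body" | awk '$1=="ntpsigndsocket"{print $2}' | tail -n 1)
    [ "${sock%/}" = "${dir%/}" ] \
        || { echo "ntpsigndsocket is '$sock', expected $dir"; return 1; }
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*restrict[[:space:]]+default.*mssntp' \
        || { echo "restrict default lacks mssntp (signed replies disabled)"; return 1; }
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*tinker[[:space:]]+panic[[:space:]]+0([[:space:]]|$)' \
        || { echo "tinker panic 0 not set (ntpd will exit after a VM suspend)"; return 1; }
    return 0
}

# Real run on the DC from this article:
#   check_signd_dir /var/lib/samba/ntp_signd ntp \
#     && check_ntp_conf /etc/ntp.conf /var/lib/samba/ntp_signd && echo OK
```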
Disable time synchronization with the host
Hypervisors have a very convenient and, without any doubt, correct feature: by default, all the virtual machines running on a hypervisor get their time from it. But when you set up the domain controller on Ubuntu 18.04, remember this! The problem is that the hypervisor may, for example, not be a member of the domain where the ntp server is located, and may not even be connected to an external time source. In that case it will impose its own time on the ntp server running in one of its virtual machines. At the next synchronization, ntpd will see that the local clock and the reference time differ by, say, 5-10 minutes, and it will have a seizure, the consequences of which will have to be cleaned up by hand.
- Start ntpd