
Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP

by Belfigor
Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP Server

Time is the foundation of all of "these internets", and a domain controller on Ubuntu 18.04 is no exception. If the clocks of the controller and the domain members in your network drift more than 5 minutes apart, you have a problem: Kerberos rejects tickets whose timestamps fall outside its default 5-minute tolerance, and AD uses timestamps to resolve replication conflicts. Some workstations will no longer be able to log in to the domain; machines that were already joined will lose access to network shares. Chaos and unrest will follow.

All articles in the series, in the recommended reading order:

  1. Configuring BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 1

  2. Linux AD-DC on Ubuntu 18.04 – Setting Samba4 – Part 1

  3. Set up BIND9 for Linux AD-DC on Ubuntu 18.04 – Part 2

  4. Linux Samba4 AD-DC on Ubuntu 18.04 – Settings – Part 2

  5. DHCP server for Linux AD-DC Ubuntu 18.04. Integration with BIND9

  6. Domain Controller on Ubuntu 18.04 – Time Synchronization – NTP

  7. Administering the Linux domain controller

A little bit of theory

The Samba wiki recommends the following scheme:

internet time server
          ^
          |
          |
  PDC Emulator DC
   ^         ^
   |         |
   |         | 
Other DC <----Workstation

The PDC emulator gets time from the internet, the other DCs get time from the PDC emulator, and workstations get time from any DC on the network. There is, however, a problem with the Windows clients: they take their time exclusively from the PDC emulator, and if the PDC emulator goes offline they stop updating their clocks. The other DCs also stop updating their time until the PDC emulator is back. The practical solution at the moment is to configure both the PDC emulator and the other DCs to take time from the same external servers, and, if the PDC emulator fails and cannot be brought back quickly, to transfer the PDC emulator role to another DC. Obviously, both the PDC emulator and a backup DC must already be running in the network for this scenario to work.

Windows clients in the domain synchronize their time with the AD DC using Microsoft's signed NTP (the NT5DS hierarchy, MS-SNTP), in which the DC signs its replies. If ntpd runs on the same machine as Samba, Samba provides the signing through its ntp_signd socket, so the whole setup can be served by one host. You could also reconfigure all machines to use plain, unsigned NTP, but that is not recommended: clients would then accept time from anyone who can answer on the network.

Domain Controller on Ubuntu 18.04 – Time Synchronization with ntpd

  1. Requirements

    ntpd version 4.2.6 or later, built with --enable-ntp-signd (the ntp package in Ubuntu is built this way)

  2. Installing a package

    sudo apt install ntp
  3. Checking the rights to the socket directory

    The ntpd daemon runs as user ntp and must be able to read and traverse the ntp_signd directory, which holds the Unix socket it talks to Samba through.

    1. Looking for a directory ntp_signd

      sudo find / -name ntp_signd

      [Screenshot: result of sudo find / -name ntp_signd]

      As a result we see that the ntp_signd directory is located at /var/lib/samba/ntp_signd

    2. Looking at the rights to the directory

      ls -ld /var/lib/samba/ntp_signd

      Initially you will most likely see something like this (the group column is not yet ntp):

      drwxr-x--- 2 root 4096 Sep 24 12:33 /var/lib/samba/ntp_signd
    3. Setting up the rights to the directory

      1. Changing the directory owner’s group to ntp

        sudo chown root:ntp /var/lib/samba/ntp_signd/
      2. Set the rights to the directory 750

        The directory most likely has mode 750 already, but for completeness here is the command that sets it:

        sudo chmod 750 /var/lib/samba/ntp_signd/

        For the directory /var/lib/samba/ntp_signd/ this sets the following rights:
        Owner – root – 7 – read, write and execute (traverse)
        Group – ntp – 5 – read and execute (traverse)
        Others – 0 – no access at all

        Keep the "others" digit at 0: any local process that can traverse this directory can reach Samba's signing socket, and that should be ntpd only.

    4. Checking the rights to the directory

      ls -ld /var/lib/samba/ntp_signd

      As a result, after all the manipulations, the following should appear:

      drwxr-x--- 2 root ntp 4096 Sep 24 12:33 /var/lib/samba/ntp_signd

      Access rights: drwxr-x---, which means 750
      Owner: root
      Ownership Group: ntp

      [Screenshot: ntp_signd directory rights]
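Steps 3.1 to 3.4 as one reusable script. This is an added example for this article, not code from Samba or the original author. Instead of running find over the whole filesystem it asks Samba for the directory it actually uses (the "ntp signd socket directory" parameter, read with samba-tool testparm), then checks and fixes the group and mode in one place, leaving the owner (root) untouched. The function names are this example's own, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original article or Samba): check and repair
# the ntp_signd socket directory so that ntpd, running as group "ntp", can
# reach Samba's signing socket while other local users cannot.
# Assumes GNU stat (Ubuntu); function names are this example's own.

# Print the directory Samba really uses for the signing socket.
# Assumption: the smb.conf parameter is "ntp signd socket directory"
# and samba-tool testparm --parameter-name prints its value.
signd_dir_from_samba() {
    samba-tool testparm --parameter-name 'ntp signd socket directory' 2>/dev/null
}

# Return 0 when DIR is a directory with mode 750 and group GROUP, else 1.
# Usage: signd_perms_ok /var/lib/samba/ntp_signd ntp
signd_perms_ok() {
    dir=$1; group=$2
    [ -d "$dir" ] || return 1
    actual=$(stat -c '%a %G' "$dir") || return 1
    [ "$actual" = "750 $group" ]
}

# Set group GROUP and mode 750 on DIR (idempotent) and re-check.
# chgrp rather than chown root:GROUP, so the owner is left as it is.
# Run as root on the DC: signd_perms_fix /var/lib/samba/ntp_signd ntp
signd_perms_fix() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chgrp "$group" "$dir" || return 1
    chmod 750 "$dir" || return 1
    signd_perms_ok "$dir" "$group"
}

# Show the state the article checks with ls -ld, e.g. "drwxr-x--- root ntp".
signd_perms_report() {
    stat -c '%A %U %G %n' "$1"
}

# Typical run on the DC (as root):
#   d=$(signd_dir_from_samba); signd_perms_fix "$d" ntp && signd_perms_report "$d"
```

signd_perms_ok is read-only and safe to run as any user, so it also serves as a quick post-check after the manual chown/chmod above; signd_perms_fix needs root on a real DC.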

  4. Set up ntp.conf

    Edit the file /etc/ntp.conf (the ntp package installs a default one; replace its contents):

    sudo nano /etc/ntp.conf

    And put in the standard settings from the Samba wiki:

    # Local clock. Note that is not the "localhost" address!
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    
    # Where to retrieve the time from
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    server 2.pool.ntp.org iburst prefer
    
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/lib/samba/ntp_signd
    
    # Access control
    # Default restriction: Allow clients only to query the time
    restrict default kod nomodify notrap nopeer mssntp
    
    # No restrictions for "localhost"
    restrict 127.0.0.1
    
    # Enable the time sources to only provide time to this host
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

    The path in the line ntpsigndsocket /var/lib/samba/ntp_signd must match the directory found in step 3.1. After the changes, save the file.

    Two things to note about the access control block. The mssntp flag on restrict default is what makes ntpd hand requests from domain members to Samba for signing, so do not drop it. The default line has no noquery, so any host that can reach the DC may send ntpq/ntpdc status queries; on a DC reachable only from the LAN that is acceptable, but add noquery if the server can be reached from untrusted networks (the restrict 127.0.0.1 line still lets you query locally).

  5. When you set up an NTP server in a virtual environment

    1. Turn off the NTP panic

      Add tinker panic 0 to the end of the file /etc/ntp.conf:

      sudo sh -c "echo 'tinker panic 0' >> /etc/ntp.conf"

      Use the sh -c form: with a plain sudo echo 'tinker panic 0' >> /etc/ntp.conf only echo runs as root, while the >> redirection is performed by your own shell and is refused with "permission denied".

    2. Why you need a tinker panic 0 team

      If your NTP server runs on a virtual machine, it has no physical clock of its own. The VM can be suspended at any moment for one reason or another and resumed many hours later. At the next update from the internet the local time and the reference time then differ by a large amount, and ntpd panics and exits.

    3. Section 5.1.1.4 of the official documentation

      Ideally the reference time is the same everywhere in the world. Once synchronized, there should be no unexpected differences between local and reference time, so NTP has no mechanism for dealing with them.

      How ntpd reacts depends on the size of the difference between local and reference time. A very small offset (below the step threshold, 128 ms by default) is corrected as usual, by slewing the local clock gradually towards the reference time. A small to medium offset is first ignored for a while (the stepout interval); if it persists, the clock is stepped, i.e. set directly to the reference time without gradual adjustment, and until then the local clock keeps running from its last successful synchronization. A huge offset (above the panic threshold, 1000 s by default) is not corrected at all: ntpd logs that something very strange is happening in a world full of evil, and exits. The same logic applies the first time ntpd starts after a reboot, which is why Ubuntu starts it with the -g option; -g allows one large step at startup only and does not help after a resume.

      1. Conclusion

        So on a virtual machine that has just woken up, even after a pause that is short by human standards, ntpd hits the panic threshold and exits, and without tinker panic 0 the situation is not resolved without human intervention. Bear in mind what the setting costs you: with the panic threshold disabled, ntpd follows a step of any size that its sources hand it, so a wrong or spoofed upstream can move the DC's clock arbitrarily, and with it the validity windows of every Kerberos ticket it issues. Use trusted upstream servers, and fix the hypervisor side as well (next point).

    4. We turn off time synchronization with the host

      Hypervisors have a very convenient and, without doubt, correct feature: by default every virtual machine running on the host gets its time from the host. Remember this when you set up the domain controller on Ubuntu 18.04. The problem is that the hypervisor may not be in the domain where the NTP server lives, and may not even be connected to an external time source. It will then push its own time into the NTP server running in one of its virtual machines. At the next synchronization ntpd sees that the local clock and the reference time differ by, say, 5 to 10 minutes and has a fit, and the consequences are yours to clean up by hand. So disable host-to-guest time synchronization for the DC's virtual machine in the hypervisor (the guest tools or integration services setting), and let ntpd be the only thing that steers its clock.

  6. Start ntpd

    The ntp package installs a systemd unit that is already enabled, so restart it to pick up the new configuration rather than launching the daemon by hand (a stray sudo ntpd would run unmanaged next to the unit):

    sudo systemctl restart ntp
    systemctl status ntp

    Then check the peers with ntpq -p; after a few minutes one upstream should be marked with * as the selected source.
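The configuration of steps 4 and 5 and the start in step 6, checked rather than just typed. This is an added example written for this page, not code from the article, Samba or the ntp project. check_ntp_conf lints an ntp.conf for the three things a Samba AD DC cannot do without (a signing socket, mssntp on the default restriction, an external time source) and warns when noquery is absent; ensure_tinker_panic is an idempotent version of the echo >> from step 5.1, which appends a duplicate line every time it is re-run; verify_ntpd collects the checks to run after the restart. The function names, the assumption that Samba creates a file named socket inside the signd directory, and the sample configurations are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article, Samba or ntp: a lint for
# the ntp.conf assembled in steps 4 and 5, an idempotent "tinker panic 0"
# append, and the checks to run once ntpd is up. Function names and the
# "socket" filename inside the signd directory are this example's assumptions.

# Print the value of the first line whose first word is $1 in config file $2.
conf_get() {
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Return 0 if CONF carries what a Samba AD DC needs; otherwise print what is
# missing and return 1. Lint only, nothing is changed.
check_ntp_conf() {
    conf=$1; rc=0
    if [ -z "$(conf_get ntpsigndsocket "$conf")" ]; then
        echo "missing: ntpsigndsocket (ntpd cannot ask Samba to sign MS-SNTP replies)" >&2
        rc=1
    fi
    default=$(awk '$1 == "restrict" && $2 == "default" { print; exit }' "$conf")
    case "$default" in
        *mssntp*) ;;
        *) echo "missing: mssntp on 'restrict default' (domain members get unsigned replies)" >&2; rc=1 ;;
    esac
    case "$default" in
        *noquery*) ;;
        *) echo "note: 'restrict default' lacks noquery; ntpq queries are answered for any client" >&2 ;;
    esac
    # At least one real upstream; 127.127.x.x is the local clock driver, not a source.
    n=$(awk '$1 == "server" && $2 !~ /^127\.127\./ { n++ } END { print n + 0 }' "$conf")
    if [ "$n" -eq 0 ]; then
        echo "missing: no external time source (only the local clock)" >&2
        rc=1
    fi
    return $rc
}

# Append "tinker panic 0" to config file $1 exactly once, however often this runs.
ensure_tinker_panic() {
    grep -qE '^tinker[[:space:]]+panic[[:space:]]+0' "$1" ||
        printf 'tinker panic 0\n' >> "$1"
    grep -qE '^tinker[[:space:]]+panic[[:space:]]+0' "$1"
}

# Post-restart checks on the DC itself (needs ntpd and Samba running).
verify_ntpd() {
    conf=${1:-/etc/ntp.conf}
    sock=$(conf_get ntpsigndsocket "$conf")
    sock=${sock%/}
    [ -S "$sock/socket" ] || echo "Samba signing socket $sock/socket not present" >&2
    ntpq -p          # peers: expect '*' on a reachable upstream after a few minutes
    ntpq -c rv       # system variables: stratum, offset, sync source
    timedatectl      # systemd-timesyncd must not be active alongside ntpd
}
```

Run check_ntp_conf /etc/ntp.conf before the restart in step 6 and verify_ntpd after it; both are read-only, and only ensure_tinker_panic (run through sudo, as in step 5.1) writes to the file.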
