Configuration of NTP for Samba4

In an Active Directory domain, which is a Kerberos domain, time synchronization is critical.  If a workstation's or server's clock drifts too far from the clock of the KDC, neither users nor services will be able to participate in the domain.  But Active Directory clients [such as Windows 7] require an MS-SNTP server that cryptographically signs the response.  This means that the NTP server shipped with almost all current distributions cannot provide time services to these devices; support for this interoperability was added in NTP 4.2.6 (see NTP Bug#1028).  Appropriately versioned NTP packages are available for openSUSE 11.3 from namtrac's repository and will be included in openSUSE 11.4 (see openSUSE Bug#657194).
With a suitable version of NTP, the required NTP configuration is:
ntpsigndsocket /opt/ad/samba4/var/run/ntp_signd/
restrict default mssntp
Samba4 creates a socket which NTP can use to have its responses signed; the location of this socket is what the NTP directive "ntpsigndsocket" indicates.  Note that this is a directory path under which NTP expects to find a domain socket named "socket" (not intuitive!).  NTP simply appends "/socket" to the configured directory, which is why the path in the trace below contains a doubled slash when the directive ends in one.  It is Samba which creates and listens on this socket; NTP uses the socket as a consumer and only opens it when it needs signing services.  The default location where Samba will initially create this socket is controlled via the "ntp signd socket directory" directive in Samba's "smb.conf".  In most cases this won't be set explicitly.  You can verify the default value using the Samba "testparm" command with the "--verbose" option, which lists both defined directives and the default values of undefined directives [including "ntp signd socket directory"].
Running the NTP daemon as "strace ntpd -n" keeps ntpd in the foreground and lets you see the files and sockets that it opens and closes.  Once properly configured, run "w32tm /resync /rediscover" on a Windows 7 AD member and you should receive the response:
Sending resync command to local computer
The command completed successfully.
On the server you will see (in the strace output) an exchange between NTP and Samba4 via the signing socket.  It will look something like:
recvmsg(21, {msg_name(-1734344)={...},
msg_iov(17832102453714092032)=0x14ffe5894c, msg_controllen=120259084288,
msg_control=0x848, msg_flags=MSG_DONTROUTE|MSG_PROXY}, 0) = 68
recvmsg(21, 0xffe5891c, 0)              = -1 EAGAIN (Resource
temporarily unavailable)
clock_gettime(CLOCK_REALTIME, {1291827449, 637483079}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
connect(4, {sa_family=AF_FILE,
path="/opt/ad/samba4/var/run/ntp_signd//socket"}, 110) = 0
write(4, "\0\0\0@", 4)                  = 4
write(4, "\0\0\0\0\0\0\0\0\1\0\0\0P\4\0\0\34\v\21\360\0\0\0\0\0\0002\337
\177\177\1\0"..., 64) = 64
read(4, "\0\0\0P", 4)                   = 4
read(4, "\0\0\0\0\0\0\0\3\0\0\1\0\34\v\21\360\0\0\0\0\0\0002\337\177\177
\1\0\320\2527c"..., 80) = 80
sendto(21, "\34\v\21\360\0\0\0\0\0\0002\337\177\177\1\0\320\2527c>\360
\220\303\320\2527\201\3478 \330"..., 68, 0, {sa_family=AF_INET,
sin_port=htons(123), sin_addr=inet_addr("")}, 16) = 68
If that doesn't happen, verify that both Samba4 and NTP have access to the socket; this may involve filesystem permissions as well as SELinux / AppArmor policies.  Once it works, just run NTP normally: you have working, signed time synchronization.
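As an added troubleshooting helper (not from the original post, and not Samba's or NTP's own code): a small Python module that resolves the "ntpsigndsocket" directory to the "socket" file NTP actually opens, tests whether the current user can stat and connect to it, and reads and writes the 4-byte big-endian length-prefixed frames visible in the strace above (the "\0\0\0@" = 64 and "\0\0\0P" = 80 prefixes). The socket name comes from the post; the field layout inside the frames is deliberately not decoded.

```python
import os
import socket
import stat
import struct

SOCKET_NAME = "socket"  # name Samba uses inside its "ntp signd socket directory"

def check_signd_socket(signd_dir):
    """Is <signd_dir>/socket present, a Unix domain socket, and connectable by us?"""
    path = os.path.join(signd_dir, SOCKET_NAME)
    result = {"path": path, "exists": False, "is_socket": False, "connectable": False}
    try:
        result["is_socket"] = stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return result  # nothing there: wrong directory, or Samba is not running
    result["exists"] = True
    if result["is_socket"]:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.settimeout(2.0)
            s.connect(path)  # exercises mode bits and any SELinux/AppArmor policy
            result["connectable"] = True
        except OSError:
            pass  # EACCES/ECONNREFUSED here is the permissions problem the post describes
        finally:
            s.close()
    return result

def frame_length(header):
    """4-byte big-endian length prefix: b"\\0\\0\\0@" is 64, b"\\0\\0\\0P" is 80."""
    if len(header) != 4:
        raise ValueError("length prefix must be exactly 4 bytes")
    return struct.unpack(">I", header)[0]

def write_frame(sock, payload):
    """Send one message the way the trace shows: length prefix, then the body."""
    sock.sendall(struct.pack(">I", len(payload)) + payload)

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("signing socket closed mid-frame")
        buf += chunk
    return buf

def read_frame(sock):
    """Read one length-prefixed message and return only its body."""
    return _read_exact(sock, frame_length(_read_exact(sock, 4)))
```

Point check_signd_socket() at the directory named in your "ntpsigndsocket" directive, running it as the user ntpd runs as, to separate a wrong path from a permission or MAC-policy denial.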
