There's always time to play

Thursday, March 28, 2013

Setting up NTP signing (ntp_signd) with Samba 4 (in other words: providing time to Windows clients)

In an Active Directory domain, the focus usually is on Windows clients. One key aspect in an Active Directory domain is time synchronization. If you're here you probably know something about NTP, and maybe even that Windows won't just use the NTP server you specify using DHCP. The reason is that Windows wants a NTP server that provides signed NTP responses. ntpd actually supports providing these signed responses, but in order to do so it requires a signing provider. Samba 4 can provide this, by way of a socket specifically made for this purpose.

This post continues where I left off with Install Samba 4(.0.4) on Ubuntu 12.04 LTS, from source. It assumes Samba is already working properly, and that the ntp_signd task/service is enabled (which is by default). If you didn't install ntpd yet, do it with the following command:

$ sudo apt-get install ntp

The socket that is used for signing responses resides at /usr/local/samba/var/lib/ntp_signd/socket. The permissions on the socket should indicate that it's world writable, the permissions on the ntp_signd directory however only allow root (as user) full read/write and root (as group) read access. In order to allow ntpd to write to the socket it's necessary to grant it permissions on the ntp_signd directory, which we can do as follows:

$ sudo chgrp ntp /usr/local/samba/var/lib/ntp_signd

There's no need to change permissions of the socket file, if ntp can access it, it can write to it as well (remember, it's world writable).

There is an issue one might easily overlook. By default Ubuntu comes with apparmor enabled, which will prevent some programs from accessing files they normally shouldn't access. One of the programs that is actually configured to be restricted by apparmor, is ntp. Because Ubuntu by default doesn't know about our source-compiled Samba 4 installation, it also doesn't know about the ntp_signd socket. The fix for this is to edit /etc/apparmor.d/local/usr.sbin.ntpd:

# Site-specific additions and overrides for usr.sbin.ntpd.
# For more details, please see /etc/apparmor.d/local/README.
/usr/local/samba/var/lib/ntp_signd/socket rw,

Last but not least we need to configure ntpd so it knows that it is allowed to do signed responses and how it should sign them. This requires the addition of the following lines to /etc/ntp.conf (rest of file omitted for brevity):

ntpsigndsocket /usr/local/samba/var/lib/ntp_signd
restrict default mssntp

Now restart ntpd:

$ sudo service ntp restart

That should be it, but beware! ntpd needs some time to establish a reliable time for itself. Before it has established a reliable time it's useless. You can check if it has established time by running the following command:

$ ntpdate -q localhost
server, stratum 3, offset -0.000004, delay 0.02563
28 Mar 22:03:29 ntpdate[15015]: adjust time server offset -0.000004 sec

In the output above it shows stratum 3, if it shows a higher number I guess you can forget requesting time from the server. In my case it will start at 16 and jump back to 3, at which point it has established a reliable time for itself.

At this point you can test with a Windows client. Just open a command prompt and type the following:

C:\>w32tm /resync
Sending resync command to local computer...
The command completed successfully.


And that's it! If it doesn't work out this well for you, then I'd suggest you start by running ntpd in debug mode, which will at least show when it's receiving requests from clients:

$ sudo service ntp stop
$ sudo ntpd -d

If it doesn't work, or you want to thank me for the instructions, use the comments!

No comments: