Web lists-archives.com

[Samba] NTP/Chrony + samba-AD-DC




Hai Rowland and all happy campers on the samba list ofcourse ;-) 

Can you/someone verify this? 

Just read it. no need to setup ubuntu. 
I think its ok, you see what i mean, below the 2x winbind part in apparmor. 

(samba -b the needed part) 
   WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

After some checking i notice (posible) problems in both packages. 
And take note of how i make this change.! 

The NTP part (apt install ntp)
And Yes, we have an apparmor bug in NTPD and Chrony. 

 # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,	<< incorrect path. 

  # samba4 winbindd pipe
  /run/samba/winbindd/pipe rw,	< can better.. But not wrong. 

For Chrony. (apt install chrony)
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

Thats missing the winbindd pipe part. 

Im only questioning, /var/lib/samba/winbindd_privileged/ and/or /var/run/samba/winbindd/pipe ? 
Since im not sure here, i've added the winbindd_privileged also. 

I suggest this, should be easy and quick fix. 
First we enble the LOCAL file to include our personal settings.

# enable the local file part for ntpd. 
sed -i 's[#include <local/usr.sbin.ntpd>[include <local/usr.sbin.ntpd>[g' /etc/apparmor.d/usr.sbin.ntpd

# NTPD fix. 
echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe 
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed? 
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.ntpd

# Chrony fix 
sed -i 's[#include <local/usr.sbin.chronyd>[include <local/usr.sbin.chronyd>[g' /etc/apparmor.d/usr.sbin.chronyd
echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe 
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed? 
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.chronyd


Now both should work fine again, but someone needs to verify this. 
I dont use apparmor myself on my servers. 

Personaly, I advice to use NTPD for the AD-DCs only. 
Why, ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client.
But if you dont need that, then chrony should be fine also. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> L.P.H. van Belle via samba
> Verzonden: vrijdag 26 april 2019 8:33
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Windows clients require reboot once a 
> day in order to access mapped drives
> 
> I'll fire up the ubuntu test vm..  
> Report back later.. 
> I.. Need... More... Cofee.....First  ;-)
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: Rowland Penny [mailto:rpenny@xxxxxxxxx] 
> > Verzonden: donderdag 25 april 2019 20:08
> > Aan: samba@xxxxxxxxxxxxxxx
> > CC: L.P.H. van Belle
> > Onderwerp: Re: [Samba] Windows clients require reboot once a 
> > day in order to access mapped drives
> > 
> > On Thu, 25 Apr 2019 10:34:24 -0700
> > Mason Schmitt <mason@xxxxxxxxxxxxxxxx> wrote:
> > 
> > > >
> > > >
> > > > Forgot to mention, are sure your time sync over AD is working
> > > > correctly. One to add to you list, check times of server and
> > > > clients, (* yes again, if needed just to be sure).
> > > >  
> > > 
> > > Yes, I have double check that time is correctly being synced.
> > > 
> > > FYI, Rowland, the process outlined in the wiki for using 
> > chronyd does
> > > not work on Ubuntu 18.04 (my AD DC is on Ubuntu, but my 
> > file server is
> > > CentOS).  I can only successfully sync windows clients with ntpd
> > > running on the DC.  Also, if using apparmor, the default apparmor
> > > rules don't work. Here's what I had to do to get windows 
> clients to
> > > successfully sync with my Ubuntu DC.
> > > 
> > > # Install ntp (if chrony is installed, this will disable and mask
> > > chrony in systemd)
> > > apt install ntp
> > > 
> > > # First comment out the default NTP ACLs
> > > sed -i 's/^restrict -/#restrict -/g' /etc/ntp.conf
> > > 
> > > # Then add some samba specific settings to /etc/ntp.conf
> > > cat << EOF >> /etc/ntp.conf
> > > 
> > > # Use AD for authenticanting Windows NTP clients
> > > ntpsigndsocket /var/lib/samba/ntp_signd
> > > 
> > > # Acess control
> > > # Default restriction: Allow clients to only query the time
> > > restrict -4 default kod notrap nomodify nopeer noquery mssntp
> > > restrict -6 default kod notrap nomodify nopeer noquery mssntp
> > > 
> > > # We're running in a VM, so we need to protect ntpd from waking up
> > > # in a panic, in a situation where a VM has been shutdown for an
> > > # extended period of time
> > > tinker panic 0
> > > EOF
> > > 
> > > # There is a bug in Ubuntu's apparmor config for ntp, so 
> > this fixes it
> > > sed -i /ntp_signd/c'\  /var/lib/samba/ntp_signd/socket rw,'
> > > /etc/apparmor.d/usr.sbin.ntpd
> > > apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd
> > > 
> > > # Set the necessary permissions on the ntp signed socket
> > > chmod 750 /var/lib/samba/ntp_signd
> > > chown root:ntp /var/lib/samba/ntp_signd
> > > systemctl enable ntp.service
> > > systemctl restart ntp.service
> > > 
> > > 
> > > # Test to make sure NTP is working
> > > ntpq -p
> > 
> > Louis, you use Ubuntu 18.04, can you confirm this ? (note 
> to Mason: I
> > do not disbelieve you, I just need confirmation before changing the
> > wiki, I do not use Ubuntu so cannot confirm the changes)
> > 
> > Rowland
> > 
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba