This shows you the differences between two versions of the page.
requeriments [2015/09/10 19:07] cbustillo [File System Support] |
requeriments [2020/04/10 17:38] (current) |
Line 308: | Line 308: | ||
** DDNS updates not working ** | ** DDNS updates not working ** | ||
- | Check that the file '/etc/krb5.conf' is readable by Bind. | + | * Check that the file '/etc/krb5.conf' is readable by Bind. |
+ | * Check that the configured samba4 dns.keytab been accessible by BIND and samba4. | ||
+ | * Check that deployed dns resolver been correctly set to samba4 AD server. | ||
+ | * Check at named.conf that the samba DLZ settings been correct at least for: | ||
+ | <code> | ||
+ | tkey-gssapi-keytab | ||
+ | tkey-domain | ||
+ | </code> | ||
+ | * Check that TLS/SSL are correctly deployed. | ||
+ | * Check that filesystems support acl. | ||
+ | * Check common settings for samba4 smb.conf: | ||
+ | <code> | ||
+ | kerberos method = system keytab | ||
+ | client ldap sasl wrapping = sign | ||
+ | allow dns updates = nonsecure and secure | ||
+ | nsupdate command = /usr/bin/nsupdate -g | ||
+ | </code> | ||
+ | The most important option is "allow dns updates = nonsecure and secure". | ||
====== Configure NTP ====== | ====== Configure NTP ====== | ||
---- | ---- | ||
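Review bot: the closing advice in this hunk, that `allow dns updates = nonsecure and secure` is "the most important option", undoes the authentication the earlier checklist items (dns.keytab readable by BIND, `tkey-gssapi-keytab`, `nsupdate -g`) exist to establish: it lets any host on the network overwrite DNS records without Kerberos, so it hides a broken GSS-TSIG setup rather than fixing it. Suggest keeping the default `secure only`, presenting `nonsecure and secure` only as a temporary diagnostic to confirm the failure is in the Kerberos path, and dropping or justifying the unrelated "Check that TLS/SSL are correctly deployed" item, which has no bearing on DDNS. Minor: "been accessible", "been correctly set" and "been correct" should read "is accessible", "is correctly set" and "are correct".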
Line 334: | Line 350: | ||
# Local clock | # Local clock | ||
server 127.127.1.0 | server 127.127.1.0 | ||
- | fudge 127.127.1.0 stratum 12 | + | fudge 127.127.1.0 stratum 8 |
# For signed NTP | # For signed NTP | ||
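Review bot: the local-clock stratum is lowered from 12 to 8 here, but the sample ntp.conf added later in this same revision uses `fudge 127.127.1.0 stratum 10`, so the page now gives two different values for the same line with no explanation. Pick one and say why: the undisciplined local clock is a last-resort fallback, and a high stratum (10 or more) keeps clients from preferring this DC over a real upstream source whenever the pool server is unreachable.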
Line 348: | Line 364: | ||
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
restrict default kod nomodify notrap nopeer mssntp</code> | restrict default kod nomodify notrap nopeer mssntp</code> | ||
+ | |||
+ | A suitable configuration for ntp.conf maybe: | ||
+ | |||
+ | <code> | ||
+ | # Local clock (Note: This is not the localhost address!) | ||
+ | server 127.127.1.0 | ||
+ | fudge 127.127.1.0 stratum 10 | ||
+ | |||
+ | # The source, where we are receiving the time from | ||
+ | server 0.pool.ntp.org iburst prefer | ||
+ | |||
+ | driftfile /var/lib/ntp/ntp.drift | ||
+ | logfile /var/log/ntp | ||
+ | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
+ | |||
+ | # Access control | ||
+ | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
+ | restrict default kod nomodify notrap nopeer mssntp | ||
+ | |||
+ | # Allow everything from localhost | ||
+ | restrict 127.0.0.1 | ||
+ | |||
+ | # Allow that our time source can only provide time and do nothing else | ||
+ | restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery | ||
+ | </code> | ||
Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | ||
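Review bot: `restrict default kod nomodify notrap nopeer mssntp` in the sample config omits `noquery`, so any address can send mode 6/7 control queries (`ntpq`, `ntpdc`) to the DC; those responses are much larger than the requests and are the classic NTP reflection/amplification vector. Suggest `restrict default kod nomodify notrap nopeer noquery mssntp`, keeping the unrestricted `restrict 127.0.0.1` (and adding `restrict ::1`) so local `ntpq -pn` still works. Two further caveats worth a sentence each: `restrict 0.pool.ntp.org mask 255.255.255.255 ...` is resolved once when the config is read and pool names round-robin, so the restriction may not match the address the `server` line actually picked; and `ntpsigndsocket` must name the same directory as samba's `ntp signd socket directory` setting, with `/usr/local/samba/var/lib/ntp_signd/` assuming a source build rather than a distribution package. Typo in the lead sentence: "maybe" should be "may be".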
Line 369: | Line 410: | ||
<code> | <code> | ||
# ntpq -pn | # ntpq -pn | ||
+ | </code> | ||
+ | |||
+ | To view connected clients: | ||
+ | <code> | ||
+ | # ntpdc -c monlist | ||
</code> | </code> | ||
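Review bot: `ntpdc -c monlist` relies on the mode 7 monitor facility, which is the same query abused for NTP amplification; newer ntpd releases disable it by default (`disable monitor`) and deprecate `ntpdc`, so this command will often return nothing useful. Suggest `ntpq -c mrulist` instead, and note that with `noquery` in the default restriction either command only answers from localhost.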