2010-12-08

Configuration of NTP for Samba4

In an Active Directory domain, which is a Kerberos domain, time synchronization is critical.  If a workstation's or server's clock drifts too far from the clock of the KDC, neither users nor services will be able to participate in the domain.  But Active Directory clients [such as Windows 7] require an MS-SNTP server that cryptographically signs the response.  This means that the NTP server shipped with almost all current distributions cannot provide time services to these devices - support for this interoperability was added in NTP 4.2.6 (see NTP Bug#1028).  Appropriately versioned NTP packages are available for openSUSE 11.3 from namtrac's repository and will be included in openSUSE 11.4 (see openSUSE Bug#657194).
With a good version of NTP the required NTP configuration is:
ntpsigndsocket /opt/ad/samba4/var/run/ntp_signd/
restrict default mssntp
Samba4 will create a socket which NTP can use to have its responses signed - the location of this socket is what the NTP directive "ntpsigndsocket" indicates.  Note that this is a directory path under which NTP expects to find a domain socket named "socket" (not intuitive!).  It is Samba which creates and listens on this socket; NTP uses the socket as a consumer and only opens it when it needs signing services.  The default location where Samba will initially create this socket is controlled via the "ntp signd socket directory" directive in Samba's "smb.conf".  In most cases this won't be set explicitly.  You can verify the default value using the Samba "testparm" command with the "--verbose" option, which lists both defined directives and the default values of undefined directives [including "ntp signd socket directory"].
Running the NTP daemon as "strace ntpd -n" will keep ntpd in the foreground and allow you to see the files and sockets that it opens and closes.  Once properly configured, issue the "w32tm /resync /rediscover" command on a Windows 7 AD member and you should receive the response:
Sending resync command to local computer
The command completed successfully.
On the server you will see (in the strace output) an exchange between NTP and Samba4 via the signing socket.  It will look something like:
recvmsg(21, {msg_name(-1734344)={...},
msg_iov(17832102453714092032)=0x14ffe5894c, msg_controllen=120259084288,
msg_control=0x848, msg_flags=MSG_DONTROUTE|MSG_PROXY}, 0) = 68
recvmsg(21, 0xffe5891c, 0)              = -1 EAGAIN (Resource
temporarily unavailable)
clock_gettime(CLOCK_REALTIME, {1291827449, 637483079}) = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 4
connect(4, {sa_family=AF_FILE,
path="/opt/ad/samba4/var/run/ntp_signd//socket"}, 110) = 0
write(4, "\0\0\0@", 4)                  = 4
write(4, "\0\0\0\0\0\0\0\0\1\0\0\0P\4\0\0\34\v\21\360\0\0\0\0\0\0002\337
\177\177\1\0"..., 64) = 64
read(4, "\0\0\0P", 4)                   = 4
read(4, "\0\0\0\0\0\0\0\3\0\0\1\0\34\v\21\360\0\0\0\0\0\0002\337\177\177
\1\0\320\2527c"..., 80) = 80
sendto(21, "\34\v\21\360\0\0\0\0\0\0002\337\177\177\1\0\320\2527c>\360
\220\303\320\2527\201\3478 \330"..., 68, 0, {sa_family=AF_INET,
sin_port=htons(123), sin_addr=inet_addr("10.66.77.102")}, 16) = 68
close(4)
If that doesn't happen, verify that both Samba4 and NTP have access to the socket; this may include permissions issues as well as SELinux / AppArmor policies.  Once it works, just run NTP normally - you have working secure time synchronization.
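The access check described above, as an added example that is not part of the original post: it verifies that the "ntpsigndsocket" directory contains a reachable UNIX domain socket named "socket" (run it as the user ntpd runs under), and it reproduces the 4-byte big-endian length framing visible in the strace exchange (write of "\0\0\0@" before the 64-byte request, read of "\0\0\0P" before the 80-byte reply). The request and reply bodies themselves are not modelled here.

```python
import os
import socket
import stat
import struct

# ntpd appends "/socket" to the "ntpsigndsocket" directory itself, which is
# why the strace above shows ".../ntp_signd//socket"; Samba4 creates and
# listens on that socket, ntpd only connects to it when it needs a signature.

def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the signd side closes the socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("signd socket closed early")
        buf += chunk
    return buf

def frame(payload):
    """Prefix a signd message with its 32-bit big-endian length.
    strace: write(4, "\\0\\0\\0@", 4) = 4 precedes the 64-byte request."""
    return struct.pack(">I", len(payload)) + payload

def read_frame(sock):
    """Read one length-prefixed reply.
    strace: read(4, "\\0\\0\\0P", 4) = 4 precedes the 80-byte reply."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)

def check_signd_socket(directory):
    """Return a list of problems; an empty list means ntpd could use the socket."""
    path = os.path.join(directory, "socket")
    if not os.path.exists(path):
        return ["%s does not exist (is Samba4 running?)" % path]
    problems = []
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        problems.append("%s is not a UNIX domain socket" % path)
    if not (os.access(directory, os.X_OK) and os.access(path, os.R_OK | os.W_OK)):
        problems.append("this user lacks permission on the socket or its directory")
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2)
            s.connect(path)
    except OSError as e:
        problems.append("connect() failed: %s (check permissions, SELinux/AppArmor)" % e)
    return problems
```

Calling check_signd_socket("/opt/ad/samba4/var/run/ntp_signd/") from the ntpd account distinguishes a missing socket (Samba not running) from a permission or policy denial (connect refused).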

Manually Adding an ACL To An Object

In OpenGroupware the ACLs applied to an object are stored in the "object_acl" table.  If, for example, I want to add the list, view, read, write, and administer privileges for the team 11,530 on object 16,829,810, the correct SQL to execute is:
INSERT INTO object_acl
  (object_acl_id, sort_key, action, object_id, auth_id, permissions)
VALUES (nextval('key_generator'), 0, 'allowed', 16829810, 11530, 'lvrwa')
The important points are:
  1. Use the "key_generator" sequence to assign the "object_acl_id" value.  This is the object id of the ACL itself;  all object ids are assigned from the key_generator sequence.
  2. The value of "sort_key" is always 0.  This value isn't actually used for anything.
  3. The value of "action" must be either "allowed" or "denied".  In most cases "allowed" is what you want in order to grant access.
  4. "object_id" is the object id of the object to which the ACL is applied, whereas "auth_id" is the context to which the privileges specified in "permissions" are either granted [if "action" is "allowed"] or revoked [if "action" is "denied"].  The value of "auth_id" should be the object id of an account or a team.
  5. The permissions string is always lower case.  Permission flags are documented in WMOGAG.
The ACLs in "object_acl" are the primary access control mechanism for all entities excepting Projects and Appointments.