.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Installing and configuring NTP Chrony for Samba-AD on Debian
  :keywords: Debian, Samba-AD, NTP, Network Time Protocol, documentation, chrony, chronyd

.. _server_install_ntp_debian:

#############################################################################
Installing and configuring NTP Chrony for Samba-AD on Debian
#############################################################################

.. hint::

  Active Directory is based on the Kerberos protocol which requires near perfect clock synchronization between the domain member workstations and the Samba-AD domain controller.
  NTP is used to ensure synchronization between the clocks of the different devices on the network.

* Install the Chrony :program:`NTP` package and choose a time server on the Internet. Since bookworm, ``ntp`` is an alias of ``ntpsec``, and chronyd is the new standard for a Samba-AD installation:

  .. code-block:: bash

    apt install chrony -y

* Add the following lines to :file:`/etc/chrony/chrony.conf` to manage the signed NTP used by Windows workstations to automatically synchronize their clocks with the AD server:

  .. code-block:: bash

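    # Answer NTP requests from any IPv4 address; narrow this to your client subnets where possible
    allow 0.0.0.0/0
    # Socket on which Samba signs the NTP replies sent to Windows clients (MS-SNTP)
    ntpsigndsocket  /var/lib/samba/ntp_signd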

* Change the owner and permissions of the directory containing the Samba socket used to authenticate the NTP service:

  .. code-block:: bash

    chown root:_chrony /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd/

.. hint::

  If your machine doesn't have access to the host time and the service tells you that ``ConditionCapability=CAP_SYS_TIME`` is missing,
  edit the file :file:`/etc/default/chrony` and add ``-x`` to ``DAEMON_OPTS="-F 1"``. With ``-x``, chronyd does not try to control the system clock.

* Restart Chrony:

  .. code-block:: bash

    systemctl restart chrony

* Enable Chrony:

  .. code-block:: bash

    systemctl enable chrony
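
The steps above can be checked with a short audit script. This is an added example, not part of the original documentation: the function names and the ``run`` argument are this example's own, and it assumes GNU ``stat`` as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit the chrony settings this page configures for Samba-AD.
# Function names are hypothetical; paths and expected values come from the steps above.

# Print the value of the last active (uncommented) occurrence of directive $2 in file $1.
conf_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 } END { print val }' "$1"
}

# Succeed if config file $1 points ntpsigndsocket at directory $2 (trailing slash ignored).
check_signd_directive() {
    v=$(conf_value "$1" ntpsigndsocket)
    [ -n "$v" ] && [ "${v%/}" = "${2%/}" ]
}

# Succeed if directory $1 has exactly the octal mode $2 (e.g. 750).
check_dir_mode() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Succeed if directory $1 is owned by user:group $2 (e.g. root:_chrony).
check_dir_owner() {
    [ -d "$1" ] && [ "$(stat -c '%U:%G' "$1")" = "$2" ]
}

# Print each network named by an active "allow" rule; a bare "allow" means all clients.
list_allow_rules() {
    awk '$1 == "allow" { print ($2 == "" ? "all" : $2) }' "$1"
}

# Report every deviation from the configuration described on this page.
audit() {
    conf=$1; dir=$2; rc=0
    check_signd_directive "$conf" "$dir" || { echo "FAIL: ntpsigndsocket is not $dir"; rc=1; }
    check_dir_owner "$dir" root:_chrony  || { echo "FAIL: $dir is not owned by root:_chrony"; rc=1; }
    check_dir_mode "$dir" 750            || { echo "FAIL: $dir mode is not 750"; rc=1; }
    for net in $(list_allow_rules "$conf"); do
        echo "INFO: NTP requests accepted from $net"
    done
    return $rc
}

# Audit the real paths only when called with the argument "run" (as root).
if [ "${1:-}" = "run" ]; then
    audit /etc/chrony/chrony.conf /var/lib/samba/ntp_signd
fi
```

The ``INFO`` lines list which networks may query the server, which makes a wide ``allow`` rule visible at a glance.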

.. include:: samba_config_server-samba_debug_ntp.rst.inc

Now we can :ref:`install Samba in Active Directory mode <server_install_samba_debian>`. We're progressing, that's good!

