Subject: Re: Starting ntpd in a jail
From: Andrea Venturoli <ml@netfence.it>
To: freebsd-questions@freebsd.org, doug@fledge.watson.org
Date: Sat, 29 Sep 2018 10:55:18 +0200

On 9/28/18 5:41 PM, doug@safeport.com wrote:
> I am missing something here. The jail shares the kernel. Unless you want
> the jail to be in a different time zone than the kernel, why run ntp in
> a jail? It is interesting that it even works.

Two cases at least:

A) you have multiple AD domains, so you have two Samba AD DCs, running in two jails. You'll need two ntpd instances with two different "ntpdsigndsocket" parameters.

B) for security, you don't want clients to mess with base's ntpd, whose only task will be to set the host time. A second ntpd in a jail (which of course cannot modify the host time) can serve untrusted clients, so if it gets compromised it will only affect that jail.

bye
av.
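One way to lay out case B (and the Samba signing socket from case A), as an added example that is not part of the thread; the file paths, pool hostnames and the Samba socket directory are assumptions, and the `restrict source` / `ntpsigndsocket` / `mssntp` directives are standard ntp.conf syntax:

```conf
# ---- host: /etc/ntp.conf (assumed path) ----
# This instance only disciplines the host clock. It answers nobody but
# loopback; "restrict default ignore" drops every unsolicited packet, and
# "restrict source" re-admits only replies from the servers listed below.
server 0.freebsd.pool.ntp.org iburst   # assumed upstream
server 1.freebsd.pool.ntp.org iburst   # assumed upstream
restrict default ignore
restrict source nomodify notrap noquery nopeer
restrict 127.0.0.1
restrict ::1
disable monitor

# ---- jail: /etc/ntp.conf inside the jail (assumed path) ----
# This instance is the one untrusted clients talk to. The jail cannot call
# settimeofday()/adjtime() on the host, so a compromise here cannot move the
# host clock; the restrict line lets clients ask for time and nothing else.
server 0.freebsd.pool.ntp.org iburst   # assumed upstream
server 1.freebsd.pool.ntp.org iburst   # assumed upstream
restrict default limited kod nomodify notrap nopeer noquery
restrict source  limited kod nomodify notrap noquery
restrict 127.0.0.1
restrict ::1
disable monitor

# Samba AD DC variant (case A): each DC jail gets its own ntpd with its own
# signing socket, so Windows clients of that domain get MS-SNTP signed replies.
# Socket directory is an assumption; Samba's "ntp signd socket directory"
# setting must point at the same place.
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default limited kod nomodify notrap nopeer noquery mssntp
```

With `noquery` on both instances the `ntpq`/`ntpdc` control channel is closed to remote hosts, which is also what keeps the jailed server from being usable for monlist-style amplification.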