A system with non-global zones shares one kernel across all zones (the global zone as well as all configured non-global zones). As a result, there is only one date/time on the entire setup, and this time is usually controlled by the global zone only. By default, the privilege to change the date and time is not available inside a non-global zone and therefore the NTP service will fail to adjust the time.
The default configuration for non-global zones assumes that the time synchronization is done in the global zone and that there is no need to adjust the system time from inside a non-global zone. If the administrator of a non-global zone is able to change the system time then these changes will affect all running zones (including the global zone) and this may be considered a security risk.
The time synchronization can be delegated to a non-global zone if required. Please keep in mind that multiple time adjustments from different sources will likely cause problems and that only one zone should run the NTP service. If you want to delegate the NTP synchronization to a non-global zone then it is recommended to disable the NTP service in the global zone.
As mentioned above, the ability to adjust the time is controlled by a Solaris privilege. The privilege is named sys_time, and its description can be viewed with the ppriv command:
# ppriv -lv sys_time
sys_time
        Allows a process to manipulate system time using any of the appropriate system calls: stime, adjtime, ntp_adjtime and the IA specific RTC calls.
If you are unsure whether the sys_time privilege is currently available to you, run the following command (as root) to check:
# ppriv -v $$ | grep sys_time
By default the command only shows output in the global zone and not in any non-global zone, because the sys_time privilege is not assigned to non-global zones by default. Starting with Solaris 10 Update 3 (11/06) the available privileges of a non-global zone can be changed by using the limitpriv option of the zonecfg command. In the default configuration the limitpriv setting is empty:
global-zone# zonecfg -z zonename info limitpriv
limitpriv:
If you want to add the sys_time privilege to a zone then you can use the zonecfg command to modify the property and reboot the zone to activate the change:
global-zone# zonecfg -z zonename set limitpriv="default,sys_time"
global-zone# zoneadm -z zonename reboot
Once the sys_time privilege is available in the non-global zone you can continue to set up NTP as usual, i.e. configure the /etc/ntp.conf file and enable the ntp service.
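Because any zone holding sys_time can change the clock for every zone, it is worth auditing which zones have been granted it. The following script is an added example, not part of the original page: it parses limitpriv values and lists the zones that hold sys_time. The function names, the zone names and the sample data are constructed, and the left-to-right handling of "!priv" / "-priv" exclusions is an assumption.

```shell
#!/bin/sh
# Added example: report which non-global zones have sys_time in limitpriv.

# Return 0 if a limitpriv value grants sys_time. Tokens are applied left to
# right; "!priv" or "-priv" removes a privilege (assumed evaluation order).
grants_sys_time() {
    granted=1
    old_ifs=$IFS; IFS=','
    set -f                      # no filename expansion while splitting
    for tok in $1; do
        case $(printf '%s' "$tok" | tr -d ' \t"') in
            sys_time) granted=0 ;;
            '!sys_time'|-sys_time) granted=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $granted
}

# Read "zonename limitpriv: value" lines on stdin; print zones holding sys_time.
audit_zones() {
    while read -r zone _label value; do
        [ -n "$zone" ] || continue
        if grants_sys_time "$value"; then printf '%s\n' "$zone"; fi
    done
}

# In a live global zone, build the same input from zoneadm and zonecfg.
live_input() {
    zoneadm list -c | while read -r z; do
        [ "$z" = global ] && continue
        printf '%s %s\n' "$z" "$(zonecfg -z "$z" info limitpriv)"
    done
}

# Constructed sample standing in for live_input output (hypothetical zones).
SAMPLE='web01 limitpriv:
ntp01 limitpriv: default,sys_time
db01 limitpriv: default,!sys_time
app01 limitpriv: default,dtrace_proc,sys_time'

holders=$(printf '%s\n' "$SAMPLE" | audit_zones)
count=$(printf '%s\n' "$holders" | grep -c .)
echo "zones with sys_time: $holders"
[ "$count" -le 1 ] || echo "WARNING: $count zones can set the shared system clock"
```

In the global zone, replace the sample pipeline with `live_input | audit_zones` to check the real configuration.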