[Samba] NTP doesn't work for Win2000 clients + Samba 4.0.4 (see tcpdump)

Andrew Bartlett abartlet at samba.org
Tue Apr 9 20:51:51 MDT 2013


On Tue, 2013-04-09 at 08:14 -0700, Gregory Sloop wrote:
> iM> I am using Samba 4.0.4 as AD DC on my test environment and
> iM> realized that all my W2k clients (default installation, no special
> iM> setups made on the clients) cannot receive the correct time of my
> iM> samba 4.0.4 AD domain controller. Windows XP and 7 work fine
> iM> though. The problem occurs at three W2k test clients I tried with.
> iM> The default behavior of Windows clients is to use the update type
> iM> "Nt5DS" which means that the client tries to get the time of its
> iM> domain controller. Unfortunately this fails for my W2k clients in
> iM> conjunction with Samba 4.0.4 and also an error in event log
> iM> appears, that says that the time couldn't be retrieved of my samba4
> iM> server "mysmb4srv.ad.mycompany.com".
> 
> iM> As soon as I execute on win2000 clients cmd prompt "net time
> iM> /setsntp:mysmb4srv.ad.mycompany.com" it works. This command causes
> iM> the registry entries under HKLM\System\Current Control
> iM> Set\Services\W32Time\Parameters to change the default behavior
> iM> from type=Nt5DS to type=NTP and adds a line "NTP
> iM> server=mysmb4srv.ad.mycompany.com". With this setting the time
> iM> sync works fine as soon as I restart the Windows Time Service. I
> iM> have logged the received ntp packets at samba4's side:
> 
> iM> Issue: Win2000 clients cannot update time through NTP of my samba 4.0.4 server which is installed
> iM> and configured like shown on the Samba4 HowTo (+NTP HowTo). Seems that the "Nt5DS" discovery mode
> iM> on win2000 clients doesn't interact fine with samba4 ??? Here are
> iM> the "tcpdump -vv udp port 123" logs
> 
> I'm sure someone will give you more data, but W2000 was completely out
> of maintenance mode, what, two+ years ago?
> 
> Making changes to the registry so it will use NTP for time updates is
> fairly easy - which will make it compatible with the AD server.
> 
> It would seem, to me at least, a bad use of resources to
> trouble-shoot/fix a Win2000 problem when there are workarounds and
> when Win2000 is not supported any more, and has multiple unpatched
> vulnerabilities.
> 
> Just my opinion of course.

I tend to agree.  The exception is that we do work to allow migration
from Windows 2000 servers (most folks go via temp 2003 installs, but it
has been known to work directly). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



