[Samba] Time sync not working with Windows 10

Mark Foley mfoley at ohprs.org
Sun Nov 22 02:04:09 UTC 2020


From: Mark Foley via samba <samba at lists.samba.org>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Subject: Re: [Samba] Time sync not working with Windows 10
Date: Thu, 19 Nov 2020 22:13:40 +0000

>
> On Wed, 18 Nov 2020 08:41:03 -0500 me at tdiehl.org wrote:
> >
> > On Wed, 18 Nov 2020, Mark Foley via samba wrote:
> >
> > > After our office upgraded to Windows 10, time sync stopped working with the Windows
> > > workstations. This used to work fine with Windows 7 and still works with linux domain members
> > > (although that's not surprising).
> > >
> > > The Windows 10 workstations ended up operating off the CMOS clock. We didn't notice this for a long
> > > time since the CMOS clock drift is slow, but after several months users started noticing up to
> > > +/-6 minutes difference between their computers and the *real* time.
> > >
> > > Going to 'Date & Time settings > Sync Now' always gives "Time synchronization failed".
> > >
> > > For Windows 7 workstations, several years ago, I followed the advice in
> > > https://www.meinbergglobal.com/english/info/ntp-w32time.htm which was to do the following on
> > > the Windows 7 workstations:
> > >
> > >
> > > w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> > > w32tm /config /update
> > >
> > > Check the configuration:
> > >
> > > w32tm /query /source
> > >
> > > This worked and time was in-sync on the WIN7 computers for many years.  I did this after
> > > upgrading/installing each Windows 10 workstation during 2019 Q4 and 2020 Q1, but apparently
> > > that didn't work.
> > >
> > > For the Windows 10 workstations I create the "Time Source" group policy per the instructions in
> > > https://wiki.samba.org/index.php/Time_Synchronisation. That didn't help either.
> > >
> > > Is it possible that the version of Samba I am using (Version 4.8.2) is too old for Windows 10?
> > > I could upgrade to 4.13.2, but that is in the "experimental" release of Slackware and may or
> > > may not install properly.
> >
> > I do not think 4.8.2 is too old for time sync to work with win 10. However
> > 4.8.2 is EOL as far as samba is concerned.
> >
> > A couple of weeks ago I was still running 4.8.x on 2 different AD domains
> > and time sync was working fine on all of the clients, including the win 10.
> >
> > I would suggest you have a look at https://wiki.samba.org/index.php/Time_Synchronisation
> > In particular make sure the symlink points to the correct place.
> >
> > After we upgraded the DC's to 4.12.x the symlinks got b0rked and that killed time sync
> > for us. Fixing the symlinks and restarting chronyd and samba fixed the problem.
> >
> > FWIW, there is no extra configuration required on windows domain members assuming
> > that the DC's are configured correctly. Just use w32tm /query /source to make sure
> > the clients are using one of the DC's to sync from. If they are not then there is
> > a problem with the DC configuration.
> >
> > Regards,
> >
> > -- 
> > Tom			me at tdiehl.org
> >
>
> Tom - thanks for your reply.  Question: on your Windows 10 workstation when you go to the Date
> & Time setting, what does it show for Time Server? After doing the steps described below on two
> of the WIN10 workstations, one shows "Time Server: unspecified" and the other shows "Local CMOS
> Clock". 
>
> Can you click on "Sync Now" and have it work? I continue to get "Time synchronization failed".
>
> I've put these questions up-front so they don't get buried below.
>
> Your post was useful (though things still don't appear to be completely working). I'm using
> ntpd, not chrony. Rechecking the
> https://wiki.samba.org/index.php/Time_Synchronisation link I noted that it said, "Requirements:
> ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support
> (--enable-ntp-signd)". I didn't know if my version of ntpd was compiled with --enable-ntp-signd.
>
> While trying to figure that out I came across the potentially very useful webpage
> https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain. It gave the following
> instruction to see where Samba wants to put the ntp_signd socket:
>
> # netstat -xpln | grep signd
> unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket
>
> This location is different from what the Samba wiki specified (/usr/local/samba/var/lib/ntp_signd),
> so I changed my ntp.conf to be the one found by netstat.
>
> That blog also advised adding "noquery" to the restrict config:
>
> restrict default kod limited nomodify notrap nopeer noquery mssntp
>
> His example had two lines with -4 and -6 after the "restrict" directive, respectively. I hope
> my not using those isn't a problem.
>
> Finally, the blog advised adding "listen":
>
> listen on 192.168.0.2
>
> This is the IP of the server running ntpd. Not sure why that would be needed, never was in the
> past, hope it doesn't hurt.
>
> I restarted ntpd and, according to the blog, checked syslog to confirm signd:
>
> Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.
>
> So, there's my first problem! My ntpd is not compiled with --enable-ntp-signd. So, I downloaded
> ntpd 4.2.8p15 (same version as I already have) from ntp.org and built it. Turns out that
> --enable-ntp-signd is not a default for that either, so I re-config'd:
>
> ../configure --enable-ntp-signd
>
> When I restarted and checked the syslog I now have:
>
> Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
>
> which is what the blog says should be there.
>
> However, as stated at top, the Windows 10 workstations are still not syncing. On 3 of the
> workstations I had manually set the time server to an external time server:
>
> w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update
>
> and on several others I manually set the time server to the Samba AD server, per my O.P.:
>
> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>
> Prior to fixing ntpd with signd the workstations set to the external server were syncing since
> the "Last successful time synchronization" kept updating. The ones set to the local Samba
> server were months out of date.
>
> In order to try and undo my manual settings, I did the following on both external time-sync and
> local Samba time-sync workstations:
>
> net stop w32time
> w32tm /unregister
> w32tm /register
> net start w32time
>
> and rebooted. That didn't help. Still not getting time to sync with Samba, and:
>
> w32tm /query /source
>
> still shows "Local CMOS Clock".
>
> My current ntp.conf is below. If you or anyone has any idea as to what could still be wrong,
> I'd greatly appreciate the help. This problem has been ongoing for several months.
>
> Below is my current ntp.conf:
> ----------------------------
> logfile /var/log/ntpd.log	# note, this file is empty!?
>
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst
> server  127.127.1.0     # local clock
> fudge   127.127.1.0 stratum 10
>
> driftfile /etc/ntp/drift
> ntpsigndsocket  /var/lib/samba/ntp_signd/socket
>
> listen on 192.168.0.2
>
> restrict default kod limited nomodify notrap nopeer noquery mssntp
>
> restrict 127.0.0.1
> restrict ::1
>
> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>

SOLVED!

The last problem was with my ntpsigndsocket setting. Based on the netstat command (described
above) I changed ntp.conf to:

ntpsigndsocket /var/lib/samba/ntp_signd/socket

The problem here is that "socket" from the netstat command is the actual socket. My setting
caused a sub-directory "socket" to be created. The solution was to change the setting to:

ntpsigndsocket  /var/lib/samba/ntp_signd

then stop ntp and samba and 'rm -r /var/lib/samba/ntp_signd' so Samba could create the
ntp_signd directory itself. All that remained was to undo the various experimental settings I
had done on the Windows 10 workstations. As admin on WIN10:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

On most workstations the net stop and net start failed and I had to reboot the workstations.

Of course, the Windows Group Policy had to be set according to the Samba wiki, but that had
already been done weeks ago. 

Whew! This has been a months-long struggle!

--Mark
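
Added example, not part of the original post: a small POSIX sh check for the two failure points described in this thread, the ntpsigndsocket path and the ntpd build, run on the DC against ntp.conf and the syslog file. The function names are hypothetical, and the path check assumes ntpd appends "/socket" to the ntpsigndsocket value, which is why the directive must name the directory rather than the socket file.

```shell
#!/bin/sh
# Added example: sanity-check ntpd's MS-SNTP signing setup on a Samba AD DC.
# Assumption: ntpd appends "/socket" to the ntpsigndsocket value, so the
# directive must name the directory Samba creates, not the socket file.

# Print the ntpsigndsocket value from an ntp.conf (last one wins, comments ignored).
signd_conf_path() {
    sed -e 's/#.*//' "$1" | awk '$1 == "ntpsigndsocket" { p = $2 } END { print p }'
}

# Classify the configured path. Prints one word; returns 0 only for "ok".
signd_check() {
    p=$(signd_conf_path "$1")
    p=${p%/}
    if [ -z "$p" ]; then echo "missing"; return 1; fi
    # The directive names the socket itself: ntpd would look for <socket>/socket.
    if [ -S "$p" ]; then echo "is-socket-file"; return 1; fi
    if [ -S "$p/socket" ]; then echo "ok"; return 0; fi
    # A directory literally called "socket" is the leftover described in the post.
    if [ -d "$p" ] && [ "${p##*/}" = "socket" ]; then
        echo "dir-named-socket"; return 1
    fi
    echo "no-socket"; return 1
}

# Report what the most recent ntpd start logged about signd support,
# using the two syslog messages quoted in the thread.
signd_log_status() {
    awk '/mssntp restrict bit ignored/ { s = "not-compiled" }
         /MS-SNTP signd operations/   { s = "signd-enabled" }
         END { print (s == "" ? "unknown" : s) }' "$1"
}

# Usage: script /etc/ntp.conf [syslog-file]
if [ "$#" -ge 1 ]; then
    echo "socket path: $(signd_check "$1")"
    if [ "$#" -ge 2 ]; then
        echo "ntpd build:  $(signd_log_status "$2")"
    fi
fi
```

"no-socket" on a path that is otherwise correct usually just means Samba is not running yet, since Samba creates the socket when it starts.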


