[Samba] DC Time Problems

Rowland Penny rpenny at samba.org
Wed Oct 25 18:26:24 UTC 2023


On Wed, 25 Oct 2023 11:10:57 -0700 (PDT)
James Browning via samba <samba at lists.samba.org> wrote:

> > On 10/25/2023 9:53 AM PDT Ham via samba <samba at lists.samba.org>
> > wrote:
> > 
> >  
> > It appears that none of our Windows clients are syncing their time
> > with the Samba DC. From what I can tell they are not able to get
> > a response from the DC.  For example, where the DC is named athena:
> > 
> >      >w32tm /monitor /computers:athena
> > 
> >     athena[10.10.1.10:123]
> > 
> >        ICMP: 0ms delay
> > 
> >        NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> > 
> >  From a Linux machine there is also no response:
> > 
> >     ntpdate -q athena
> >     24 Oct 16:47:41 ntpdate[33581]: no server suitable for
> >     synchronization found
> > 
> > 
> > Here is the DC /etc/ntpsec/ntp.conf:
> > 
> > # Where to retrieve the time from
> > server 0.pool.ntp.org     iburst prefer
> > server 1.pool.ntp.org     iburst prefer
> > server 2.pool.ntp.org     iburst prefer
> > 
> > driftfile       /var/lib/ntpsec/ntp.drift
> > logfile         /var/log/ntp.log
> > #logconfig =all
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> > 
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > #restrict default kod nomodify notrap nopeer limited mssntp
> > restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > 
> > 
> > My DC is using Debian 11 and the Samba package from Debian.
> > 
> > Any ideas on what the problem is?
> 
> The version of NTPsec that ships with Debian Bookworm has broken
> MS-SNTP support; no one here wants to help.

I wouldn't say that. I tried to help, but couldn't; I am sure that
someone else will be willing.

> I would suggest turning
> off the mssntp restrict in default before listening to the vitriolic
> shitstorm a couple of people here will unleash.

Whilst (it would seem) there was never a Linux ntp_signd client, NTP
worked with Windows and Samba AD DCs; ntpsec will not.

> 
> Or you can follow the bleating; using chrony and crapping on NTPsec.
> 

Samba needs something between the clients and DCs to set the time; at
the moment ntpsec doesn't do this.

Rowland
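
Added example, not part of the original thread or of Samba/NTPsec: a minimal unsigned NTP probe in Python that separates "no reply at all" (the timeouts shown by w32tm and ntpdate above) from a reply the client would reject, such as the kiss-of-death a `kod limited` restrict line can produce. The function names and the two sample packets are constructed for illustration; the probe sends a plain NTP request, not a signed MS-SNTP one.

```python
import socket
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_request(version=4):
    """48-byte unsigned client request: LI=0, VN=version, Mode=3, rest zero."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Decode the header fields that explain why a client rejects a reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    info = {
        "leap": first >> 6,               # 3 = server clock not synchronised
        "version": (first >> 3) & 7,
        "mode": first & 7,                # 4 = server
        "stratum": stratum,
        "kiss": None,
        "unix_time": None,
        "trailer_bytes": len(data) - 48,  # key id + MAC, if the reply is signed
    }
    if stratum == 0:
        # Kiss-of-death: the reference ID carries an ASCII code such as RATE
        info["kiss"] = data[12:16].decode("ascii", "replace")
    else:
        info["unix_time"] = tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32
    return info

def probe(host, timeout=1.0, port=123):
    """Send one request; return the parsed reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data)

# Constructed sample replies (not captured from any real server)
SAMPLE_OK = bytes([0x24, 2, 6, 0xEC]) + bytes(36) + struct.pack("!II", 3907247184, 0x80000000)
SAMPLE_KOD = bytes([0xE4, 0, 6, 0xEC]) + bytes(8) + b"RATE" + bytes(32)
```

A `None` from `probe()` matches the timeout seen in the thread and points at the daemon, its restrict rules or a firewall rather than at signing; a reply with `kiss` set or `leap` equal to 3 means the server answered but clients will not use it.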


