[Samba] DC Time Problems

Rowland Penny rpenny at samba.org
Wed Oct 25 18:33:21 UTC 2023


On Wed, 25 Oct 2023 11:25:14 -0700 (PDT)
James Browning via samba <samba at lists.samba.org> wrote:

> > On 10/25/2023 11:16 AM PDT Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> >  
> > On Wed, 25 Oct 2023 11:53:07 -0500
> > Ham via samba <samba at lists.samba.org> wrote:
> > 
> > > It appears that none of our Windows clients are syncing their time
> > > with the Samba DC. From what I can tell they are not able to
> > > get a response from the DC.  For example, where the DC is named
> > > athena:
> > > 
> > >      >w32tm /monitor /computers:athena
> > > 
> > >     athena[10.10.1.10:123]
> > > 
> > >        ICMP: 0ms delay
> > > 
> > >        NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> > > 
> > >  From a Linux machine there is also no response:
> > > 
> > >     ntpdate -q athena
> > >     24 Oct 16:47:41 ntpdate[33581]: no server suitable for synchronization found
> > > 
> > > 
> > > Here is the DC /etc/ntpsec/ntp.conf:
> > > 
> > > # Where to retrieve the time from
> > > server 0.pool.ntp.org     iburst prefer
> > > server 1.pool.ntp.org     iburst prefer
> > > server 2.pool.ntp.org     iburst prefer
> > > 
> > > driftfile       /var/lib/ntpsec/ntp.drift
> > > logfile         /var/log/ntp.log
> > > #logconfig =all
> > > ntpsigndsocket  /var/lib/samba/ntp_signd/
> > > 
> > > # Access control
> > > # Default restriction: Allow clients only to query the time
> > > #restrict default kod nomodify notrap nopeer limited mssntp
> > > restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> > > # No restrictions for "localhost"
> > > restrict 127.0.0.1
> > > # Enable the time sources to only provide time to this host
> > > restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > > restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > > restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > > 
> > > 
> > > My DC is using Debian 11 and the Samba package from Debian.
> > > 
> > > Any ideas on what the problem is?
> > > 
> > 
> > Yes, ntpsec has replaced ntp and they (ntpsec) seem to have broken
> > ntp_signd. They also do not seem to be able to fix it. I also found
> > out that when the code was written to connect ntp and Samba, a
> > Linux client was never written.
> > 
> > Just use Chrony.
> 
> The code to separate mssntp packets from everything else is back in,
> there are actually error logging messages now which no-one else seems
> to think are important. No, let's all crap on NTPsec because it's
> easier.
> 

If ntpsec is now working again with Samba AD, then great, but it
doesn't seem to have percolated down to Debian.

Rowland
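
The two checks in the quoted report (`w32tm /monitor` and `ntpdate -q`) both send an NTP client request to UDP port 123 and wait for a reply. The Python code below is an added example, not part of the thread: it runs the same probe and separates a timeout from a kiss-o'-death reply (which the `kod limited` flags on the restrict line can produce) and from a usable reply. It assumes a plain unsigned request rather than the signed MS-SNTP request a domain-joined Windows client sends, and the sample packets are constructed.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def build_request(version=4):
    """48-byte client request: LI=0, VN=version, Mode=3 (client)."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + bytes(47)

def parse_response(data):
    """Decode the header fields needed to judge whether a reply is usable."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    info = {
        "leap": first >> 6,
        "version": (first >> 3) & 7,
        "mode": first & 7,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }
    # Stratum 0 marks a kiss-o'-death packet; the reference ID field
    # then carries an ASCII code such as RATE or DENY.
    info["kiss"] = data[12:16].decode("ascii", "replace") if stratum == 0 else None
    # Leap indicator 3 means the server itself is not synchronised.
    info["usable"] = info["mode"] == 4 and info["leap"] != 3 and 1 <= stratum <= 15
    return info

def probe(host, timeout=1.0):
    """Return the parsed reply, or None on timeout (the failure in the report)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (host, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

# Constructed sample reply: LI=0, VN=4, Mode=4 (server), stratum 2.
SAMPLE_REPLY = bytes([0x24, 2]) + bytes(38) + struct.pack("!II", NTP_EPOCH_OFFSET + 1698258801, 0)
# Constructed kiss-o'-death reply: stratum 0 with reference ID "RATE".
SAMPLE_KOD = bytes([0x24, 0]) + bytes(10) + b"RATE" + bytes(32)
```

Calling `probe("athena")` from a client on the same network returns `None` for the timeout case described in the report; a `kiss` value in the result points at the rate limiting or access restrictions in ntp.conf rather than at a dead daemon.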


