[Samba] Joining Windows 10 Domain Member to Samba AD/DC

Luis Peromarta lperoma at icloud.com
Fri Feb 9 09:22:45 UTC 2024


Are your clients talking to the DCs re. Time at all?

This is an example in one of my DCs: Run tcpdump on your DC:

root@dwing:~# tcpdump  port 123 -v
tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:20:41.655081 IP (tos 0x0, ttl 128, id 32113, offset 0, flags [none], proto UDP (17), length 96)
    192.168.3.52.ntp > dwing.mad.mater.int.ntp: NTPv3, Client, length 68
	Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 17 (131072s), precision -23
	Root Delay: 0.017257, Root dispersion: 16.000000, Reference-ID: (unspec)
	  Reference Timestamp:  3916459101.490509499 (2024-02-09T09:18:21Z)
	  Originator Timestamp: 0.000000000
	  Receive Timestamp:    0.000000000
	  Transmit Timestamp:   3916459255.755510199 (2024-02-09T09:20:55Z)
	    Originator - Receive Timestamp:  0.000000000
	    Originator - Transmit Timestamp: 3916459255.755510199 (2024-02-09T09:20:55Z)
	Key id: 4010278912
	Authentication: 00000000000000000000000000000000
10:20:41.656262 IP (tos 0x0, ttl 64, id 43189, offset 0, flags [DF], proto UDP (17), length 96)
    dwing.mad.mater.int.ntp > 192.168.3.52.ntp: NTPv3, Server, length 68
	Leap indicator:  (0), Stratum 3 (secondary reference), poll 17 (131072s), precision -25
	Root Delay: 0.032394, Root dispersion: 0.002304, Reference-ID: 0x5e8f8bdb
	  Reference Timestamp:  3916458550.943342981 (2024-02-09T09:09:10Z)
	  Originator Timestamp: 3916459255.755510199 (2024-02-09T09:20:55Z)
	  Receive Timestamp:    3916459241.655292751 (2024-02-09T09:20:41Z)
	  Transmit Timestamp:   3916459241.655478940 (2024-02-09T09:20:41Z)
	    Originator - Receive Timestamp:  -14.100217447
	    Originator - Transmit Timestamp: -14.100031259
	Key id: 4010278912
	Authentication: 7a1ea93ca4a938744e51383001283caa

Might be worth examining that traffic for clues.

Regards, LP
On Feb 9, 2024 at 05:31 +0100, Mark Foley via samba <samba at lists.samba.org>, wrote:
> On Thu Jan 4 19:46:02 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > I've added a Windows 10 domain member to my Domain. I'm now following the
> > procedure in https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
> >
> > [deleted]
>
> The above references the first in a long thread I started having to do with
> getting a Windows domain member to time-sync with a new DC, Samba 4.18.9.
>
> None of my Windows domain members sync with the new domain controller.
>
> None of these same Windows workstations had any problem syncing with the previous
> Samba 4.8.2 DC which ran for the past 10-ish years.
>
> On the DC I've tried both chrony and ntp-4.2.8. In the ntp case I used the same
> 4.8.2 version on the old DC; in both cases built with --enable-ntp-signd.
>
> One possible issue was that these Windows domain members were unjoined from the
> 4.8.2 domain, rejoined to the new 4.18.9, and had Profwiz.exe run on each member
> to migrate the domain user's profile. None of that was done when they were
> first joined to the old 4.8.2 domain. One participant in this thread suggested
> I try joining a "virgin" Windows computer. I did that today with a scratch
> install of Windows 10.
>
> After joining the domain I got:
>
> w32tm /query /source
> Local CMOS Clock
>
> I was hoping for the FQDN of the DC: 'mail.hprs.local', like I used to get with
> Samba 4.8.2.
>
> This is the same thing I have been getting from the beginning with the new
> 4.18.9 DC. Several thread participants said I shouldn't need to do any group
> policies or anything special. Apparently in my case this is not true.
>
> Everything configured is strictly "vanilla". The DC was provisioned as:
>
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCAL --domain=HPRS \
> --server-role=dc --dns-backend=SAMBA_INTERNAL \
> --option=interfaces="lo eth0" --option="bind interfaces only=yes"
>
> Nothing else was done on the DC. The "test" Windows 10 computer was clean
> installed today, nothing left over from any previous domain joins or old domain
> user profiles.
>
> I've tried with and without a "Time Sources" GPO. At the moment, I have a GPO
> configured.
>
> There are only two differences I can identify between when this worked and when
> it did not:
>
> 1. It worked with Samba 4.8.2 and does not work with Samba 4.18.9.
>
> 2. Samba 4.8.2 was provisioned with --dns-backend=BIND9_FLATFILE and Samba
> 4.18.9 was provisioned with --dns-backend=SAMBA_INTERNAL.
>
> Those, I believe, are the only differences. Something must not be working
> correctly with Samba 4.18.9.
>
> As time-sync among domain members is supposed to be critical, I am about to get
> Microsoft involved.
>
> Before I do that (and before I retry a bunch of the w32tm commands), I'd like to
> see if any of the experts on this list have any additional suggestion.
>
> Thanks --Mark
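
The traffic check suggested above, automated as an added example (not part of the original thread): it reads `tcpdump port 123 -v` text and reports, per client, whether the DC answered and whether the answer carried a non-zero Authentication field. The sample capture, host names and values are constructed, and treating a non-zero authenticator as "signed" is an assumption taken from the shape of the capture shown in the message.

```python
import re

# Constructed capture shaped like `tcpdump port 123 -v` output (all values made up).
SAMPLE = """\
10:20:41.655081 IP (tos 0x0, ttl 128, id 1, offset 0, flags [none], proto UDP (17), length 96)
    192.0.2.52.ntp > dc1.example.test.ntp: NTPv3, Client, length 68
\tKey id: 1111
\tAuthentication: 00000000000000000000000000000000
10:20:41.656262 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 96)
    dc1.example.test.ntp > 192.0.2.52.ntp: NTPv3, Server, length 68
\tKey id: 1111
\tAuthentication: 0123456789abcdef0123456789abcdef
10:21:05.100000 IP (tos 0x0, ttl 128, id 3, offset 0, flags [none], proto UDP (17), length 96)
    192.0.2.77.ntp > dc1.example.test.ntp: NTPv3, Client, length 68
\tKey id: 2222
\tAuthentication: 00000000000000000000000000000000
"""

HDR = re.compile(r"^\s+(\S+)\.ntp > (\S+)\.ntp: NTPv\d, (Client|Server), length \d+")
FIELD = re.compile(r"^\s+(Key id|Authentication): (\w+)")

def parse(text):
    packets = []  # one dict per NTP packet, in capture order
    for line in text.splitlines():
        if m := HDR.match(line):
            packets.append({"src": m[1], "dst": m[2], "mode": m[3]})
        elif packets and (m := FIELD.match(line)):
            packets[-1][m[1]] = m[2]
    return packets

def diagnose(text):
    """Map each client seen in the capture to what the DC did with its request."""
    verdicts, pending = {}, {}
    for p in parse(text):
        if p["mode"] == "Client":
            pending[p["src"]] = p
            verdicts[p["src"]] = "no reply from DC"
        elif p["dst"] in pending:
            req, auth = pending.pop(p["dst"]), p.get("Authentication", "")
            if "Key id" not in req:
                verdicts[p["dst"]] = "plain NTP, client did not ask for signing"
            elif not auth.strip("0"):
                verdicts[p["dst"]] = "reply not signed"
            else:
                verdicts[p["dst"]] = "signed reply"
    return verdicts

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A client that never appears in the result sent nothing to port 123 on the DC during the capture, which points at the client's time source configuration rather than at the DC's NTP daemon.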

