[Samba] Joining Windows 10 Domain Member to Samba AD/DC

Mark Foley mfoley at novatec-inc.com
Sat Feb 10 19:19:00 UTC 2024


On Sat Feb 10 04:36:35 2024 Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> Hi Mark,
>
> The NTP requests from linux hosts to time servers do not contain extra 
> fields, just the basic fields that are required. Windows clients tack 
> another 20 bytes to the NTP request. See the following article from M$:
>
> https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sntp/824d0b97-59e7-405c-8e0d-7b18b6304d10
>
> chrony should work without any problems. Below, I have listed the 
> contents of my chrony.conf file, just for comparison. This configuration 
> works in several domains at the moment. I do not use any chrony keys, 
> though there is an empty file. The file is owned by root:_chrony 0640.
>
> You will probably need to assign user _chrony and group _chrony. 
> /var/lib/chrony is owned by _chrony:_chrony 0750. There is also 
> /var/run/chrony owned by _chrony:_chrony 0700.
>
> Hope that you sort it out.
>
> Peter
>
>
> # Welcome to the chrony configuration file. See chrony.conf(5) for more
> # information about usable directives.
>
> # Include configuration files found in /etc/chrony/conf.d.
> confdir /etc/chrony/conf.d
>
> # Use Debian vendor zone.
> pool 2.debian.pool.ntp.org iburst
>
> # Use time sources from DHCP.
> sourcedir /run/chrony-dhcp
>
> # Use NTP sources found in /etc/chrony/sources.d.
> sourcedir /etc/chrony/sources.d
>
> # This directive specify the location of the file containing ID/key pairs for
> # NTP authentication.
> keyfile /etc/chrony/chrony.keys
>
> # This directive specify the file into which chronyd will store the rate
> # information.
> driftfile /var/lib/chrony/chrony.drift
>
> # Save NTS keys and cookies.
> ntsdumpdir /var/lib/chrony
>
> # Uncomment the following line to turn logging on.
> #log tracking measurements statistics
>
> # Log files location.
> logdir /var/log/chrony
>
> # Stop bad estimates upsetting machine clock.
> maxupdateskew 100.0
>
> # This directive enables kernel synchronisation (every 11 minutes) of the
> # real-time clock. Note that it can't be used along with the 'rtcfile' directive.
> rtcsync
>
> # Step the system clock instead of slewing it if the adjustment is larger than
> # one second, but only in the first three clock updates.
> makestep 1 3
>
> # Get TAI-UTC offset and leap seconds from the system tz database.
> # This directive must be commented out when using time sources serving
> # leap-smeared time.
> leapsectz right/UTC
>
> bindcmdaddress 172.16.0.100
>
> allow 172.16.0.0/24
>
> ntpsigndsocket  /var/lib/samba/ntp_signd
>

Thanks Peter. It's clear that ntpd is not responding to the signing requests from
the Windows computers, though I am certain I built it with --enable-ntp-signd.
Unfortunately, there is no way to verify it was built that way.

However, chrony just isn't working for me. Here's my /etc/chrony/chrony.conf:

----------------------------
bindcmdaddress 192.168.0.2

server 0.pool.ntp.org     iburst
server 1.pool.ntp.org     iburst
server 2.pool.ntp.org     iburst

allow 192.168.0.0/24
logdir /var/log/chrony
keyfile /etc/chrony/chrony.keys
makestep 1 3
hwclockfile /etc/adjtime
ntpsigndsocket  /var/lib/samba/ntp_signd
-----------------------------

/var/lib/samba/ntp_signd is owned by group chrony. Its timestamp is unchanged
after starting chrony.

/var/lib/chrony is owned by chrony.chrony.
/var/run/chrony owned by chrony.chrony.

I start chrony with:

/usr/sbin/chronyd -f /etc/chrony/chrony.conf

chrony responds fine to the pool.ntp.org servers, but running tcpdump shows
that chrony simply doesn't respond to queries from the Windows domain members:

# tcpdump -v -l -i eth0 port 123
13:37:05.687333 IP (tos 0x0, ttl 128, id 13312, offset 0, flags [none], proto UDP (17), length 96)
    192.168.0.52.ntp > mail.hprs.local.ntp: NTPv3, Client, length 68
        Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 7 (128s), precision -23
        Root Delay: 0.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
          Reference Timestamp:  3916134665.288999699 (2024-02-05T15:11:05Z)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3916579000.023001399 (2024-02-10T18:36:40Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3916579000.023001399 (2024-02-10T18:36:40Z)
        Key id: 1694760960
        Authentication: 00000000000000000000000000000000

The "Key id:" and "Authentication:" fields have to do with the ntp-signd
authentication. chrony sends no response back to 192.168.0.52 or any other
Windows computer.

Is there something wrong with my config?

Does chrony have to be built in some special way to enable ntp-signd?

If you run 'tcpdump -v -l -i ethX port 123' on your DC, does it show sending a
response back to your Windows computers?

Thanks --Mark
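As an added illustration (not code from either poster), the parser below reads a raw NTPv3 client packet and reports whether it carries the 20-byte trailer the thread is about: the 4-byte key identifier plus the 16-byte authenticator that a Windows domain member sends zeroed, expecting the DC to sign the reply via ntp_signd. The sample packet is constructed from the field values in Mark's tcpdump output; the NTP timestamp fractions are derived from the printed decimals and are an assumption.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NTP_HEADER_LEN = 48
MS_SNTP_TRAILER_LEN = 20   # 4-byte key identifier + 16-byte authenticator


@dataclass
class NtpRequest:
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    key_id: Optional[int]          # None for a plain 48-byte request
    authenticator: Optional[bytes]
    signed_request: bool           # True when the MS-SNTP trailer is present


def parse_ntp_request(pkt: bytes) -> NtpRequest:
    """Parse the fixed NTP header and detect the MS-SNTP signing trailer."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", pkt[:4])
    key_id = authenticator = None
    signed_request = False
    tail = pkt[NTP_HEADER_LEN:]
    if len(tail) == MS_SNTP_TRAILER_LEN:
        key_id = struct.unpack("!I", tail[:4])[0]
        authenticator = tail[4:]
        # The Windows client leaves the authenticator zeroed; the DC (chrony or
        # ntpd handing the packet to Samba's ntp_signd) fills it in on the reply.
        signed_request = authenticator == bytes(16)
    return NtpRequest(li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7,
                      stratum, poll, precision, key_id, authenticator, signed_request)


def build_sample_request() -> bytes:
    """Constructed packet using the values shown in the capture above."""
    header = struct.pack("!BBBb", (3 << 6) | (3 << 3) | 3, 0, 7, -23)  # LI=3, v3, client
    header += struct.pack("!II", 0, 0x00010000)      # root delay 0, root dispersion 1.0
    header += bytes(4)                               # reference ID (unspec)
    header += struct.pack("!II", 3916134665, int(0.288999699 * 2**32))  # reference ts
    header += bytes(16)                              # originate + receive timestamps = 0
    header += struct.pack("!II", 3916579000, int(0.023001399 * 2**32))  # transmit ts
    trailer = struct.pack("!I", 1694760960) + bytes(16)  # key id + zero authenticator
    return header + trailer
```

Feeding the same function the bytes of a reply captured on the wire is a quick way to confirm whether the DC actually signed it: a reply whose authenticator is still all zeros means ntp_signd never filled it in.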
