2 PDC + Time Sync (ntp) problem

Daniele Dario d.dario76 at gmail.com
Fri Dec 12 08:07:34 MST 2014


Hi Michał,

On ven, 2014-12-12 at 14:28 +0100, Michał Półrolniczak wrote:
> I'm using samba 4.1.6-Ubuntu from repo (14.04.01)
> arne is PDC with SYSVOL (192.168.0.4)
> melanippe is Backup PDC with rsync (from wiki) replication of SYSVOL (192.168.0.5)
> any modification to AD is made by arne
> domain is: domain.local
> 
> Windows clients don't sync time from PDC (arne)
> when running: w32tm /resync I'm getting "Access Denied. (0x80070005)"
> w32tm /monitor I'm getting
> MELANIPPE.domain.local *** PDC ***[192.168.0.5:123]:
> ICMP: 0ms delay
> NTP: error ERROR_TIMEOUT - no respond from server for 1000ms
> arne.domain.local *** PDC ***[192.168.0.4:123]:
> ICMP: 0ms delay
> NTP: +9.2623479s shift from MELANIPPE.domain.local
> RefID: (here is some strange host name with ip not from my pool)
> Layer: 3
> Warning:
> Reverse dns it optimal for the solution. (sorry, I'm using a translator
> to give you English messages)
> 
> So looking into the problem I:
> nslookup arne.domain.local
> (root) ??? unnow type 41 ???
> Server: UnKnow
> Address: 192.168.0.4
> Name: arne.domain.local
> Address: 192.168.0.4
> 
> nslookup 192.168.0.4
> (root) ??? unnow type 41 ???
> Server: UnKnow
> Address: 192.168.0.4
> (root) ??? unnow type 41 ???
> *** No records availble internal type for both IPv4 and IPv6 Addresses 
> (A+AAAA) for 192.168.0.4
> 
> Same goes for 192.168.0.5
> I'm using the built-in DNS (not bind), ntp 4.2.6.p5+dfsg-3ubuntu2
> Using DNS Manager from Windows Admin Tools I'm getting an empty Reverse DNS
> 
> arne: cat /etc/ntp.conf
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
> 
> driftfile       /var/lib/ntp/ntp.drift
> logfile         /var/log/ntp
> ntpsigndsocket  /var/lib/ntp_signd/
> 
> server 0.pl.pool.ntp.org        iburst pref
> restrict default kod nomodify notrap nopeer mssntp
> 
> restrict 127.0.0.1
> 
> restrict 0.pl.pool.ntp.org      mask 255.255.255.255    nomodify notrap nopeer noquery
> 
> 
> melanippe: cat /etc/ntp.conf
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
> 
> server arne.domain.local  iburst prefer
> 
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> 
> restrict default kod nomodify notrap nopeer mssntp
> 
> restrict 127.0.0.1
> 
> restrict arne.domain.local        mask 255.255.255.255    nomodify notrap nopeer noquery

From what I know you have to manually create the reverse DNS zone. You
can do it using samba-tool dns zonecreate <server> <zone> or using DNS
manager from Windows Admin Tools. Then you need to populate the zone by
adding your hosts (again
samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
or using DNS manager from Windows Admin Tools).

About ntp: I'm not using samba from the ubuntu/debian package but I compiled
it myself, so paths are different. In my case ntpsigndsocket is
in /usr/local/samba/var/run/ntp_signd/ and I had to
modify /etc/apparmor.d/usr.sbin.ntpd adding

...
  # for signed ntp requests
  /usr/local/samba/var/run/ntp_signd/** rw,
  /usr/local/samba/var/run/ntp_signd/ rw,
...

and reload apparmor profiles

Another thing (but not sure if relevant 'cause can't find anything to
prove it) is that on ntp.conf of "master" DC I added the line
broadcast BROADCAST_ADDRESS_OF_YOUR_LAN (e.g. 192.168.0.255)

Hope this helps,
Daniele.
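
The reverse-zone procedure described in the reply, as an added example that is not part of the original message: it derives the in-addr.arpa zone and PTR record names for the two DCs in the thread and prints the matching samba-tool commands instead of running them. The octet-aligned prefix lengths, the use of arne.domain.local as the DNS server and the -U Administrator account are assumptions.

```shell
#!/bin/sh
# Added example: derive reverse-zone and PTR names for samba-tool dns.
# Assumptions: IPv4 only, octet-aligned prefix (8, 16 or 24),
# DNS server arne.domain.local, admin account "Administrator".

# Succeeds only for a dotted quad with every octet in 0..255.
valid_ip() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# reverse_zone IP PREFIX -> zone name, e.g. 0.168.192.in-addr.arpa
reverse_zone() {
    valid_ip "$1" || return 1
    case "$2" in
        8)  echo "$1" | awk -F. '{ print $1 ".in-addr.arpa" }' ;;
        16) echo "$1" | awk -F. '{ print $2 "." $1 ".in-addr.arpa" }' ;;
        24) echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }' ;;
        *)  return 1 ;;   # non-octet prefixes need classless delegation
    esac
}

# ptr_name IP PREFIX -> record name relative to the zone (host octets reversed)
ptr_name() {
    valid_ip "$1" || return 1
    case "$2" in
        8)  echo "$1" | awk -F. '{ print $4 "." $3 "." $2 }' ;;
        16) echo "$1" | awk -F. '{ print $4 "." $3 }' ;;
        24) echo "$1" | awk -F. '{ print $4 }' ;;
        *)  return 1 ;;
    esac
}

# ptr_command SERVER IP PREFIX FQDN -> the "samba-tool dns add" line for one host
ptr_command() {
    zone=$(reverse_zone "$2" "$3") || return 1
    name=$(ptr_name "$2" "$3") || return 1
    echo "samba-tool dns add $1 $zone $name PTR $4 -U Administrator"
}

# Print the commands for the two DCs named in the thread.
plan() {
    echo "samba-tool dns zonecreate arne.domain.local $(reverse_zone 192.168.0.4 24) -U Administrator"
    ptr_command arne.domain.local 192.168.0.4 24 arne.domain.local
    ptr_command arne.domain.local 192.168.0.5 24 melanippe.domain.local
}
plan
```

After running the printed commands, nslookup 192.168.0.4 against the DC should return the PTR name instead of the "no records" error quoted above.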


