[Samba] Samba4: W2k c­lients cannot set / sync ­time with samba4 AD DC

[L.P.H. van Belle]

Just hack the registry entry,
 
on the pc's policies add  "DOMAIN\Domain Users" to allow to sync time.
Under, Computer policy, Windows settings, Security, Local .. , user rights,  "systemtime change" 

With windows it works, because the time sync is done on pc level, not user level as far as i know
( how the homegroups work withing Windows 7 )  

and even better, add change the "time.windows.com" in time to ntp.yoursamba4server.local 
you can do this with registry level, then your always ok. 


Louis
 

>-----Oorspronkelijk bericht-----
>Van: micromegas at mail333.com 
>[mailto:samba-bounces at lists.samba.org] Namens ?icro MEGAS
>Verzonden: donderdag 25 april 2013 10:48
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] Samba4: W2k c­lients cannot set / sync 
>­time with samba4 AD DC
>
>Hello,
>
>I HAVE sniffed the network traffic for this w2k client and
> provided the link via paste.ubuntu.com, so everybody can look inside 
>that without the need 
>of extra-tools like wireshark. And as I realized you have looked into 
>that sniffed result output. I did it this way, because I work on an 
>isolated test env which I cannot access through my computers 
>and do file
> transfers. And I dont have wireshark installed on samba4 host, so I 
>would not be able to transfer the .pcap file to my computer and upload 
>it. But if you really prefer a .PCAP sniff of tcpdump I could do that, 
>have to do some prerequisites for that network/switch to be able to 
>transfer these files additionally to my computer.
>
>> Finally, I would ask that you help yourself:
>
>> 
>> 08:28:00.436507 IP 172.16.200.66.3557 > 
>samba4srv.mysite.com.ntp: NTPv2,
>
>> Client, length 68
>
>> 08:28:00.436576 IP samba4srv.mysite.com > 172.16.200.66: 
>ICMP samba4srv
>
>> .mysite.com udp port ntp unreachable, length 104
>
>> 
>> Is the NTP server set up correctly?  If the clients can't contact the
>
>> NTP server, then it doesn't surprise me that they can't use it.
>
>Well, the NTP server on samba4 server is definitely (!) up and 
>running. I can triple-check that by "ps", "netstat" and of course by 
>getting the time of all my other clients (winxp, win7, linux, unix) so 
>NTP server is definitely running on samba4 host.
>
>> 08:28:00.436576 IP samba4srv.mysite.com > 172.16.200.66: 
>ICMP samba4srv
>
>> .mysite.com udp port ntp unreachable, length 104
>
>This was the last packet as I posted. Looks like samba4srv tried
> to reach the UDP:123 of w2k client, which of course will fail 
>as no NTP
> server is running on w2k client side? I cannot explain that, but I 
>definitely know that the NTP daemon is running fine on samba4 side.
>
>> I also don't understand why you can't use any number of other tools
>
>> (such as free NTP clients or forcing the NTP server with a script or
>
>> policy) to set the time for this specific deployment.
>
>Because I would prefer the raw way, as I would suppose from a 
>Microsoft client to do. The inital problem was, that w2k 
>clients are not
> able to perform dynamic updates, and one point that can cause this 
>error is that the w2k is not in time sync with its associated domain 
>controller (as it was in my case). I haved red carefully many tech and 
>white papers of Microsoft which explains that W2k clients are not 
>restricted on any way to do them because they CAN. But the problem is 
>TIME DIFFERENCE. So I have to focus on this time sync issue, 
>else I will
> not be able to do the final samba4 migration. As I said, I 
>have lots of
> W2k clients in prod. environment and one would expect that they can 
>sync their time. They can if a Microsoft Windows Server is 
>used. So why 
>the need to install, deploy or whatever, a 3rd party tool when 
>it should
> work on raw way normally?
>
>Cheers,
>Lucas.
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>