[Samba] Correct NTP Settings for Samba 4.0.6?

Andrew Martin amartin at xes-inc.com
Thu Aug 1 09:06:38 MDT 2013



----- Original Message -----
> From: "Jason MacChesney" <jason.macchesney at ecacs16.ab.ca>
> To: "Andrew Martin" <amartin at xes-inc.com>
> Cc: "Thomas Simmons" <twsnnva at gmail.com>, samba at lists.samba.org
> Sent: Wednesday, July 31, 2013 2:24:35 PM
> Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> 
> Hi Andrew, I've been struggling silently with this for quite a while.
> With pretty much an identical set-up (save for my W7 machines being
> handled by Virtual Box) I'm at my wit's end. A tcpdump initially
> revealed that the server with Samba4(.0.7) and NTP was being sent
> packets, but never returning them. Similarly, a Linux box was caught
> in stratum 16. Both of these problems were resolved after amending
> the ntp.conf file to allow IPs from a specified subnet. So in my
> case:
> restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
> 
> 
> Now I get this:
> 
> C:\Users\administrator>w32tm /monitor
> sambaf.sambafour. LOCAL *** PDC ***[ 192.168.1.131:123 ]:
> ICMP: 0ms delay
> NTP: +0.0000000s offset from sambaf.sambafour. LOCAL
> RefID: mx2.trentu.ca [192.75.12.11]
> Stratum: 3
> Warning:
> Reverse name resolution is best effort. It may not be
> correct since RefID field in time packets differs across
> NTP implementations and may not be using IP addresses.
> 
> 
> BUT, I still get this:
> 
> C:\Users\administrator>w32tm /resync /rediscover
> Sending resync command to local computer
> The computer did not resync because no time data was available.
> C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
> The command completed successfully.
> C:\Users\administrator>w32tm /query /source
> Local CMOS Clock
> 
> 
> Tried it all. Disabled Windows firewalls, set iptables, net
> stop/start, register/unregister, included the signdsocket directory
> in both the smb and ntp configuration files.
> I'm really surprised to hear that you received mixed results based on
> how you launched the ntp service. I've had no such luck.
> So I'm pretty baffled. Time drift is potentially a massive issue
> where we deploy machines due to PEBKAC. I hate to piggyback on an
> issue, but any insight anyone might have would be appreciated.
> 
> On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin <amartin at xes-inc.com> wrote:
> 
> 
> 
> ----- Original Message -----
> > From: "Thomas Simmons" <twsnnva at gmail.com>
> > To: "Andrew Martin" <amartin at xes-inc.com>
> > Cc: samba at lists.samba.org
> > Sent: Saturday, July 27, 2013 7:07:59 PM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > 
> > Your Windows client is not able to access the NTP server, which is why
> > w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no
> > response from server in 1000ms" error when running w32tm /monitor.
> > Why? I can't say. Can you set up a Linux box to use this server for NTP
> > and run ntpdate as a test? I've seen this when there is a flaky network
> > connection (traffic, wifi, or when the DC is a VMware VM under certain
> > situations). Your DC is not a VM, is it?
> > 
> > 
> > On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin <amartin at xes-inc.com> wrote:
> > 
> > > ----- Original Message -----
> > > > From: "Andrew Martin" < amartin at xes-inc.com >
> > > > To: "Thomas Simmons" < twsnnva at gmail.com >
> > > > Cc: samba at lists.samba.org
> > > > Sent: Saturday, July 27, 2013 2:31:21 PM
> > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > > > Cc: samba at lists.samba.org
> > > > > Sent: Saturday, July 27, 2013 12:26:57 PM
> > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > 
> > > > > Running "w32tm /config /update /syncfromflags:DOMHIER && net stop
> > > > > w32time && net start w32time" should make the client query the
> > > > > directory for its time server. You can verify the configuration
> > > > > with "w32tm /query /configuration" and look for the "Type" to be
> > > > > NT5DS. This means it's using AD. You can also run w32tm /monitor
> > > > > and the Windows time service will go through the process of
> > > > > querying the directory to find a time server, then verify it's
> > > > > accessible. If that works, all is working. I found w32tm /monitor
> > > > > will fail if you have your domain functional level at 2008 or
> > > > > 2008_R2. I don't know if this is a bug in Samba as I haven't had
> > > > > time to test against a real 2008+ server. Just know it's to be
> > > > > expected.
> > > > > 
> > > > > 
> > > > > On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amartin at xes-inc.com> wrote:
> > > > > 
> > > > > > ----- Original Message -----
> > > > > > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > > > > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > > > > > Cc: samba at lists.samba.org
> > > > > > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > 
> > > > > > > 
> > > > > > > The ls -l command you ran shows the ntp_signd directory is
> > > > > > > empty, so it looks like samba is not creating the socket (at
> > > > > > > least in that location). Do you have the "ntp signd socket
> > > > > > > directory" option in your smb.conf? If not, try manually
> > > > > > > adding it to smb.conf:
> > > > > > > 
> > > > > > > ntp signd socket directory = /var/run/samba/ntp_signd
> > > > > > > 
> > > > > > > Apart from that, my suggestion would be to stop apparmor and
> > > > > > > iptables for testing and run ntp and samba with verbose logging
> > > > > > > on and see what it says. Also, what does "w32tm /query /source"
> > > > > > > and "w32tm /monitor" show on the client?
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > > > > > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > > > > > > Cc: samba at lists.samba.org
> > > > > > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > > 
> > > > > > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Hello,
> > > > > > > > 
> > > > > > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running
> > > > > > > > it on Ubuntu 12.04. I followed the instructions on the Samba
> > > > > > > > wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for
> > > > > > > > how to configure ntp, however the domain clients are rejecting
> > > > > > > > the DCs as being acceptable time sources. Below is my ntp.conf:
> > > > > > > > 
> > > > > > > > server 127.127.1.0
> > > > > > > > fudge 127.127.1.0 stratum 10
> > > > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > > > logfile /var/log/ntp
> > > > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > > > restrict 127.0.0.1
> > > > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > 
> > > > > > > > Using Ubuntu, I am not using SELinux. I do not believe there
> > > > > > > > to be any problems with apparmor, as it contains these lines
> > > > > > > > in /etc/apparmor.d/usr.sbin.ntpd:
> > > > > > > > # samba4 ntp signing socket
> > > > > > > > /{,var/}run/samba/ntp_signd/socket rw,
> > > > > > > > 
> > > > > > > > What is the correct procedure for configuring NTP for a
> > > > > > > > Samba4 AD DC?
> > > > > > > > 
> > > > > > > > Thanks,
> > > > > > > > 
> > > > > > > > Andrew
> > > > > > > > 
> > > > > > > > 
> > > > > > > > When you compiled Samba, did you not use the standard install
> > > > > > > > path (/usr/local/samba) or did you add an entry in smb.conf
> > > > > > > > to use /var/run/samba/ntp_signd for the socket?
> > > > > > > > 
> > > > > > > Thomas,
> > > > > > > 
> > > > > > > When compiling Samba, I specified custom paths to be in line
> > > > > > > with Debian's conventions for file locations:
> > > > > > > conf_args = \
> > > > > > > --prefix=/usr \
> > > > > > > --enable-fhs \
> > > > > > > --sysconfdir=/etc \
> > > > > > > --localstatedir=/var \
> > > > > > > --with-privatedir=/var/lib/samba/private \
> > > > > > > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > > > > > > --with-piddir=/var/run/samba \
> > > > > > > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > > > > > > --with-pam \
> > > > > > > --with-syslog \
> > > > > > > --with-utmp \
> > > > > > > --with-pam_smbpass \
> > > > > > > --with-winbind \
> > > > > > > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > > > > > > --with-automount \
> > > > > > > --with-ldap \
> > > > > > > --with-ads \
> > > > > > > --with-dnsupdate \
> > > > > > > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > > > > > > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > > > > > > --datadir=/usr/share \
> > > > > > > --with-lockdir=/var/run/samba \
> > > > > > > --with-statedir=/var/lib/samba \
> > > > > > > --with-cachedir=/var/cache/samba \
> > > > > > > --disable-avahi \
> > > > > > > --with-ctdb=/usr \
> > > > > > > --disable-rpath \
> > > > > > > --disable-ntdb \
> > > > > > > --disable-rpath-install \
> > > > > > > --bundled-libraries=NONE,pytevent,iniparser \
> > > > > > > --builtin-libraries=replace,ccan \
> > > > > > > --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > > > > > > --without-getpass-replacement \
> > > > > > > --enable-debug
> > > > > > > 
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > 
> > > > > > > Andrew
> > > > > > > 
> > > > > > > 
> > > > > > Thomas,
> > > > > > 
> > > > > > Adding that parameter to the smb.conf file, as well as removing
> > > > > > the ntp_signd directory so that samba itself could create it
> > > > > > appears to have worked:
> > > > > > root at dc0:/# ls -l /var/run/samba/ntp_signd/
> > > > > > total 0
> > > > > > srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
> > > > > > 
> > > > > > I also needed a few extra lines in ntp.conf, otherwise the
> > > > > > Windows client would fail with the error "The computer did not
> > > > > > resync because no time data was available":
> > > > > > server 0.us.pool.ntp.org
> > > > > > server 1.us.pool.ntp.org
> > > > > > server 2.us.pool.ntp.org
> > > > > > server 3.us.pool.ntp.org
> > > > > > server 127.127.1.0
> > > > > > fudge 127.127.1.0 stratum 10
> > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > logfile /var/log/ntp
> > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > restrict 127.0.0.1
> > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > 
> > > > > > 
> > > > > > Do the Windows clients prefer ntp information from the DHCP
> > > > > > lease, or from the DC that they are connected to? My DHCP
> > > > > > configuration currently is using an old NTP server until I get
> > > > > > Samba4's NTP up and running. Thus, when I run w32tm /query /source
> > > > > > on the client, it still shows the old server. I ran the following
> > > > > > command to manually set it to one of the DCs:
> > > > > > w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
> > > > > > 
> > > > > > Then, running w32tm /resync succeeds and w32tm /query /source
> > > > > > lists dc0 as the NTP source.
> > > > > > 
> > > > > > Are there any other tests I should run to verify that NTP is
> > > > > > working correctly?
> > > > > > 
> > > > > > Thanks,
> > > > > > 
> > > > > > Andrew
> > > > > > 
> > > > > 
> > > > 
> > > > Thomas,
> > > > 
> > > > After following your instructions, I have verified that the type is
> > > > listed as NT5DS. Thanks again for your help in getting this working!
> > > > 
> > > > Regarding DHCP settings, is it okay to have the DHCP lease push out
> > > > NTP settings (e.g. they'll just get overridden by the DC), or should
> > > > I completely remove NTP settings in dhcpd.conf for all domain
> > > > members?
> > > > 
> > > > Thanks,
> > > > 
> > > > Andrew
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> > > > 
> > > 
> > > Thomas,
> > > 
> > > I now notice that w32tm /resync does not work, failing with the error
> > > "The computer did not resync because no time data was available". As
> > > I mentioned in my last message, w32tm /monitor correctly shows all 3
> > > of my Samba4 DCs (although one of them is currently offline):
> > > dc0.mydomain.com *** PDC ***[ 192.168.0.101:123 ]:
> > > ICMP: 0ms delay
> > > NTP: +0.0000000s offset from dc0.x-es.com
> > > RefID: vimo.dorui.net [97.107.128.58]
> > > Stratum: 4
> > > 
> > > DC1.mydomain.com *** PDC ***[ 192.168.0.102:123 ]:
> > > ICMP: 0ms delay
> > > NTP: +0.0049947s offset from dc0.x-es.com
> > > RefID: 'INIT' [0x54494E49]
> > > Stratum: 0
> > > 
> > > DCT.mydomain.com *** PDC ***[ 192.168.0.103:123 ]:
> > > ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
> > > NTP: ERROR_TIMEOUT - no response from server in 1000ms
> > > 
> > > Does the w32tm /resync command simply not operate correctly in a
> > > domain environment (even though it returns an error, domain time sync
> > > is working)?
> > > 
> > > Thanks,
> > > 
> > > Andrew
> > > 
> > 
> Thomas,
> 
> The "NTP: ERROR_TIMEOUT - no response from server in 1000ms" error
> from my previous message only occurred on 1 of 3 DCs, dct, because it
> is currently offline. I verified with "w32tm /query /source" that the
> Windows client I am using is connecting to dc1, which is online. The
> default parameters that ntpd is run with on dc1 are:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:113
> 
> 106 and 113 are the ntp user and ntp group respectively. Running
> several variations of these arguments, I find that the Windows client
> can sync without error (using w32tm /resync) when the following
> arguments are used:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g (running as root:root)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106 (running as the ntp user but not specifying the group)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 0:113 (running as root:ntp)
> 
> However, running with "-g 106:113" causes the Windows client to be
> unable to connect. A Linux client running ntpdate can connect under
> all of these circumstances. Running ntpd in the foreground did not
> print any errors or differing messages when run with these different
> arguments.
> 
> I believe the problem is that /var/run/samba/ntp_signd/socket is owned
> by root:root:
> root at dc1:# ls -l /var/run/samba/ntp_signd/socket
> srwxrwxrwx 1 root root 0 Jul 27 11:39 /var/run/samba/ntp_signd/socket
> 
> I can also verify that the samba process using the socket is running
> as root:root:
> root at dc1:# lsof | grep /var/run/samba/ntp_signd/socket
> samba 7401 root 21u unix 0xffff880130777400 0t0 739534 /var/run/samba/ntp_signd/socket
> root at dc1:# ps -eo "%p %c %u %g" | grep 7401
> 7401 samba root root
> 
> Is it acceptable to run ntp as root:root instead of ntp:ntp? It seems
> that would solve this problem, though I am not aware of the full
> security implications of running the ntp daemon as root.
> 
> As a side note, these DCs are in fact VMs (KVM is the hypervisor).
> 
> 
> 
> Thanks,
> 
> Andrew
> 
Jason,

A couple of things to test:
 - does it make any difference if you set it manually to point at one of your
   DCs using w32tm /config /update /manualpeerlist:192.168.xxx.xxx /syncfromflags:MANUAL
 - does the socket file actually exist on your DCs?
 - are you running ntpd as root?

Thanks,

Andrew
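Editor's note, added to this archived thread and not part of any post above or of Samba's or ntpd's own code: the observation earlier in the thread (ntpd signing works as root, root:ntp or "-u 106", but not as "-u 106:113", even though the socket is srwxrwxrwx root:root) is consistent with a directory-permission problem rather than a socket-permission one. connect() on a Unix socket resolves the path, so the kernel needs search (x) permission on every directory above the socket as well as write permission on the socket node; a world-writable socket inside a directory the ntp group cannot enter is still unreachable. The script below applies that rule to stat() fields. The ntp_signd directory mode and ownership used here are an assumption (the thread only shows the socket's ls output), the lookup of the ntp user's primary group in the "-u 106" case is not modelled because the thread does not show it, and check_real_socket is the same model pointed at a live path.

```python
"""Model the access check ntpd performs when opening Samba's ntp_signd socket.

Added example for the mailing-list thread; not Samba or ntpd project code.
Directory modes below are constructed assumptions, not values from the thread.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Node:
    """The permission-relevant part of a stat() result."""
    mode: int  # permission bits only, e.g. 0o750
    uid: int
    gid: int


def allowed(node: Node, uid: int, gids: frozenset[int], need: int) -> bool:
    """Discretionary-access check for one node; `need` is an rwx mask (4/2/1).

    uid 0 is treated as passing, mirroring CAP_DAC_OVERRIDE, which is why the
    thread's root-run ntpd worked regardless of ownership.
    """
    if uid == 0:
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & need == need


def can_connect(dirs: Iterable[Node], sock: Node, uid: int, gids: Iterable[int]) -> bool:
    """True if a process running as uid/gids can connect() to the socket:
    search on every parent directory plus write on the socket node."""
    groups = frozenset(gids)
    return all(allowed(d, uid, groups, 1) for d in dirs) and allowed(sock, uid, groups, 2)


def node_from_path(path: str) -> Node:
    st = os.stat(path)
    return Node(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def check_real_socket(sock_path: str, uid: int, gids: Iterable[int]) -> bool:
    """Apply the model to a live path such as /var/run/samba/ntp_signd/socket."""
    parts = os.path.abspath(sock_path).split(os.sep)
    # '/', '/var', '/var/run', ... up to the socket's own directory
    dirs = [node_from_path(os.sep + os.sep.join(parts[1:i])) for i in range(1, len(parts))]
    return can_connect(dirs, node_from_path(sock_path), uid, gids)


# Constructed layout approximating the thread's DC. The socket is 0777 root:root
# as in the quoted ls output; the parent directories are assumed 0755 root:root.
ROOT_DIRS = [Node(0o755, 0, 0)] * 4  # /, /var, /var/run, /var/run/samba (assumed)
SOCKET = Node(0o777, 0, 0)
NTP_UID, NTP_GID = 106, 113  # the ntp user and group named in the thread


def thread_scenarios() -> dict[str, bool]:
    """Reproduce the thread's observed outcomes under the model."""
    signd_root_only = Node(0o750, 0, 0)        # assumed: root:root, no access for others
    signd_group_ntp = Node(0o750, 0, NTP_GID)  # same directory after chgrp ntp
    return {
        "root:root": can_connect(ROOT_DIRS + [signd_root_only], SOCKET, 0, [0]),
        "root:ntp": can_connect(ROOT_DIRS + [signd_root_only], SOCKET, 0, [NTP_GID]),
        "ntp:ntp, dir root:root": can_connect(ROOT_DIRS + [signd_root_only], SOCKET, NTP_UID, [NTP_GID]),
        "ntp:ntp, dir root:ntp": can_connect(ROOT_DIRS + [signd_group_ntp], SOCKET, NTP_UID, [NTP_GID]),
    }


if __name__ == "__main__":
    for label, ok in thread_scenarios().items():
        print(f"{label:24s} {'can connect' if ok else 'DENIED'}")
```

The point for the "run ntpd as root?" question in the thread: if the model denies access only in the ntp:ntp case, the fix is to give the ntp group search access to the ntp_signd directory (and, if needed, write access to the socket), not to drop ntpd's privilege separation. Running check_real_socket("/var/run/samba/ntp_signd/socket", 106, [113]) on the DC itself gives the answer for the real layout.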
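Editor's note, added to this archived thread and not part of any post above: the w32tm /monitor output quoted in the thread already separates the two failure modes that produce "no time data was available" on the client, a DC that does not answer at all (ICMP and NTP time out) and a DC that answers but reports stratum 0 with RefID 'INIT', which is ntpd saying it has not yet synchronized to an upstream source; a client will not accept time from a server that reports itself unsynchronized. The parser below turns that output into a per-DC verdict. The sample is constructed from the thread's quoted output, with the indentation w32tm normally prints and one consistent domain name; the regexes are an assumption about w32tm's layout, not taken from Microsoft documentation.

```python
"""Triage `w32tm /monitor` output from a Windows domain member.

Added example for the mailing-list thread; the sample text is constructed from
the output quoted there and the field layout is an assumption about w32tm.
"""
import re

SAMPLE = """\
dc0.mydomain.com *** PDC ***[ 192.168.0.101:123 ]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc0.mydomain.com
        RefID: vimo.dorui.net [97.107.128.58]
        Stratum: 4
DC1.mydomain.com *** PDC ***[ 192.168.0.102:123 ]:
    ICMP: 0ms delay
    NTP: +0.0049947s offset from dc0.mydomain.com
        RefID: 'INIT' [0x54494E49]
        Stratum: 0
DCT.mydomain.com *** PDC ***[ 192.168.0.103:123 ]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: ERROR_TIMEOUT - no response from server in 1000ms
"""

# One block per DC: "<name> [*** PDC ***][ <ip>:<port> ]:" followed by indented fields.
HEADER = re.compile(r"^(?P<name>\S+)\s*(?P<pdc>\*\*\* PDC \*\*\*)?\s*\[\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\]:$")
OFFSET = re.compile(r"^NTP:\s*(?P<offset>[+-]?\d+(?:\.\d+)?)s offset")
STRATUM = re.compile(r"^Stratum:\s*(?P<stratum>\d+)")
REFID = re.compile(r"^RefID:\s*(?P<refid>.+?)\s*(?:\[.*\])?$")


def parse_monitor(text):
    """Return one dict per DC block, with None for fields that were not printed."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "ip": m["ip"], "port": int(m["port"]),
                   "pdc": m["pdc"] is not None, "icmp_error": None,
                   "ntp_error": None, "offset": None, "refid": None, "stratum": None}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first DC block
        if line.startswith("ICMP:") and "error" in line:
            cur["icmp_error"] = line[len("ICMP:"):].strip()
        elif line.startswith("NTP:"):
            m = OFFSET.match(line)
            if m:
                cur["offset"] = float(m["offset"])
            else:
                cur["ntp_error"] = line[len("NTP:"):].strip()
        elif (m := STRATUM.match(line)):
            cur["stratum"] = int(m["stratum"])
        elif (m := REFID.match(line)):
            cur["refid"] = m["refid"].strip("'")
    return entries


def assess(entry):
    """Classify one DC as 'unreachable', 'unsynchronized' or 'ok'.

    Stratum 0 (as w32tm showed for DC1) and 16 are both treated as
    unsynchronized, since implementations differ in which one they send
    before they have an upstream; RefID 'INIT' is ntpd's marker for that state.
    """
    if entry["icmp_error"] or entry["ntp_error"]:
        return "unreachable"
    if entry["stratum"] in (None, 0, 16) or entry["refid"] == "INIT":
        return "unsynchronized"
    return "ok"


def triage(text):
    """Map each DC name to its verdict."""
    return {e["name"]: assess(e) for e in parse_monitor(text)}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name:20s} {verdict}")
```

Read against the thread: dc0 is usable, DCT is simply down, and DC1, although it answers, is an ntpd that has not synchronized yet (the restrict lines or missing upstream reachability on that DC are the place to look), so a client whose domain hierarchy lookup lands on DC1 or DCT will report no time data even though w32tm /monitor "works".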

