[Samba] Correct NTP Settings for Samba 4.0.6?

Andrew Martin amartin at xes-inc.com
Sat Jul 27 10:58:24 MDT 2013


----- Original Message -----
> From: "Thomas Simmons" <twsnnva at gmail.com>
> To: "Andrew Martin" <amartin at xes-inc.com>
> Cc: samba at lists.samba.org
> Sent: Saturday, July 27, 2013 11:03:49 AM
> Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> 
> 
> The ls -l command you ran shows the ntp_signd directory is empty, so
> it looks like samba is not creating the socket (at least in that
> location). Do you have the "ntp signd socket directory" option in
> your smb.conf? If not, try manually adding it to smb.conf:
> 
> ntp signd socket directory = /var/run/samba/ntp_signd
> 
> 
> Apart from that, my suggestion would be to stop apparmor and iptables
> for testing and run ntp and samba with verbose logging on and see
> what it says. Also, what do "w32tm /query /source" and "w32tm
> /monitor" show on the client?
> 
> 
> 
> On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin < amartin at xes-inc.com
> > wrote:
> 
> 
> 
> ----- Original Message -----
> > From: "Thomas Simmons" < twsnnva at gmail.com >
> > To: "Andrew Martin" < amartin at xes-inc.com >
> > Cc: samba at lists.samba.org
> > Sent: Saturday, July 27, 2013 10:33:49 AM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > 
> > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <
> > amartin at xes-inc.com
> > > wrote:
> > 
> > 
> > Hello,
> > 
> > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > Ubuntu 12.04.
> > I followed the instructions on the Samba wiki (
> > https://wiki.samba.org/index.php/Configure_NTP )
> > for how to configure ntp, however the domain clients are rejecting
> > the DCs as
> > being acceptable time sources. Below is my ntp.conf:
> > 
> > server 127.127.1.0
> > fudge 127.127.1.0 stratum 10
> > server 0.pool.ntp.org iburst prefer
> > server 1.pool.ntp.org iburst prefer
> > driftfile /var/lib/ntp/ntp.drift
> > logfile /var/log/ntp
> > ntpsigndsocket /var/run/samba/ntp_signd
> > restrict default kod nomodify notrap nopeer mssntp
> > restrict 127.0.0.1
> > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > 
> > Using Ubuntu, I am not using SELinux. I do not believe there to be
> > any problems
> > with apparmor, as it contains these lines in
> > /etc/apparmor.d/usr.sbin.ntpd:
> > # samba4 ntp signing socket
> > /{,var/}run/samba/ntp_signd/socket rw,
> > 
> > What is the correct procedure for configuring NTP for a Samba4 AD
> > DC?
> > 
> > Thanks,
> > 
> > Andrew
> > 
> > 
> > When you compiled Samba, did you not use the standard install path
> > (/usr/local/samba) or did you add an entry in smb.conf to use
> > /var/run/samba/ntp_signd for the socket?
> > 
> Thomas,
> 
> When compiling Samba, I specified custom paths to be in line with
> Debian's
> conventions for file locations:
> conf_args = \
> --prefix=/usr \
> --enable-fhs \
> --sysconfdir=/etc \
> --localstatedir=/var \
> --with-privatedir=/var/lib/samba/private \
> --with-smbpasswd-file=/etc/samba/smbpasswd \
> --with-piddir=/var/run/samba \
> --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> --with-pam \
> --with-syslog \
> --with-utmp \
> --with-pam_smbpass \
> --with-winbind \
> --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> --with-automount \
> --with-ldap \
> --with-ads \
> --with-dnsupdate \
> --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> --datadir=/usr/share \
> --with-lockdir=/var/run/samba \
> --with-statedir=/var/lib/samba \
> --with-cachedir=/var/cache/samba \
> --disable-avahi \
> --with-ctdb=/usr \
> --disable-rpath \
> --disable-ntdb \
> --disable-rpath-install \
> --bundled-libraries=NONE,pytevent,iniparser \
> --builtin-libraries=replace,ccan \
> --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> --without-getpass-replacement \
> --enable-debug
> 
> 
> Thanks,
> 
> Andrew
> 
> 
Thomas,

Adding that parameter to the smb.conf file, as well as removing the ntp_signd directory
so that samba itself could create it appears to have worked:
root@dc0:/# ls -l /var/run/samba/ntp_signd/
total 0
srwxrwxrwx 1 root root 0 Jul 27 11:41 socket

I also needed a few extra lines in ntp.conf, otherwise the Windows client would fail
with the error "The computer did not resync because no time data was available":
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery


Do the Windows clients prefer ntp information from the DHCP lease, or from the DC that
they are connected to? My DHCP configuration currently is using an old NTP server until
I get Samba4's NTP up and running. Thus, when I run w32tm /query /source on the client,
it still shows the old server. I ran the following command to manually set it to one of the DCs:
w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL

Then, running w32tm /resync succeeds and w32tm /query /source lists dc0 as the NTP source.

Are there any other tests I should run to verify that NTP is working correctly?

Thanks,

Andrew
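
A DC-side consistency check for the settings discussed in this thread, added here as an example and not part of the original messages or of Samba: it compares ntpsigndsocket in ntp.conf with "ntp signd socket directory" in smb.conf, confirms a restrict line carries mssntp, and confirms the socket file exists. The function names, the root parameter (used to test against a scratch tree) and the rule that flags a directory open to "other" are assumptions of this example.

```python
import os
import stat
# Constructed sample input, using the settings quoted in the thread.
NTP_CONF = "ntpsigndsocket /var/run/samba/ntp_signd\nrestrict default kod nomodify notrap nopeer mssntp\n"
SMB_CONF = "[global]\n    ntp signd socket directory = /var/run/samba/ntp_signd\n"

def ntp_conf_settings(text):
    """Return (ntpsigndsocket directory or None, whether a restrict line has mssntp)."""
    signd_dir, mssntp = None, False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) > 1 and tok[0] == "ntpsigndsocket":
            signd_dir = tok[1]
        elif tok and tok[0] == "restrict" and "mssntp" in tok[2:]:
            mssntp = True
    return signd_dir, mssntp

def smb_conf_signd_dir(text):
    """Return smb.conf's 'ntp signd socket directory' (name ignores case/spaces) or None."""
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.replace(" ", "").lower() == "ntpsigndsocketdirectory":
            return value.strip()
    return None

def check(ntp_text, smb_text, root="/"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ntp_dir, mssntp = ntp_conf_settings(ntp_text)
    smb_dir = smb_conf_signd_dir(smb_text)
    if not mssntp:
        findings.append("ntp.conf: no restrict line carries mssntp")
    if smb_dir is None:
        findings.append("smb.conf: directory not set, Samba uses its build default")
    if ntp_dir is None:
        return findings + ["ntp.conf: no ntpsigndsocket line"]
    if smb_dir and os.path.normpath(smb_dir) != os.path.normpath(ntp_dir):
        findings.append("paths differ: smb.conf %s, ntp.conf %s" % (smb_dir, ntp_dir))
    d = os.path.join(root, ntp_dir.lstrip("/"))
    sock = os.path.join(d, "socket")  # file name as shown by ls -l in the thread
    if not (os.path.exists(sock) and stat.S_ISSOCK(os.stat(sock).st_mode)):
        findings.append("no socket at %s (is samba running?)" % sock)
    # Assumption of this example: a directory open to 'other' is worth flagging.
    if os.path.isdir(d) and stat.S_IMODE(os.stat(d).st_mode) & 0o007:
        findings.append("%s is accessible to users other than owner and group" % d)
    return findings

if __name__ == "__main__":
    print(check(NTP_CONF, SMB_CONF) or "all checks passed")
```

On a real DC, pass the contents of the live ntp.conf and smb.conf instead of the sample strings and leave root at its default.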

