[Samba] Correct NTP Settings for Samba 4.0.6?

Thomas Simmons twsnnva at gmail.com
Sat Jul 27 11:26:57 MDT 2013


Running "w32tm /config /update /syncfromflags:DOMHIER && net stop w32time
&& net start w32time" should make the client query the directory for its
time server. You can verify the configuration with "w32tm /query
/configuration" and look for the "Type" to be NT5DS. This means it's using
AD. You can also run w32tm /monitor and the Windows time service will go
through the processes of querying the directory to find a time server, then
verify it's accessible. If that works, all is working. I found w32tm
/monitor will fail if you have your domain functional level at 2008 or
2008_R2. I don't know if this is a bug in Samba as I haven't had time to
test against a real 2008+ server. Just know it's to be expected.


On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "Thomas Simmons" <twsnnva at gmail.com>
> > To: "Andrew Martin" <amartin at xes-inc.com>
> > Cc: samba at lists.samba.org
> > Sent: Saturday, July 27, 2013 11:03:49 AM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> >
> >
> > The ls -l command you ran shows the ntp_signd directory is empty, so
> > it looks like samba is not creating the socket (at least in that
> > location). Do you have the "ntp signd socket directory" option in
> > your smb.conf? If not, try manually adding it to smb.conf:
> >
> > ntp signd socket directory = /var/run/samba/ntp_signd
> >
> >
> > Apart from that, my suggestion would be to stop apparmor and iptables
> > for testing and run ntp and samba with verbose logging on and see
> > what it says. Also, what does "w32tm /query /source" and "w32tm
> > /monitor" show on the client?
> >
> >
> >
> > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> >
> >
> >
> > ----- Original Message -----
> > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > Cc: samba at lists.samba.org
> > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > >
> > >
> > >
> > >
> > >
> >
> >
> > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> > >
> > >
> > > Hello,
> > >
> > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > > Ubuntu 12.04. I followed the instructions on the Samba wiki
> > > (https://wiki.samba.org/index.php/Configure_NTP) for how to configure
> > > ntp, however the domain clients are rejecting the DCs as being
> > > acceptable time sources. Below is my ntp.conf:
> > >
> > > server 127.127.1.0
> > > fudge 127.127.1.0 stratum 10
> > > server 0.pool.ntp.org iburst prefer
> > > server 1.pool.ntp.org iburst prefer
> > > driftfile /var/lib/ntp/ntp.drift
> > > logfile /var/log/ntp
> > > ntpsigndsocket /var/run/samba/ntp_signd
> > > restrict default kod nomodify notrap nopeer mssntp
> > > restrict 127.0.0.1
> > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > >
> > > Using Ubuntu, I am not using SELinux. I do not believe there to be any
> > > problems with apparmor, as it contains these lines in
> > > /etc/apparmor.d/usr.sbin.ntpd:
> > > # samba4 ntp signing socket
> > > /{,var/}run/samba/ntp_signd/socket rw,
> > >
> > > What is the correct procedure for configuring NTP for a Samba4 AD
> > > DC?
> > >
> > > Thanks,
> > >
> > > Andrew
> > >
> > >
> > > When you compiled Samba, did you not use the standard install path
> > > (/usr/local/samba) or did you add an entry in smb.conf to use
> > > /var/run/samba/ntp_signd for the socket?
> > >
> > Thomas,
> >
> > When compiling Samba, I specified custom paths to be in line with Debian's
> > conventions for file locations:
> > conf_args = \
> > --prefix=/usr \
> > --enable-fhs \
> > --sysconfdir=/etc \
> > --localstatedir=/var \
> > --with-privatedir=/var/lib/samba/private \
> > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > --with-piddir=/var/run/samba \
> > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > --with-pam \
> > --with-syslog \
> > --with-utmp \
> > --with-pam_smbpass \
> > --with-winbind \
> > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > --with-automount \
> > --with-ldap \
> > --with-ads \
> > --with-dnsupdate \
> > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > --datadir=/usr/share \
> > --with-lockdir=/var/run/samba \
> > --with-statedir=/var/lib/samba \
> > --with-cachedir=/var/cache/samba \
> > --disable-avahi \
> > --with-ctdb=/usr \
> > --disable-rpath \
> > --disable-ntdb \
> > --disable-rpath-install \
> > --bundled-libraries=NONE,pytevent,iniparser \
> > --builtin-libraries=replace,ccan \
> > --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > --without-getpass-replacement \
> > --enable-debug
> >
> >
> > Thanks,
> >
> > Andrew
> >
> >
> Thomas,
>
> Adding that parameter to the smb.conf file, as well as removing the
> ntp_signd directory so that samba itself could create it appears to have
> worked:
> root at dc0:/# ls -l /var/run/samba/ntp_signd/
> total 0
> srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
>
> I also needed a few extra lines in ntp.conf, otherwise the Windows client
> would fail with the error "The computer did not resync because no time data
> was available":
> server 0.us.pool.ntp.org
> server 1.us.pool.ntp.org
> server 2.us.pool.ntp.org
> server 3.us.pool.ntp.org
> server 127.127.1.0
> fudge  127.127.1.0 stratum 10
> server 0.pool.ntp.org  iburst prefer
> server 1.pool.ntp.org  iburst prefer
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /var/run/samba/ntp_signd
> restrict default kod nomodify notrap nopeer mssntp
> restrict 127.0.0.1
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>
>
> Do the Windows clients prefer ntp information from the DHCP lease, or from
> the DC that they are connected to? My DHCP configuration currently is using
> an old NTP server until I get Samba4's NTP up and running. Thus, when I run
> w32tm /query /source on the client, it still shows the old server. I ran the
> following command to manually set it to one of the DCs:
> w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
>
> Then, running w32tm /resync succeeds and w32tm /query /source lists dc0 as
> the NTP source.
>
> Are there any other tests I should run to verify that NTP is working
> correctly?
>
> Thanks,
>
> Andrew
>
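
Added example, not part of the original thread and not Samba or ntpd code: a Python check for the failure diagnosed above, where ntpd's "ntpsigndsocket" and Samba's "ntp signd socket directory" must name the same directory and Samba must have created the "socket" file in it. The function names are hypothetical, and the final directory-permission test is an added hardening check, included because the socket itself is world-writable in the ls -l output above.

```python
import os
import stat

def ntp_conf_settings(text):
    """Return (ntpsigndsocket directory or None, True if a restrict line has mssntp)."""
    sock_dir, mssntp = None, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "ntpsigndsocket":
            sock_dir = words[1]
        elif words and words[0] == "restrict" and "mssntp" in words[1:]:
            mssntp = True
    return sock_dir, mssntp

def smb_conf_signd_dir(text):
    """Return smb.conf's 'ntp signd socket directory', or None when it is not set."""
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        # smb.conf parameter names ignore case and whitespace
        if sep and "".join(key.lower().split()) == "ntpsigndsocketdirectory":
            return value.strip()
    return None

def check(ntp_text, smb_text):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    ntp_dir, mssntp = ntp_conf_settings(ntp_text)
    smb_dir = smb_conf_signd_dir(smb_text)
    if not mssntp:
        problems.append("ntp.conf: no restrict line carries mssntp")
    if smb_dir is None:
        problems.append("smb.conf: 'ntp signd socket directory' unset, build default applies")
    if ntp_dir is None:
        problems.append("ntp.conf: ntpsigndsocket is not set")
        return problems
    if smb_dir is not None and os.path.normpath(smb_dir) != os.path.normpath(ntp_dir):
        problems.append(f"path mismatch: ntpd uses {ntp_dir}, samba uses {smb_dir}")
    try:
        sock_ok = stat.S_ISSOCK(os.stat(os.path.join(ntp_dir, "socket")).st_mode)
    except OSError:
        sock_ok = False
    if not sock_ok:
        problems.append(f"{ntp_dir}/socket is missing or not a socket (ls -l shows 's')")
    elif os.stat(ntp_dir).st_mode & 0o007:
        problems.append(f"{ntp_dir} is open to all local users")
    return problems

if __name__ == "__main__":
    # Constructed sample input based on the settings quoted in the thread.
    ntp = "ntpsigndsocket /var/run/samba/ntp_signd\nrestrict default kod nomodify notrap nopeer mssntp\n"
    smb = "[global]\n\tntp signd socket directory = /var/run/samba/ntp_signd\n"
    print(check(ntp, smb) or "ok")
```

Run it on the DC with the real contents of ntp.conf and smb.conf passed to check(); an empty list means ntpd and Samba agree on the socket location and the socket exists.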

