[Samba] Correct NTP Settings for Samba 4.0.6?

Andrew Martin amartin at xes-inc.com
Sat Jul 27 13:31:21 MDT 2013


----- Original Message -----
> From: "Thomas Simmons" <twsnnva at gmail.com>
> To: "Andrew Martin" <amartin at xes-inc.com>
> Cc: samba at lists.samba.org
> Sent: Saturday, July 27, 2013 12:26:57 PM
> Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> 
> Running "w32tm /config /update /syncfromflags:DOMHIER && net stop w32time
> && net start w32time" should make the client query the directory for its
> time server. You can verify the configuration with "w32tm /query
> /configuration" and look for the "Type" to be NT5DS. This means it's
> using AD. You can also run w32tm /monitor and the Windows time service
> will go through the processes of querying the directory to find a time
> server, then verify it's accessible. If that works, all is working. I
> found w32tm /monitor will fail if you have your domain functional level
> at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't
> had time to test against a real 2008+ server. Just know it's to be
> expected.
> 
> 
> On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amartin at xes-inc.com> wrote:
> 
> > ----- Original Message -----
> > > From: "Thomas Simmons" <twsnnva at gmail.com>
> > > To: "Andrew Martin" <amartin at xes-inc.com>
> > > Cc: samba at lists.samba.org
> > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > >
> > >
> > > The ls -l command you ran shows the ntp_signd directory is empty, so
> > > it looks like samba is not creating the socket (at least in that
> > > location). Do you have the "ntp signd socket directory" option in
> > > your smb.conf? If not, try manually adding it to smb.conf:
> > >
> > > ntp signd socket directory = /var/run/samba/ntp_signd
> > >
> > >
> > > Apart from that, my suggestion would be to stop apparmor and iptables
> > > for testing and run ntp and samba with verbose logging on and see
> > > what it says. Also, what does "w32tm /query /source" and "w32tm
> > > /monitor" show on the client?
> > >
> > >
> > >
> > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > > Cc: samba at lists.samba.org
> > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amartin at xes-inc.com> wrote:
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > > > Ubuntu 12.04. I followed the instructions on the Samba wiki
> > > > ( https://wiki.samba.org/index.php/Configure_NTP ) for how to
> > > > configure ntp, however the domain clients are rejecting the DCs as
> > > > being acceptable time sources. Below is my ntp.conf:
> > > >
> > > > server 127.127.1.0
> > > > fudge 127.127.1.0 stratum 10
> > > > server 0.pool.ntp.org iburst prefer
> > > > server 1.pool.ntp.org iburst prefer
> > > > driftfile /var/lib/ntp/ntp.drift
> > > > logfile /var/log/ntp
> > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > restrict default kod nomodify notrap nopeer mssntp
> > > > restrict 127.0.0.1
> > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > >
> > > > Using Ubuntu, I am not using SELinux. I do not believe there to be
> > > > any problems with apparmor, as it contains these lines in
> > > > /etc/apparmor.d/usr.sbin.ntpd:
> > > > # samba4 ntp signing socket
> > > > /{,var/}run/samba/ntp_signd/socket rw,
> > > >
> > > > What is the correct procedure for configuring NTP for a Samba4 AD DC?
> > > >
> > > > Thanks,
> > > >
> > > > Andrew
> > > >
> > > >
> > > > When you compiled Samba, did you not use the standard install path
> > > > (/usr/local/samba) or did you add an entry in smb.conf to use
> > > > /var/run/samba/ntp_signd for the socket?
> > > >
> > > Thomas,
> > >
> > > When compiling Samba, I specified custom paths to be in line with
> > > Debian's conventions for file locations:
> > > conf_args = \
> > > --prefix=/usr \
> > > --enable-fhs \
> > > --sysconfdir=/etc \
> > > --localstatedir=/var \
> > > --with-privatedir=/var/lib/samba/private \
> > > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > > --with-piddir=/var/run/samba \
> > > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > > --with-pam \
> > > --with-syslog \
> > > --with-utmp \
> > > --with-pam_smbpass \
> > > --with-winbind \
> > > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > > --with-automount \
> > > --with-ldap \
> > > --with-ads \
> > > --with-dnsupdate \
> > > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > > --datadir=/usr/share \
> > > --with-lockdir=/var/run/samba \
> > > --with-statedir=/var/lib/samba \
> > > --with-cachedir=/var/cache/samba \
> > > --disable-avahi \
> > > --with-ctdb=/usr \
> > > --disable-rpath \
> > > --disable-ntdb \
> > > --disable-rpath-install \
> > > --bundled-libraries=NONE,pytevent,iniparser \
> > > --builtin-libraries=replace,ccan \
> > > --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > > --without-getpass-replacement \
> > > --enable-debug
> > >
> > >
> > > Thanks,
> > >
> > > Andrew
> > >
> > >
> > Thomas,
> >
> > Adding that parameter to the smb.conf file, as well as removing the
> > ntp_signd directory so that samba itself could create it appears to
> > have worked:
> > root@dc0:/# ls -l /var/run/samba/ntp_signd/
> > total 0
> > srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
> >
> > I also needed a few extra lines in ntp.conf, otherwise the Windows
> > client would fail with the error "The computer did not resync because
> > no time data was available":
> > server 0.us.pool.ntp.org
> > server 1.us.pool.ntp.org
> > server 2.us.pool.ntp.org
> > server 3.us.pool.ntp.org
> > server 127.127.1.0
> > fudge  127.127.1.0 stratum 10
> > server 0.pool.ntp.org  iburst prefer
> > server 1.pool.ntp.org  iburst prefer
> > driftfile /var/lib/ntp/ntp.drift
> > logfile /var/log/ntp
> > ntpsigndsocket /var/run/samba/ntp_signd
> > restrict default kod nomodify notrap nopeer mssntp
> > restrict 127.0.0.1
> > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> >
> >
> > Do the Windows clients prefer ntp information from the DHCP lease, or
> > from the DC that they are connected to? My DHCP configuration
> > currently is using an old NTP server until I get Samba4's NTP up and
> > running. Thus, when I run w32tm /query /source on the client, it still
> > shows the old server. I ran the following command to manually set it
> > to one of the DCs:
> > w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
> >
> > Then, running w32tm /resync succeeds and w32tm /query /source lists
> > dc0 as the NTP source.
> >
> > Are there any other tests I should run to verify that NTP is working
> > correctly?
> >
> > Thanks,
> >
> > Andrew
> >
> 

Thomas,

After following your instructions, I have verified that the type is listed
as NT5DS. Thanks again for your help in getting this working!

Regarding DHCP settings, is it okay to have the DHCP lease push out
NTP settings (e.g. they'll just get overridden by the DC), or should I 
completely remove NTP settings in dhcpd.conf for all domain members?

Thanks,

Andrew
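
The fix reached in this thread depends on smb.conf and ntp.conf naming the same signing-socket directory, on `mssntp` being present on the `restrict default` line, and on Samba having created the socket. The script below is an added example, not part of the original messages or of Samba; its function names are hypothetical, and it assumes the directory is set explicitly in smb.conf, as it was here.

```sh
#!/bin/sh
# Added example, not from the thread. Config paths are arguments so the
# checks can run against copies; the parsing is deliberately simple
# (exact lower-case option names, one value per line).

# Value of "ntp signd socket directory" in an smb.conf (last one wins).
smb_signd_dir() {
    sed -n 's/^[[:space:]]*ntp signd socket directory[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1
}

# Directory given to ntpd's ntpsigndsocket directive in an ntp.conf.
ntp_signd_dir() {
    awk '$1 == "ntpsigndsocket" { d = $2 } END { if (d != "") print d }' "$1"
}

# Succeeds if the "restrict default" line carries the mssntp flag.
ntp_default_has_mssntp() {
    awk '$1 == "restrict" && $2 == "default" {
             for (i = 3; i <= NF; i++) if ($i == "mssntp") ok = 1
         } END { exit !ok }' "$1"
}

# Succeeds if Samba has created its signing socket inside directory $1.
signd_socket_present() {
    [ -S "$1/socket" ]
}

# check_signd SMB_CONF NTP_CONF: one finding per line, status 0 if clean.
check_signd() {
    smb_dir=$(smb_signd_dir "$1")
    ntp_dir=$(ntp_signd_dir "$2")
    rc=0
    if [ -z "$smb_dir" ]; then
        echo "smb.conf: ntp signd socket directory not set"; rc=1
    fi
    if [ -z "$ntp_dir" ]; then
        echo "ntp.conf: ntpsigndsocket not set"; rc=1
    fi
    if [ -n "$smb_dir" ] && [ -n "$ntp_dir" ] && [ "$smb_dir" != "$ntp_dir" ]; then
        echo "mismatch: samba=$smb_dir ntpd=$ntp_dir"; rc=1
    fi
    if ! ntp_default_has_mssntp "$2"; then
        echo "ntp.conf: restrict default lacks mssntp"; rc=1
    fi
    return "$rc"
}
```

On the DC this would be run as `check_signd /etc/samba/smb.conf /etc/ntp.conf` followed by `signd_socket_present /var/run/samba/ntp_signd`; the two config file locations are assumed from the build options quoted above and the Ubuntu ntp package.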

