[Samba] Correct NTP Settings for Samba 4.0.6?

Jason MacChesney jason.macchesney at ecacs16.ab.ca
Wed Jul 31 13:24:35 MDT 2013


Hi Andrew, I've been struggling silently with this for quite a while. With
pretty much an identical set-up (save for my W7 machines being handled by
VirtualBox) I'm at my wit's end. A tcpdump initially revealed that the
server with Samba4(.0.7) and NTP was being sent packets, but never
returning them. Similarly, a Linux box was caught in stratum 16. Both of
these problems were resolved after amending the ntp.conf file to allow IPs
from a specified subnet. So in my case:
restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer

Now I get this:
C:\Users\administrator>w32tm /monitor
sambaf.sambafour.LOCAL *** PDC ***[192.168.1.131:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from sambaf.sambafour.LOCAL
        RefID: mx2.trentu.ca [192.75.12.11]
        Stratum: 3
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

BUT, I still get this:

C:\Users\administrator>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
The command completed successfully.
C:\Users\administrator>w32tm /query /source
Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start,
register/unregister, included the signdsocket directory in both the smb and
ntp configuration files.
I'm really surprised to hear that you received mixed results based on how
you launched the ntp service. I've had no such luck.
So I'm pretty baffled. Time drift is potentially a massive issue where we
deploy machines due to PEBKAC. I hate to piggyback on an issue, but any
insight anyone might have would be appreciated.





On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "Thomas Simmons" <twsnnva at gmail.com>
> > To: "Andrew Martin" <amartin at xes-inc.com>
> > Cc: samba at lists.samba.org
> > Sent: Saturday, July 27, 2013 7:07:59 PM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> >
> > Your Windows client is not able to access the NTP server, which is why
> > w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no
> > response from server in 1000ms" error when running w32tm /monitor. Why? I
> > can't say. Can you set up a Linux box to use this server for NTP and run
> > ntpdate as a test? I've seen this when there is a flaky network connection
> > (traffic, wifi, or when the DC is a VMware VM under certain situations).
> > Your DC is not a VM is it?
> >
> >
> > On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin <amartin at xes-inc.com>
> > wrote:
> >
> > > ----- Original Message -----
> > > > From: "Andrew Martin" <amartin at xes-inc.com>
> > > > To: "Thomas Simmons" <twsnnva at gmail.com>
> > > > Cc: samba at lists.samba.org
> > > > Sent: Saturday, July 27, 2013 2:31:21 PM
> > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Thomas Simmons" <twsnnva at gmail.com>
> > > > > To: "Andrew Martin" <amartin at xes-inc.com>
> > > > > Cc: samba at lists.samba.org
> > > > > Sent: Saturday, July 27, 2013 12:26:57 PM
> > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > >
> > > > > Running "w32tm /config /update /syncfromflags:DOMHIER && net stop
> > > > > w32time && net start w32time" should make the client query the
> > > > > directory for its time server. You can verify the configuration with
> > > > > "w32tm /query /configuration" and look for the "Type" to be NT5DS.
> > > > > This means it's using AD. You can also run w32tm /monitor and the
> > > > > Windows time service will go through the processes of querying the
> > > > > directory to find a time server, then verify it's accessible. If that
> > > > > works, all is working. I found w32tm /monitor will fail if you have
> > > > > your domain functional level at 2008 or 2008_R2. I don't know if this
> > > > > is a bug in Samba as I haven't had time to test against a real 2008+
> > > > > server. Just know it's to be expected.
> > > > >
> > > > >
> > > > > On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
> > > > > <amartin at xes-inc.com>
> > > > > wrote:
> > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Thomas Simmons" <twsnnva at gmail.com>
> > > > > > > To: "Andrew Martin" <amartin at xes-inc.com>
> > > > > > > Cc: samba at lists.samba.org
> > > > > > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > >
> > > > > > >
> > > > > > > The ls -l command you ran shows the ntp_signd directory is
> > > > > > > empty, so it looks like samba is not creating the socket (at
> > > > > > > least in that location). Do you have the "ntp signd socket
> > > > > > > directory" option in your smb.conf? If not, try manually adding
> > > > > > > it to smb.conf:
> > > > > > >
> > > > > > > ntp signd socket directory = /var/run/samba/ntp_signd
> > > > > > >
> > > > > > >
> > > > > > > Apart from that, my suggestion would be to stop apparmor and
> > > > > > > iptables for testing and run ntp and samba with verbose logging
> > > > > > > on and see what it says. Also, what does "w32tm /query /source"
> > > > > > > and "w32tm /monitor" show on the client?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <
> > > > > > > amartin at xes-inc.com
> > > > > > > > wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Thomas Simmons" < twsnnva at gmail.com >
> > > > > > > > To: "Andrew Martin" < amartin at xes-inc.com >
> > > > > > > > Cc: samba at lists.samba.org
> > > > > > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > >
> > > > > > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <
> > > > > > > > amartin at xes-inc.com
> > > > > > > > > wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running
> > > > > > > > it on Ubuntu 12.04. I followed the instructions on the Samba
> > > > > > > > wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for
> > > > > > > > how to configure ntp, however the domain clients are rejecting
> > > > > > > > the DCs as being acceptable time sources. Below is my ntp.conf:
> > > > > > > >
> > > > > > > > server 127.127.1.0
> > > > > > > > fudge 127.127.1.0 stratum 10
> > > > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > > > logfile /var/log/ntp
> > > > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > > > restrict 127.0.0.1
> > > > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > >
> > > > > > > > Using Ubuntu, I am not using SELinux. I do not believe there
> > > > > > > > to be any problems with apparmor, as it contains these lines
> > > > > > > > in /etc/apparmor.d/usr.sbin.ntpd:
> > > > > > > > # samba4 ntp signing socket
> > > > > > > > /{,var/}run/samba/ntp_signd/socket rw,
> > > > > > > >
> > > > > > > > What is the correct procedure for configuring NTP for a
> > > > > > > > Samba4 AD DC?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Andrew
> > > > > > > >
> > > > > > > >
> > > > > > > > When you compiled Samba, did you not use the standard install
> > > > > > > > path (/usr/local/samba) or did you add an entry in smb.conf to
> > > > > > > > use /var/run/samba/ntp_signd for the socket?
> > > > > > > >
> > > > > > > Thomas,
> > > > > > >
> > > > > > > When compiling Samba, I specified custom paths to be in line
> > > > > > > with Debian's conventions for file locations:
> > > > > > > conf_args = \
> > > > > > > --prefix=/usr \
> > > > > > > --enable-fhs \
> > > > > > > --sysconfdir=/etc \
> > > > > > > --localstatedir=/var \
> > > > > > > --with-privatedir=/var/lib/samba/private \
> > > > > > > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > > > > > > --with-piddir=/var/run/samba \
> > > > > > > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > > > > > > --with-pam \
> > > > > > > --with-syslog \
> > > > > > > --with-utmp \
> > > > > > > --with-pam_smbpass \
> > > > > > > --with-winbind \
> > > > > > > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > > > > > > --with-automount \
> > > > > > > --with-ldap \
> > > > > > > --with-ads \
> > > > > > > --with-dnsupdate \
> > > > > > > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > > > > > > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > > > > > > --datadir=/usr/share \
> > > > > > > --with-lockdir=/var/run/samba \
> > > > > > > --with-statedir=/var/lib/samba \
> > > > > > > --with-cachedir=/var/cache/samba \
> > > > > > > --disable-avahi \
> > > > > > > --with-ctdb=/usr \
> > > > > > > --disable-rpath \
> > > > > > > --disable-ntdb \
> > > > > > > --disable-rpath-install \
> > > > > > > --bundled-libraries=NONE,pytevent,iniparser \
> > > > > > > --builtin-libraries=replace,ccan \
> > > > > > > --minimum-library-version="$(shell ./debian/autodeps.py
> > > > > > > --minimum-library-version)" \
> > > > > > > --without-getpass-replacement \
> > > > > > > --enable-debug
> > > > > > >
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Andrew
> > > > > > >
> > > > > > >
> > > > > > Thomas,
> > > > > >
> > > > > > Adding that parameter to the smb.conf file, as well as removing
> > > > > > the ntp_signd directory so that samba itself could create it
> > > > > > appears to have worked:
> > > > > > root at dc0:/# ls -l /var/run/samba/ntp_signd/
> > > > > > total 0
> > > > > > srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
> > > > > >
> > > > > > I also needed a few extra lines in ntp.conf, otherwise the Windows
> > > > > > client would fail with the error "The computer did not resync
> > > > > > because no time data was available":
> > > > > > server 0.us.pool.ntp.org
> > > > > > server 1.us.pool.ntp.org
> > > > > > server 2.us.pool.ntp.org
> > > > > > server 3.us.pool.ntp.org
> > > > > > server 127.127.1.0
> > > > > > fudge  127.127.1.0 stratum 10
> > > > > > server 0.pool.ntp.org  iburst prefer
> > > > > > server 1.pool.ntp.org  iburst prefer
> > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > logfile /var/log/ntp
> > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > restrict 127.0.0.1
> > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > >
> > > > > >
> > > > > > Do the Windows clients prefer ntp information from the DHCP lease,
> > > > > > or from the DC that they are connected to? My DHCP configuration
> > > > > > currently is using an old NTP server until I get Samba4's NTP up
> > > > > > and running. Thus, when I run w32tm /query /source on the client,
> > > > > > it still shows the old server. I ran the following command to
> > > > > > manually set it to one of the DCs:
> > > > > > w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
> > > > > >
> > > > > > Then, running w32tm /resync succeeds and w32tm /query /source
> > > > > > lists dc0 as the NTP source.
> > > > > >
> > > > > > Are there any other tests I should run to verify that NTP is
> > > > > > working correctly?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Andrew
> > > > > >
> > > > >
> > > >
> > > > Thomas,
> > > >
> > > > After following your instructions, I have verified that the type is
> > > > listed as NT5DS. Thanks again for your help in getting this working!
> > > >
> > > > Regarding DHCP settings, is it okay to have the DHCP lease push out
> > > > NTP settings (e.g. they'll just get overridden by the DC), or should
> > > > I completely remove NTP settings in dhcpd.conf for all domain
> > > > members?
> > > >
> > > > Thanks,
> > > >
> > > > Andrew
> > > > --
> > > > To unsubscribe from this list go to the following URL and read
> > > > the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > >
> > >
> > > Thomas,
> > >
> > > I now notice that w32tm /resync does not work, failing with the error
> > > "The computer did not resync because no time data was available". As I
> > > mentioned in my last message, w32tm /monitor correctly shows all 3 of my
> > > Samba4 DCs (although one of them is currently offline):
> > > dc0.mydomain.com *** PDC ***[192.168.0.101:123]:
> > >     ICMP: 0ms delay
> > >     NTP: +0.0000000s offset from dc0.x-es.com
> > >         RefID: vimo.dorui.net [97.107.128.58]
> > >         Stratum: 4
> > >
> > > DC1.mydomain.com *** PDC ***[192.168.0.102:123]:
> > >     ICMP: 0ms delay
> > >     NTP: +0.0049947s offset from dc0.x-es.com
> > >         RefID: 'INIT' [0x54494E49]
> > >         Stratum: 0
> > >
> > > DCT.mydomain.com *** PDC ***[192.168.0.103:123]:
> > >     ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
> > >     NTP: ERROR_TIMEOUT - no response from server in 1000ms
> > >
> > > Does the w32tm /resync command simply not operate correctly in a domain
> > > environment (even though it returns an error, domain time sync is
> > > working)?
> > >
> > > Thanks,
> > >
> > > Andrew
> > >
> >
> Thomas,
>
> The "NTP: ERROR_TIMEOUT - no response from server in 1000ms" error from my
> previous message only occurred on 1 of 3 DCs, dct, because it is currently
> offline. I verified with "w32tm /query /source" that the Windows client I am
> using is connecting to dc1, which is online. The default parameters that
> ntpd is run with on dc1 are:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:113
>
> 106 and 113 are the ntp user and ntp group respectively. Running several
> variations of these arguments, I find that the Windows client can sync
> without error (using w32tm /resync) when the following arguments are used:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g (running as root:root)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106 (running as the ntp user but not specifying the group)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 0:113 (running as root:ntp)
>
> However, running with "-g 106:113" causes the Windows client to be unable
> to connect. A Linux client running ntpdate can connect under all of these
> circumstances. Running ntpd in the foreground did not print any errors or
> differing messages when run with these different arguments.
>
> I believe the problem is that /var/run/samba/ntp_signd/socket is owned by
> root:root:
> root at dc1:# ls -l /var/run/samba/ntp_signd/socket
> srwxrwxrwx 1 root root 0 Jul 27 11:39 /var/run/samba/ntp_signd/socket
>
> I can also verify that the samba process using the socket is running as
> root:root:
> root at dc1:# lsof | grep /var/run/samba/ntp_signd/socket
> samba      7401       root   21u     unix 0xffff880130777400      0t0
> 739534 /var/run/samba/ntp_signd/socket
> root at dc1:# ps -eo "%p %c %u %g" | grep 7401
>  7401 samba           root     root
>
> Is it acceptable to run ntp as root:root instead of ntp:ntp? It seems that
> would solve this problem, though I am not aware of the full security
> implications of running the ntp daemon as root.
>
> As a side note, these DCs are in fact VMs (KVM is the hypervisor).
>
> Thanks,
>
> Andrew
>
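The restrict lines in the ntp.conf files quoted in this thread decide whether ntpd will sign a reply at all. ntpd applies only the most specific restrict entry (longest mask) that matches the client's source address, the flags of that entry are not merged with those of `restrict default`, and a reply goes through the signd socket only when the applied entry carries the `mssntp` flag (and neither `ignore` nor `noserve`). The Python below is an added example, not code from the thread or from Samba or ntpd; it resolves which entry applies to a given client address. The ntp.conf text inside it is constructed for the example, modelled on the configurations quoted above (a default entry with `mssntp` plus a more specific subnet entry without it), and pool hostnames are skipped because they cannot be resolved offline.

```python
import ipaddress

# Constructed ntp.conf fragment for this example, modelled on the two
# configurations quoted in the thread. Not a copy of any real host's file.
SAMPLE_NTP_CONF = """\
server 0.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
"""


def parse_restrict_entries(conf_text):
    """Return [(network, flags)] for every 'restrict' line that names an IP
    address or 'default'. Hostname entries would need DNS and are skipped."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict "):
            continue
        parts = line.split()
        target, rest = parts[1], parts[2:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                continue  # e.g. 0.pool.ntp.org: a hostname, not an address
            # ipaddress accepts a dotted netmask as well as a prefix length
            net = ipaddress.ip_network(
                "%s/%s" % (addr, mask or addr.max_prefixlen), strict=False
            )
        entries.append((net, frozenset(rest)))
    return entries


def effective_flags(conf_text, client_ip):
    """Flags of the most specific matching entry. Less specific entries,
    'default' included, contribute nothing: ntpd does not inherit flags."""
    addr = ipaddress.ip_address(client_ip)
    best_net, best_flags = None, frozenset()
    for net, flags in parse_restrict_entries(conf_text):
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_flags = net, flags
    return best_flags


def reply_policy(conf_text, client_ip):
    """What a client at client_ip gets: served at all, and signed via signd?"""
    flags = effective_flags(conf_text, client_ip)
    served = "ignore" not in flags and "noserve" not in flags
    return {
        "served": served,
        "signed": served and "mssntp" in flags,
        "flags": sorted(flags),
    }


if __name__ == "__main__":
    for ip in ("192.168.1.200", "10.0.0.5", "127.0.0.1"):
        print(ip, reply_policy(SAMPLE_NTP_CONF, ip))
```

Run against the sample, a Windows client at 192.168.1.200 is served but not signed, because the /25 entry wins over `default` and carries no `mssntp`; a host outside that subnet falls through to `default` and is signed. Adding `mssntp` to the subnet entry (or deleting the entry) changes the answer, which is the check to make before looking at sockets or firewalls.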

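The w32tm /monitor output quoted in this thread (one DC at stratum 3 with an IPv4 RefID, another at stratum 0 with RefID 'INIT' [0x54494E49]) and the tcpdump observation of requests that never get a reply can both be checked directly on the wire. A domain-joined Windows client sends a 68-byte request: the 48-byte NTP header plus the MS-SNTP authenticator (a 4-byte key identifier and a 16-byte digest that the server fills in). ntpd puts stratum 16 (unsynchronized) on the wire as stratum 0, so a not-yet-synced ntpd appears to w32tm as stratum 0 with RefID 'INIT', and a client will not take time from such a reply. The Python below is an added example, not code from the thread, from Samba or from ntpd: it builds the client request and decodes a reply the way w32tm reports it. The key identifier is carried as an opaque 4-byte value; in MS-SNTP it identifies the client's computer account, and this example does not assert how it is byte-ordered. The packets in the test are constructed, not captured.

```python
import struct

NTP_HEADER_LEN = 48
MSSNTP_AUTH_LEN = 4 + 16  # key identifier + 16-byte digest


def build_request(xmit_seconds, key_id=None):
    """NTPv3 client-mode (mode 3) request. With key_id (4 bytes) set, append
    the MS-SNTP authenticator a Windows domain member sends: key identifier
    plus a zeroed digest that the server is expected to sign and return."""
    first = (0 << 6) | (3 << 3) | 3               # LI 0, version 3, mode 3
    pkt = struct.pack("!BBBb", first, 0, 6, -20)  # stratum 0 in a request
    pkt += struct.pack("!II", 0, 0)                # root delay, root dispersion
    pkt += b"\0\0\0\0"                             # reference id
    pkt += b"\0" * 24                              # reference/originate/receive ts
    pkt += struct.pack("!II", xmit_seconds, 0)     # transmit timestamp
    if key_id is not None:
        if len(key_id) != 4:
            raise ValueError("key identifier must be 4 bytes")
        pkt += key_id + b"\0" * 16
    return pkt


def build_reply(stratum, refid, xmit_seconds, li=0, key_id=None, digest=None):
    """Constructed server-mode (mode 4) reply, used here only to exercise
    parse_reply(); not a capture from a real server."""
    first = (li << 6) | (3 << 3) | 4
    pkt = struct.pack("!BBBb", first, stratum, 6, -20)
    pkt += struct.pack("!II", 0, 0) + refid        # refid is exactly 4 bytes
    pkt += b"\0" * 24 + struct.pack("!II", xmit_seconds, 0)
    if key_id is not None:
        pkt += key_id + (digest if digest is not None else b"\0" * 16)
    return pkt


def decode_refid(stratum, refid):
    """Stratum 0/1: a 4-char ASCII code (kiss code such as INIT, or a clock
    driver name). Stratum 2+: the IPv4 address of the upstream server."""
    if stratum <= 1:
        return refid.decode("ascii", errors="replace").rstrip("\0")
    return ".".join(str(b) for b in refid)


def parse_reply(data):
    """Decode a reply and list why a client would refuse it, if at all."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum, _poll, _precision = struct.unpack("!BBBb", data[:4])
    li, version, mode = first >> 6, (first >> 3) & 7, first & 7
    refid = decode_refid(stratum, data[12:16])
    xmit_seconds = struct.unpack("!I", data[40:44])[0]
    authenticated = len(data) >= NTP_HEADER_LEN + MSSNTP_AUTH_LEN
    digest = data[52:68] if authenticated else b""
    problems = []
    if mode != 4:
        problems.append("mode %d is not a server reply" % mode)
    if li == 3:
        problems.append("leap indicator 3: server clock unsynchronized")
    if stratum == 0:
        problems.append("stratum 0 (ntpd's wire form of 16) with code %r" % refid)
    elif stratum >= 16:
        problems.append("stratum %d: unsynchronized" % stratum)
    if xmit_seconds == 0:
        problems.append("transmit timestamp is zero")
    return {
        "version": version,
        "stratum": stratum,
        "refid": refid,
        # w32tm prints the raw 4 bytes as a little-endian integer
        "refid_w32tm": "0x%08X" % struct.unpack("<I", data[12:16])[0],
        "authenticated": authenticated,
        "signed": authenticated and any(digest),  # digest left zeroed = unsigned
        "usable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print(parse_reply(build_reply(3, bytes([192, 75, 12, 11]), 3583000000)))
    print(parse_reply(build_reply(0, b"INIT", 0, li=3)))
```

Sending `build_request(...)` with a key identifier to UDP port 123 of the DC from a Linux host and feeding the answer to `parse_reply()` separates the three failure shapes seen in this thread: no answer at all (a restrict `ignore`, a firewall, or the DC never receiving the packet), an answer that is unusable (stratum 0 / 'INIT', leap indicator 3), and an answer that is usable but unsigned (the 16-byte digest still all zero, which is what a Windows domain member rejects).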

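The last message above asks whether running ntpd as root instead of ntp:ntp is acceptable. The least-privilege alternative, which the Samba wiki page linked earlier in the thread documents, is to leave ntpd as ntp:ntp and give the ntp group search access to the signd socket directory (chgrp ntp and chmod 0750 on the directory); the 0777 mode on the socket itself is not enough if the ntp user cannot traverse the directory above it. The Python below is an added example, not code from the thread or from Samba: it emulates the discretionary-access checks a connect() to the socket path needs for a given uid/gid (search permission on each directory component, write permission on the socket inode) and reports the first component that fails. `demo()` builds its own temporary directory and socket so it runs without a Samba install; the uid/gid numbers it uses for the "ntp" identity are constructed, and AppArmor, SELinux and ACL denials are outside what it models.

```python
import os
import socket
import stat
import tempfile


def _permits(st, uid, gids, bit_user, bit_group, bit_other):
    """Classic DAC: owner bits, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & bit_user)
    if st.st_gid in gids:
        return bool(st.st_mode & bit_group)
    return bool(st.st_mode & bit_other)


def socket_reachable(path, uid, gid, supplementary=(), start=os.sep):
    """Return (ok, reason). Checks search (x) on every directory below
    start down to the socket, then write (w) on the socket inode, for the
    identity uid/gid/supplementary. uid 0 bypasses the mode bits."""
    gids = set(supplementary) | {gid}
    path, start = os.path.abspath(path), os.path.abspath(start)
    parent = os.path.dirname(path)
    if os.path.commonpath([parent, start]) != start:
        raise ValueError("path must lie below start")
    if uid == 0:
        if os.path.exists(path):
            return True, "uid 0 bypasses discretionary access checks"
        return False, "%s does not exist" % path
    current = start
    rel = os.path.relpath(parent, start)
    for comp in ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, comp)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return False, "%s does not exist" % current
        if not _permits(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on %s (mode %04o, owner %d:%d)" % (
                current, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "%s does not exist; is samba creating the socket?" % path
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s is not a Unix socket" % path
    if not _permits(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, "no write permission on %s (mode %04o, owner %d:%d)" % (
            path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return True, "ok"


def demo():
    """Constructed layout: a 0750 directory owned by the current user standing
    in for /var/run/samba/ntp_signd, with a 0777 socket inside as the ls -l in
    the thread shows. The 'ntp' identity is a made-up uid/gid (ours + 1)."""
    base = tempfile.mkdtemp(prefix="ntp_signd_demo_")
    signd_dir = os.path.join(base, "ntp_signd")
    sock_path = os.path.join(signd_dir, "socket")
    os.mkdir(signd_dir)
    os.chmod(signd_dir, 0o750)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o777)
        dir_gid = os.stat(signd_dir).st_gid
        ntp_uid, ntp_gid = os.getuid() + 1, os.getgid() + 1
        results = {
            "root": socket_reachable(sock_path, 0, 0, start=base),
            # ntp is neither owner nor group of the directory: fails at the dir
            "ntp_other_group": socket_reachable(sock_path, ntp_uid, ntp_gid, start=base),
            # after 'chgrp ntp' on the directory: group has r-x, socket has w
            "ntp_in_dir_group": socket_reachable(sock_path, ntp_uid, dir_gid, start=base),
        }
        # directory traversable by all, but the socket itself is not writable
        os.chmod(signd_dir, 0o755)
        os.chmod(sock_path, 0o770)
        results["socket_not_writable"] = socket_reachable(sock_path, ntp_uid, ntp_gid, start=base)
    finally:
        srv.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)
        os.rmdir(signd_dir)
        os.rmdir(base)
    results["missing"] = socket_reachable(sock_path, ntp_uid, dir_gid, start=base)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-20s %-5s %s" % (name, ok, reason))
```

On a real DC the call is `socket_reachable("/var/run/samba/ntp_signd/socket", 106, 113)` with the uid and gid from the `-u` argument in the thread and `start` left at `/`; the reason string names the component to fix, which is the answer to "which directory needs chgrp ntp" without granting ntpd root.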