[Samba] time sync for windows workstations

L.P.H. van Belle belle at bazuin.nl
Wed Sep 10 05:19:49 MDT 2014


Hai Mourik Jan, 

here are some suggestions. 

The GPO as shown below should not be needed, check the following at least.

in /etc/ntp.conf on all servers, make sure they are the same and check if you have only 1 ntp server source. 
like :   server npt1.nl.net  
disable all others server lines. 

check if you did set this in ntp.conf on all servers. 

# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

make sure the rights are ok. 

install -o root -g ntp -m 0750 -d /var/lib/samba/ntp_signd
( or chown root:ntp  /var/lib/samba/ntp_signd && chmod 0750  /var/lib/samba/ntp_signd ) 

make sure /var/lib/samba has right 755 or ntp wont reach the /var/lib/samba/ntp_signd folder

run on you windows pc as administrator 
net time /setsntp:dc1.you.domain.tld
reboot the pc.

restart ntp and wait 5 min and  type ntpq -p  
should see. 
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*dc2.internal.. 193.79.237.14    2 u   8d 1024    0    0.628   -0.666   0.000

the refid is the ip of the ntp server in ntp.conf 
remote is the internal time server on you DC. 

if the refid is unknown then you must recheck you config.

Louis



>-----Oorspronkelijk bericht-----
>Van: heupink at merit.unu.edu 
>[mailto:samba-bounces at lists.samba.org] Namens mourik jan 
>heupink - merit
>Verzonden: dinsdag 9 september 2014 18:40
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] time sync for windows workstations
>
>Hi all,
>
>Thanks to all who responded... It still does not yet work, and your 
>ideas are highly appreciated:
>
>I have followed this document:
>https://wiki.samba.org/index.php/Time_Synchronisation
>
>Where things seem to go wrong:
>
>- I changed ownership to ntp:ntp on the directory ntp_signd:
>root at DC2:~# ls -ld /var/lib/samba/ntp_signd/
>drwxr-x--- 2 ntp ntp 19 Sep  9 17:15 /var/lib/samba/ntp_signd/
>
>However, after this, things start to go wrong:
>After the above ownership change, restarting samba complains 
>upon start 
>that 'it cannot create NTP signd pipe directory' and also every samba 
>restart I get: "warming: failed to kill 2889: No such process".
>
>Also with the new ownership, the dc no longer shows as available in 
>ADUC. I need to undo the chown and then reboot the DC for it to become 
>available again.
>
>I have set a GPO, to take time from:
>NtpServer "dc2.samba.company.com,0x9"
>Type: NT5DS
>CrossSiteSyncFlags: 2
>ResolvPeerBackoffMinutes: 15
>ResolvPeerBackoffMaxTimes: 7
>SpecialPollInterval: 3600
>EventLogFlags: 3
>
>And a GPO to enable the windown NTP client, both enabled an in effect.
>
>Yet, cmd as admin user:
>
>C:\Windows\system32>W32tm /resync /rediscover
>Sending resync command to local computer
>The computer did not resync because no time data was available.
>
>And:
>C:\Windows\system32>W32tm /monitor
>dc1.samba.merit.unu.edu *** PDC ***[192.x.y.17:123]:
>     ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
>     NTP: error ERROR_TIMEOUT - no response from server in 1000ms
>DC2.samba.company.com *** PDC ***[192.x.y.15:123]:
>     ICMP: 0ms delay
>     NTP: +61.5498299s offset from dc1.samba.company.com
>         RefID: (unknown) [0x06696505]
>         Stratum: 3
>DC3.samba.company.com *** PDC ***[192.x.y.16:123]:
>     ICMP: 0ms delay
>     NTP: +61.5499067s offset from dc1.samba.company.com
>         RefID: 2-smtp.kingsquare.nl [77.72.144.59]
>         Stratum: 3
>DC4.samba.company.com *** PDC ***[192.x.y.14:123]:
>     ICMP: 0ms delay
>     NTP: +61.5478667s offset from dc1.samba.company.com
>         RefID: (unknown) [0x06696505]
>         Stratum: 3
>
>When cheching with wireshark, I can see ntp traffic (surprisingly) to 
>the DC3.samba.company.com. (yet the GPO is set to dc2.samba... and DC2 
>also has the PDC role in our AD)
>
>And still, my workstation time is one minute late, compared to the DC. 
>No firewall in the DC.
>
>Can anyone help..? What am I missing....
>
>MJ
>
>On 9/3/2014 21:52, Marc Muehlfeld wrote:
>> Am 03.09.2014 21:12, schrieb Helmut Hullen:
>>> I've looked into the "./configure --help" options of ntp-4.2.6p5
>>> (slackware, but the source should be distribution independent), and
>>> there I haven't found such an option.
>>>
>>> And my slackware binary of ntpd works well since very many 
>months as an
>>> "internet time server" for windows xp and windows 7.
>>
>>
>> https://wiki.samba.org/index.php/Time_Synchronisation#Installation
>>
>> It has to be build with --enable-ntp-signd.
>>
>>
>> Regards,
>> Marc
>>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>



More information about the samba mailing list