[Samba] time sync for windows workstations

mourik jan heupink - merit heupink at merit.unu.edu
Wed Sep 10 06:11:52 MDT 2014


Hi Louis,

Thank you very much for your elaborate reply. :-)

Following your suggestions, things seem to be working now! The problem was
that I did chown ntp:ntp instead of chown root:ntp.

Now restarting samba gives no errors anymore, ntp is synced, and:

C:\Windows\system32>w32tm /resync /rediscover
Sending resync command to local computer
The command completed successfully.

Yess :-)

Thank you again, Louis!

Regards,
Mourik Jan

On 9/10/2014 13:19, L.P.H. van Belle wrote:
> Hi Mourik Jan,
>
> Here are some suggestions.
>
> The GPO as shown below should not be needed; check the following at least.
>
> In /etc/ntp.conf on all servers, make sure they are the same and check if you have only 1 ntp server source,
> like:   server npt1.nl.net
> Disable all other server lines.
>
> Check if you did set this in ntp.conf on all servers:
>
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
> Make sure the rights are OK.
>
> install -o root -g ntp -m 0750 -d /var/lib/samba/ntp_signd
> ( or chown root:ntp  /var/lib/samba/ntp_signd && chmod 0750  /var/lib/samba/ntp_signd )
>
> Make sure /var/lib/samba has rights 755 or ntp won't reach the /var/lib/samba/ntp_signd folder.
>
> Run on your Windows PC as administrator:
> net time /setsntp:dc1.you.domain.tld
> Reboot the PC.
>
> Restart ntp, wait 5 min and type ntpq -p
> You should see:
>       remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> *dc2.internal.. 193.79.237.14    2 u   8d 1024    0    0.628   -0.666   0.000
>
> The refid is the IP of the ntp server in ntp.conf.
> Remote is the internal time server on your DC.
>
> If the refid is unknown then you must recheck your config.
>
> Louis
>
>
>
>> -----Original message-----
>> From: heupink at merit.unu.edu
>> [mailto:samba-bounces at lists.samba.org] On behalf of mourik jan
>> heupink - merit
>> Sent: Tuesday 9 September 2014 18:40
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] time sync for windows workstations
>>
>> Hi all,
>>
>> Thanks to all who responded... It still does not yet work, and your
>> ideas are highly appreciated:
>>
>> I have followed this document:
>> https://wiki.samba.org/index.php/Time_Synchronisation
>>
>> Where things seem to go wrong:
>>
>> - I changed ownership to ntp:ntp on the directory ntp_signd:
>> root at DC2:~# ls -ld /var/lib/samba/ntp_signd/
>> drwxr-x--- 2 ntp ntp 19 Sep  9 17:15 /var/lib/samba/ntp_signd/
>>
>> However, after this, things start to go wrong:
>> After the above ownership change, restarting samba complains upon start
>> that 'it cannot create NTP signd pipe directory' and also on every samba
>> restart I get: "warming: failed to kill 2889: No such process".
>>
>> Also with the new ownership, the dc no longer shows as available in
>> ADUC. I need to undo the chown and then reboot the DC for it to become
>> available again.
>>
>> I have set a GPO, to take time from:
>> NtpServer "dc2.samba.company.com,0x9"
>> Type: NT5DS
>> CrossSiteSyncFlags: 2
>> ResolvPeerBackoffMinutes: 15
>> ResolvPeerBackoffMaxTimes: 7
>> SpecialPollInterval: 3600
>> EventLogFlags: 3
>>
>> And a GPO to enable the Windows NTP client, both enabled and in effect.
>>
>> Yet, cmd as admin user:
>>
>> C:\Windows\system32>W32tm /resync /rediscover
>> Sending resync command to local computer
>> The computer did not resync because no time data was available.
>>
>> And:
>> C:\Windows\system32>W32tm /monitor
>> dc1.samba.merit.unu.edu *** PDC ***[192.x.y.17:123]:
>>      ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
>>      NTP: error ERROR_TIMEOUT - no response from server in 1000ms
>> DC2.samba.company.com *** PDC ***[192.x.y.15:123]:
>>      ICMP: 0ms delay
>>      NTP: +61.5498299s offset from dc1.samba.company.com
>>          RefID: (unknown) [0x06696505]
>>          Stratum: 3
>> DC3.samba.company.com *** PDC ***[192.x.y.16:123]:
>>      ICMP: 0ms delay
>>      NTP: +61.5499067s offset from dc1.samba.company.com
>>          RefID: 2-smtp.kingsquare.nl [77.72.144.59]
>>          Stratum: 3
>> DC4.samba.company.com *** PDC ***[192.x.y.14:123]:
>>      ICMP: 0ms delay
>>      NTP: +61.5478667s offset from dc1.samba.company.com
>>          RefID: (unknown) [0x06696505]
>>          Stratum: 3
>>
>> When checking with wireshark, I can see ntp traffic (surprisingly) to
>> the DC3.samba.company.com. (yet the GPO is set to dc2.samba... and DC2
>> also has the PDC role in our AD)
>>
>> And still, my workstation time is one minute late, compared to the DC.
>> No firewall in the DC.
>>
>> Can anyone help..? What am I missing....
>>
>> MJ
>>
>> On 9/3/2014 21:52, Marc Muehlfeld wrote:
>>> On 03.09.2014 21:12, Helmut Hullen wrote:
>>>> I've looked into the "./configure --help" options of ntp-4.2.6p5
>>>> (slackware, but the source should be distribution independent), and
>>>> there I haven't found such an option.
>>>>
>>>> And my slackware binary of ntpd works well since very many months as an
>>>> "internet time server" for windows xp and windows 7.
>>>
>>>
>>> https://wiki.samba.org/index.php/Time_Synchronisation#Installation
>>>
>>> It has to be built with --enable-ntp-signd.
>>>
>>>
>>> Regards,
>>> Marc
>>>
>
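
The ownership, mode and ntp.conf checks from Louis's reply, collected into one audit script. This is an added example, not part of the original thread or of Samba; the function names are this example's own, GNU `stat -c` is assumed, and the owner and group default to the root:ntp that resolved the problem above.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ntp_signd setup described above.
# Assumes GNU stat (stat -c). Owner/group default to root:ntp, as in the thread.

# check_signd_dir DIR [OWNER] [GROUP]: DIR must be OWNER:GROUP with mode 750.
check_signd_dir() {
    dir=${1%/}; want="${2:-root}:${3:-ntp} 750"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    got=$(stat -c '%U:%G %a' "$dir")
    [ "$got" = "$want" ] || { echo "FAIL: $dir is '$got', want '$want'"; return 1; }
    echo "OK: $dir is $got"
}

# check_parent DIR: the parent must let "other" traverse it (o+x, as 755 does),
# otherwise ntpd cannot reach the socket directory.
check_parent() {
    parent=$(dirname "${1%/}"); mode=$(stat -c '%a' "$parent")
    case $mode in
        *[1357]) echo "OK: $parent is $mode" ;;
        *) echo "FAIL: $parent is $mode, other users cannot traverse it"; return 1 ;;
    esac
}

# check_ntp_conf CONF DIR: CONF must point ntpsigndsocket at DIR and carry a
# restrict line with mssntp; more or fewer than one server line is a warning.
check_ntp_conf() {
    conf=$1; dir=${2%/}; conf_rc=0
    awk -v d="$dir" '$1 == "ntpsigndsocket" { sub(/\/$/, "", $2); if ($2 == d) ok = 1 }
                     END { exit !ok }' "$conf" ||
        { echo "FAIL: no 'ntpsigndsocket $dir' in $conf"; conf_rc=1; }
    grep -Eq '^[[:space:]]*restrict[[:space:]].*[[:space:]]mssntp([[:space:]]|$)' "$conf" ||
        { echo "FAIL: no restrict line with mssntp in $conf"; conf_rc=1; }
    n=$(grep -Ec '^[[:space:]]*server[[:space:]]' "$conf" || true)
    [ "$n" -eq 1 ] || echo "WARN: $n server lines in $conf, expected 1"
    return $conf_rc
}

# audit DIR CONF [OWNER] [GROUP]: run all checks, return non-zero if any failed.
audit() {
    audit_rc=0
    check_signd_dir "$1" "$3" "$4" || audit_rc=1
    check_parent "$1" || audit_rc=1
    check_ntp_conf "$2" "$1" || audit_rc=1
    return $audit_rc
}

# Usage on a DC: sh audit.sh /var/lib/samba/ntp_signd /etc/ntp.conf
if [ $# -ge 2 ]; then audit "$@"; fi
```

An ntp:ntp directory, the state reported in the earlier message, is reported as a FAIL by `check_signd_dir` because the expected owner is root.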

