[Samba] member ntp time sync

Rowland Penny rowlandpenny at googlemail.com
Mon Feb 9 07:23:42 MST 2015


On 09/02/15 14:06, Bob of Donelson Trophy wrote:
>   
>
> On my member server, running 'ntpq -p' yields:
>
> ntpq -p
> localhost: timed out, nothing received
> ***Request timed out
>
> The ntp.conf file is trying to use the DC's hostnames addresses:
>
> user@DC01:~# cat /etc/ntp.conf
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> # You do need to talk to an NTP server or two (or three).
> #server ntp.your-provider.example
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> # pick a different set every time it starts up. Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> server 0.debian.pool.ntp.org iburst
> server 1.debian.pool.ntp.org iburst
> server 2.debian.pool.ntp.org iburst
> server 3.debian.pool.ntp.org iburst
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.123.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines. Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
> driftfile /var/lib/ntp/ntp.drift
>
> # Enable this if you want statistics to be logged.
> #statsdir /var/log/ntpstats/
>
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> # You do need to talk to an NTP server or two (or three).
> server 0.north-america.pool.ntp.org
>
> #server 0.nl.pool.ntp.org nomodify notrap nopeer noquery
> #server 1.nl.pool.ntp.org nomodify notrap nopeer noquery
> #server 2.nl.pool.ntp.org nomodify notrap nopeer noquery
> #server 3.nl.pool.ntp.org nomodify notrap nopeer noquery
>
> # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
> # pick a different set every time it starts up. Please consider joining the
> # pool: <http://www.pool.ntp.org/join.html>
> #server 0.debian.pool.ntp.org iburst
> #server 1.debian.pool.ntp.org iburst
> #server 2.debian.pool.ntp.org iburst
> #server 3.debian.pool.ntp.org iburst
>
> # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
> # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
> # might also be helpful.
> #
> # Note that "restrict" applies to both servers and clients, so a configuration
> # that might be intended to block requests from certain clients could also end
> # up blocking replies from your own upstream servers.
>
> ###### Needed for Samba 4 ####### in the restrict -4 or -6 added mssntp at the end
> # Location of the samba ntp_signed directory
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> #restrict 192.168.16.0 mask 255.255.255.0 notrust
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> #broadcast 192.168.16.255
>
> # If you want to listen to time broadcasts on your local subnet, de-comment the
> # next lines. Please do this only if you trust everybody on the network!
> #disable auth
> #broadcastclient
>
> And here is the ntp.conf file from my member server:
>
> user@member:~# cat /etc/ntp.conf
> # Local clock (this is not the localhost address!)
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
>
> # The source, where we are receiving the time from (PDC)
> server dtdc02.dts***m.lan. iburst prefer
> server dtdc01.dts***m.lan. iburst prefer
>
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
>
> # Access control
> # Default restriction
> restrict default ignore
>
> # Allow everything from localhost
> restrict 127.0.0.1
>
> # Allow that our time source can only provide time and do nothing else
> restrict dtdc02.dts***m.lan. mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict dtdc01.dts***m.lan. mask 255.255.255.255 nomodify notrap nopeer noquery
>
> Should not the end of the DC's ntp.conf file (where it is suggesting a
> 'Samba4' setting) be set to the local lan addresses access? I tried
> setting it so and got the same result on the member server after
> restarting ntp time on the DC's? So, I figured I must be wrong? Member
> needs to keep time with the DC's, right?

Hi, if I remove the commented lines from your DC's ntp.conf, I find this:

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.north-america.pool.ntp.org
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
restrict 127.0.0.1
restrict ::1

You seem to have all of the required lines, but twice !!

Try making it like this:

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.north-america.pool.ntp.org
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

Restart ntp and try again.

Rowland
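
The comment-stripping and duplicate check described in the reply above can be automated. The following is an added example, not part of the original message or of Samba/ntp: a small ntp.conf linter that reports exact duplicate directives, `restrict` targets that appear with different flag sets, and default `restrict` lines lacking `mssntp` when `ntpsigndsocket` is set (the requirement stated in the config comment quoted in the thread). The sample config is constructed from the quoted DC file and the finding labels are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample: the active lines of the DC's ntp.conf quoted in the
# thread (filegen/statistics and -6 lines left out for brevity).
DC_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
# second, Samba-specific copy appended below the stock one
driftfile /var/lib/ntp/ntp.drift
server 0.north-america.pool.ntp.org
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict 127.0.0.1
"""


def active_lines(text):
    """Directives only: drop comments and blanks, normalise whitespace."""
    stripped = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [" ".join(tokens) for tokens in stripped if tokens]


def lint(text):
    """Return findings: exact duplicates, conflicting restricts, missing mssntp."""
    lines = active_lines(text)
    findings = [f"duplicate: {ln}" for ln, n in Counter(lines).items() if n > 1]
    flags_by_target = defaultdict(set)
    for line in lines:
        tokens = line.split()
        if tokens[0] == "restrict" and len(tokens) > 1:
            # Target is "default" or an address, optionally preceded by -4/-6.
            width = 2 if tokens[1] in ("-4", "-6") else 1
            target = " ".join(tokens[1:1 + width])
            flags_by_target[target].add(frozenset(tokens[1 + width:]))
    for target, variants in flags_by_target.items():
        if len(variants) > 1:
            findings.append(f"conflict: restrict {target} has {len(variants)} flag sets")
    # Per the quoted config comment: Samba 4 signing needs mssntp on the defaults.
    if any(ln.startswith("ntpsigndsocket ") for ln in lines):
        for target, variants in flags_by_target.items():
            if target.split()[-1] == "default" and any("mssntp" not in v for v in variants):
                findings.append(f"no-mssntp: restrict {target}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(DC_CONF)))
```
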

