[Samba] net ads info: failed to get server's current time

Guy-Laurent Subri guy-laurent at subri.ch
Wed Oct 28 10:09:06 UTC 2015


On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
>On 22/10/15 22:33, Guy-Laurent Subri wrote:
>> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>>>>> Hi all,
>>>>>> We're having issues with Samba at work. I've searched a bit and the only
>>>>>> thing that has caught my eye is this: when I run the 'net ads info'
>>>>>> command on our DC --we have a Debian on which samba4 is installed and
>>>>>> configured as an AD DC-- I have the message "Failed to get server's
>>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>>>>
>>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>>>>> mis-configured, have you altered the smb.conf in any way ?
>>>>
>>>> I don't think the modifications I did to smb.conf are relevant enough to
>>>> cause a problem, but here's our smb.conf, just in case:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>    workgroup = TRS-CH
>>>>    realm = TRS-CH.COM
>>>>    netbios name = PDC
>>>>    server role = active directory domain controller
>>>>    server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl,
>>>>                        +winbind, +ntp_signd, +kcc, +dnsupdate
>>>> [netlogon]
>>>>   path = /var/lib/samba/sysvol/trs-ch.com/scripts
>>>>   read only = No
>>>>
>>>> [sysvol]
>>>>   path = /var/lib/samba/sysvol
>>>>   read only = No
>>>>
>>>>> do you have ntp installed and configured correctly ?
>>>> Yes, I have it installed and everything works fine.
>>>>
>>>> I also already tested the DNS by running the commands described here:
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>>
>>>>
>>>> Everything is reachable.
>>>>
>>>> I tested kerberos by doing:
>>>> 'kinit administrator@TRS-CH.COM'
>>>> It showed up when I did 'klist'.
>>>>
>>>> Do you need more information ?
>>>>
>>>> Thanks !
>>>> Cheers,
>>>> Guy-Laurent Subri
>>>
>>> Are you running with Bind9 ?
>>>
>>> I think you need to remove all the '+' signs you have added to the
>>> 'server services' line, you normally only use the '+' sign to add a
>>> service to the line, I think you may still be using the un-shown 'dns'
>>> option.
>>> I would also recommend that you use the new separate 'winbindd' instead
>>> of the 'winbind' that you are using. I think that before long the old
>>> 'winbind' built into the samba daemon is going to disappear, so you
>>> might as well get used to it now.
>> Yes, I'm running Bind9.
>> If I either remove the + signs or change 'windbind' to 'windbindd' I
>> cannot contact the server again. (The result of the command 'net ads
>> info' is : no logon servers, didn't find the ldap server).
>>
>> Cheers,
>> Guy-Laurent Subri
>
>OK, I have just joined a new DC to my domain and I am using Bind9 and
>this is what I have in smb.conf:
>
>server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>winbindd, ntp_signd, kcc, dnsupdate
>
>Note the lack of '+' signs
>
>This is with Samba 4.3.1
My version of Samba is 4.1.17. I don't think this changes anything, but
I can try to upgrade if needed.
>I have also checked and 'net ads info' works as well, so if yours isn't
>working, then something else is wrong, can you post your ntp.conf and
>bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>
>Rowland

Here are the files:

/etc/ntp.conf
-------------
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd

statsdir /var/log/ntpstats/

server 0.ch.pool.ntp.org
server 1.ch.pool.ntp.org
server 2.ch.pool.ntp.org
server 3.ch.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

restrict 127.0.0.1
restrict ::1

restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery

broadcast 192.168.123.255

/etc/bind/named.conf
--------------------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
----------------------------
options {
    directory "/var/cache/bind";

    forwarders {
        192.168.1.185;
    };
    
    dnssec-validation auto;

    auth-nxdomain no;
    allow-query { localhost; any; };
    listen-on port 53 { 127.0.0.1; 192.168.1.17; };
    listen-on-v6 { any; };
};

/etc/bind/named.conf.local 
--------------------------
is empty

/etc/bind/named.conf.default-zones
----------------------------------
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
    type master;
    file "/var/lib/samba/private/dns/trs-ch.com.zone";
    include "/var/lib/samba/private/named.conf.update";
    check-names ignore;
};

resolv.conf
-----------
search trs-ch.com
nameserver 192.168.1.17
nameserver 192.168.1.7

krb5.conf
---------
[libdefaults]
default_realm = TRS-CH.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TRS-CH.COM = {
    kdc = 192.168.1.17
        admin_server = 192.168.1.17
        default_domain = trs-ch.com
}
[TRS-CH.COM]
.trs-ch.com = TRS-CH.COM
trs.ch.com =
TRS-CH.COM

Thank you for your time!

Cheers,
Guy-Laurent
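
An added illustration, not part of the original message and not Samba's own code, of the '+' semantics Rowland describes in the quoted text: a 'server services' value made only of '+' entries extends the built-in default list instead of replacing it, so the internal 'dns' service stays enabled next to Bind9. The default list below is an assumption for the 4.1 series (compare with `testparm -v` on the host), and the function names are hypothetical.

```python
# Assumed built-in default for 'server services' (Samba 4.1 series).
# This is an assumption; confirm the real default with `testparm -v`.
ASSUMED_DEFAULT = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                   "drepl", "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"]

# The two values shown in the thread.
POSTED = ("+s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, "
          "+winbind, +ntp_signd, +kcc, +dnsupdate")
ROWLAND = ("s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
           "winbindd, ntp_signd, kcc, dnsupdate")


def effective_services(value, default=ASSUMED_DEFAULT):
    """Simplified model of how a 'server services' value is resolved.

    A plain list replaces the default. A list whose first entry starts
    with '+' or '-' modifies the default instead.
    """
    entries = value.replace(",", " ").split()
    if not entries:
        return list(default)
    if entries[0][0] not in "+-":
        return entries                      # plain list: full override
    result = list(default)                  # +/- list: start from default
    for entry in entries:
        sign, name = entry[0], entry[1:]
        if sign == "+":
            if name not in result:
                result.append(name)
        elif sign == "-":
            result = [s for s in result if s != name]
        else:
            # Assumption: mixing prefixed and bare entries is rejected.
            raise ValueError("mixed +/- and plain entries: %r" % entry)
    return result


def bind9_findings(value, default=ASSUMED_DEFAULT):
    """Findings for a DC whose DNS is served by Bind9 (BIND9_DLZ or flat file)."""
    findings = []
    if "dns" in effective_services(value, default):
        findings.append("internal 'dns' service is still enabled alongside Bind9")
    return findings


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("rowland", ROWLAND)):
        print(label, effective_services(value), bind9_findings(value))
```
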


