[Samba] net ads info: failed to get server's current time

Rowland Penny rowlandpenny241155 at gmail.com
Wed Oct 28 11:19:15 UTC 2015


On 28/10/15 11:10, L.P.H. van Belle wrote:
> Hm, the bind setup looks ok to me, it's a Debian Jessie as far as I can see.
> It's a default setup, almost the same as I'm using, and bind is configured to 9.9
>
> So I think it is one of these 4 problems.
>
> Incorrect rights on  /var/lib/samba/ntp_signd
> chown root:ntp /var/lib/samba/ntp_signd
> chmod 750 /var/lib/samba/ntp_signd
>
> OR
> The time on the pc is more than 5 min off.
>
> OR
> The pc has just joined the domain and has not rebooted yet.
>
> OR
> PC is resolving to the internet first.
> Which makes it fail also.
>
> So, check the event logs for the last 3 solutions.
> Check the rights on /var/lib/samba/ntp_signd
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Wednesday 28 October 2015 11:45
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] net ads info: failed to get server's current time
>>
>> On 28/10/15 10:33, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>>
>>> Copy the code and set these variables.
>>> Run the script, restart samba and log in again with a PC.
>>> Should work now, you're missing something, and you're not using good ntp servers.
>>
>> They all reply to a ping and a quick google seems to prove they exist
>> (they must be good time servers, they are Swiss :-D     )
>>
>> I don't think that is the problem though, the OP is using a very strange
>> Bind setup.
>>
>> Rowland
>>> #!/bin/bash
>>> ########## NTP Settings needed for a correct functioning samba AD DC server
>>> ## Set to 1 installs the ntp server. (default is ok )
>>> ## (default is ok )
>>> NTPD_INSTALL="1"
>>> # if you run the server on a XEN Server, set to 1.
>>> NTPD_XEN_GUEST="0"
>>> ## important look for a stratum 1 server in your area
>>> ## for a server joining a domain put the ip of the AD server here.
>>> ## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
>>> ## (default is not ok, change this one to a ntp in your country )
>>> NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
>>> ## if you don't have a second ntp server leave empty
>>> NTPD_SERVER2_EXTERNAL=""
>>> ## restrict ntpd bind to which interfaces.
>>> ## choose, multiple options are allowed.
>>> ## the options are:  lo eth(0..9) wildcard ipv6
>>> ## (default is ok, if your interface name is eth0 and you don't use ipv6. )
>>> NTPD_RESTRICT_INTERFACE="lo eth0"
>>> NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
>>> ## default for sernet samba and debian samba ( should normally not be changed )
>>> SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
>>> ## debian default, leave it as is.
>>> NTPD_GROUP="ntp"
>>>
>>>
>>> ########### NTP
>>> apt-get -y --no-install-recommends install ntp
>>> cp /etc/ntp.conf /etc/ntp.conf.backup
>>> echo " " >> /etc/ntp.conf
>>> ## comment out the debian pool servers.
>>> for x in 0 1 2 3 ; do     sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ;     done
>>> for i in ${NTPD_RESTRICT_INTERFACE} ; do     echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf;     done
>>> for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do     echo "interface ignore ${i2}" >> /etc/ntp.conf;     done
>>> ## setup the ntp source server.
>>> if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then     sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
>>> ## append the second server (the redirect into ntp.conf was missing here).
>>> if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then     echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf; fi
>>> ## allow signed MS-SNTP replies on the default restrict lines.
>>> sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>>> sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>>> ## point ntpd at the samba signing socket (uses the variable set above).
>>> cat << EOF >> /etc/ntp.conf
>>>
>>> ntpsigndsocket ${SAMBA_NTP_SIGNPATH}
>>>
>>> EOF
>>>
>>> install -o root -g "${NTPD_GROUP}" -m 0750 -d "${SAMBA_NTP_SIGNPATH}"
>>> service ntp start
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
>>>> Sent: Wednesday 28 October 2015 11:09
>>>> To: Rowland Penny
>>>> CC: sambalist
>>>> Subject: Re: [Samba] net ads info: failed to get server's current time
>>>> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
>>>>> On 22/10/15 22:33, Guy-Laurent Subri wrote:
>>>>>> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>>>>>>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>>>>>>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>>>>>>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>> We're having issues with Samba at work. I've searched a bit and the
>>>>>>>>>> only thing that has caught my eye is this: when I run the 'net ads info'
>>>>>>>>>> command on our DC --we have a Debian on which samba4 is installed and
>>>>>>>>>> configured as an AD DC-- I have the message "Failed to get server's
>>>>>>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>>>>>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>>>>>>>>> mis-configured, have you altered the smb.conf in any way ?
>>>>>>>> I don't think the modifications I did to smb.conf are relevant
>>>>>>>> enough to
>>>>>>>> cause problem, but here's our smb.conf, just in case:
>>>>>>>>
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>>      workgroup = TRS-CH
>>>>>>>>      realm = TRS-CH.COM
>>>>>>>>      netbios name = PDC
>>>>>>>>      server role = active directory domain controller
>>>>>>>>      server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl,
>>>>>>>>                          +winbind, +ntp_signd, +kcc, +dnsupdate
>>>>>>>> [netlogon]
>>>>>>>>     path = /var/lib/samba/sysvol/trs-ch.com/scripts
>>>>>>>>     read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>>     path = /var/lib/samba/sysvol
>>>>>>>>     read only = No
>>>>>>>>
>>>>>>>>> do you have ntp installed and configured correctly ?
>>>>>>>> Yes, I have it installed and everything works fine.
>>>>>>>>
>>>>>>>> I also already tested the DNS by running the commands described here:
>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>>>>>> Everything is reachable.
>>>>>>>>
>>>>>>>> I tested kerberos by doing:
>>>>>>>> 'kinit administrator@TRS-CH.COM'
>>>>>>>> It showed up when I did 'klist'.
>>>>>>>>
>>>>>>>> Do you need more information ?
>>>>>>>>
>>>>>>>> Thanks !
>>>>>>>> Cheers,
>>>>>>>> Guy-Laurent Subri
>>>>>>> Are you running with Bind9 ?
>>>>>>>
>>>>>>> I think you need to remove all the '+' signs you have added to the
>>>>>>> 'server services' line, you normally only use the '+' sign to add a
>>>>>>> service to the line, I think you may still be using the un-shown 'dns'
>>>>>>> option.
>>>>>>> I would also recommend that you use the new separate 'winbindd' instead
>>>>>>> of the 'winbind' that you are using. I think that before long the old
>>>>>>> 'winbind' built into the samba daemon is going to disappear, so you
>>>>>>> might as well get used to it now.
>>>>>> Yes, I'm running Bind9.
>>>>>> If I either remove the + signs or change 'winbind' to 'winbindd' I
>>>>>> cannot contact the server again. (The result of the command 'net ads
>>>>>> info' is : no logon servers, didn't find the ldap server).
>>>>>>
>>>>>> Cheers,
>>>>>> Guy-Laurent Subri
>>>>> OK, I have just joined a new DC to my domain and I am using Bind9 and
>>>>> this is what I have in smb.conf:
>>>>>
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>> winbindd, ntp_signd, kcc, dnsupdate
>>>>>
>>>>> Note the lack of '+' signs
>>>>>
>>>>> This is with Samba 4.3.1
>>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>>> I can try to upgrade if needed.
>>>>> I have also checked and 'net ads info' works as well, so if yours isn't
>>>>> working, then something else is wrong, can you post your ntp.conf and
>>>>> bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>>>>>
>>>>> Rowland
>>>> Here are the files:
>>>>
>>>> /etc/ntp.conf
>>>> -------------
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>>
>>>> statsdir /var/log/ntpstats/
>>>>
>>>> server 0.ch.pool.ntp.org
>>>> server 1.ch.pool.ntp.org
>>>> server 2.ch.pool.ntp.org
>>>> server 3.ch.pool.ntp.org
>>>>
>>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>>
>>>> restrict 127.0.0.1
>>>> restrict ::1
>>>>
>>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>>>> broadcast 192.168.123.255
>>>>
>>>> /etc/bind/named.conf
>>>> --------------------
>>>> include "/etc/bind/named.conf.options";
>>>> include "/etc/bind/named.conf.local";
>>>> include "/etc/bind/named.conf.default-zones";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> /etc/bind/named.conf.options
>>>> ----------------------------
>>>> options {
>>>>       directory "/var/cache/bind";
>>>>
>>>>       forwarders {
>>>>           192.168.1.185;
>>>>       };
>>>>
>>>>       dnssec-validation auto;
>>>>
>>>>       auth-nxdomain no;
>>>>       allow-query { localhost; any; };
>>>>       listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>>>       listen-on-v6 { any; };
>>>> };
>>>>
>>>> /etc/bind/named.conf.local
>>>> --------------------------
>>>> is empty
>>>>
>>>> /etc/bind/named.conf.default-zones
>>>> ----------------------------------
>>>> zone "." {
>>>>       type hint;
>>>>       file "/etc/bind/db.root";
>>>> };
>>>>
>>>> zone "localhost" {
>>>>       type master;
>>>>       file "/etc/bind/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" {
>>>>       type master;
>>>>       file "/etc/bind/db.127";
>>>> };
>>>>
>>>> zone "0.in-addr.arpa" {
>>>>       type master;
>>>>       file "/etc/bind/db.0";
>>>> };
>>>>
>>>> zone "255.in-addr.arpa" {
>>>>       type master;
>>>>       file "/etc/bind/db.255";
>>>> };
>>>>
>>>> /var/lib/samba/private/named.conf
>>>> ---------------------------------
>>>> zone "trs-ch.com." IN {
>>>>       type master;
>>>>       file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>>>       include "/var/lib/samba/private/named.conf.update";
>>>>       check-names ignore;
>>>> };
>>>>
>>>> resolv.conf
>>>> -----------
>>>> search trs-ch.com
>>>> nameserver 192.168.1.17
>>>> nameserver 192.168.1.7
>>>>
>>>> krb5.conf
>>>> ---------
>>>> [libdefaults]
>>>> default_realm = TRS-CH.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> TRS-CH.COM = {
>>>>       kdc = 192.168.1.17
>>>>           admin_server = 192.168.1.17
>>>>           default_domain = trs-ch.com
>>>> }
>>>> [TRS-CH.COM]
>>>> .trs-ch.com = TRS-CH.COM
>>>> trs.ch.com =
>>>> TRS-CH.COM
>>>>
>>>> Thank you for your time!
>>>>
>>>> Cheers,
>>>> Guy-Laurent
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>
>

I think you missed this:

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
    type master;
    file "/var/lib/samba/private/dns/trs-ch.com.zone";
    include "/var/lib/samba/private/named.conf.update";
    check-names ignore;
};

On my wheezy DC:

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
     # For BIND 9.8.0
     #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

     # For BIND 9.9.0
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Rowland
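
The three things checked in this thread (the ntpsigndsocket and mssntp lines in ntp.conf, a dlz block in Samba's named.conf like the one from the wheezy DC above, and root:ntp mode 750 on the ntp_signd directory) can be audited with a short script. This is an added example, not part of the original messages; the function names are made up for illustration and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example: audits the three settings discussed in this thread.
# Function names are illustrative; paths are arguments so copies can be checked.

# ntp.conf needs the Samba signing socket and mssntp on both default restrict lines.
check_ntp_conf() {
    conf=$1 rc=0
    grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$conf" ||
        { echo "FAIL: no ntpsigndsocket line in $conf"; rc=1; }
    for fam in -4 -6; do
        grep -E -e "^[[:space:]]*restrict[[:space:]]+$fam[[:space:]]+default" "$conf" |
            grep -qw mssntp ||
            { echo "FAIL: no 'restrict $fam default' line with mssntp in $conf"; rc=1; }
    done
    return $rc
}

# The Samba-generated named.conf for BIND9_DLZ carries a dlz block with exactly
# one uncommented 'database "dlopen ..."' line rather than a flat zone file.
check_named_conf() {
    conf=$1
    live=$(grep -Ev '^[[:space:]]*#' "$conf" || true)
    n=$(printf '%s\n' "$live" | grep -c 'database[[:space:]]*"dlopen ' || true)
    if [ "$n" -eq 1 ] && printf '%s\n' "$live" | grep -q '^[[:space:]]*dlz[[:space:]]'; then
        return 0
    fi
    echo "FAIL: $conf: want a dlz block with exactly 1 active dlopen line, found $n"
    return 1
}

# The signing socket directory should be owned root:<ntp group> with mode 750.
check_signd_dir() {
    dir=$1 group=${2:-ntp}
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    set -- $(stat -c '%a %U %G' "$dir")   # GNU stat, as on Debian
    [ "$1" = 750 ] && [ "$2" = root ] && [ "$3" = "$group" ] && return 0
    echo "FAIL: $dir is mode $1, owner $2:$3 (want 750 root:$group)"
    return 1
}

# Check the live paths from the thread only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    check_ntp_conf /etc/ntp.conf
    check_named_conf /var/lib/samba/private/named.conf
    check_signd_dir /var/lib/samba/ntp_signd
fi
```

Each function prints one FAIL line per problem and returns non-zero, so the script can also be run against copies of the files taken from another DC.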



