[Samba] net ads info: failed to get server's current time

L.P.H. van Belle belle at bazuin.nl
Wed Oct 28 13:45:21 UTC 2015


Hai Guy, 

Yes, it makes a backup of your previous version so you can revert if needed. 

And review your config after you run it, you might see this line: 
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp 
( check if you don't see mssntp 2 x, if so, remove 1 of them ) 
This is because normally this is run against a "default" ntp.conf 

And change the variables in the script where needed before running it. 


Below is my ntp.conf after running the script on a DC !
Member server ntp.conf is a bit different 
And from a default/clean/unmodded ntp.conf. ! 

Review it or run the script. 
( more about these scripts https://secure.bazuin.nl/scripts/  ) 

If reviewed manually, don't forget the rights on 
/var/lib/samba/ntp_signd 
drwxr-x---   2 root ntp                       4096 Oct 16 16:58 ntp_signd



# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
server ntp1.nl.net

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

# Xen guest adjustments
#dispersion 1.000: Ignore high jitters and offsets as local clock drifts wildly on xen
#panic 0: set time even if time shift is more than 1000 seconds
tinker panic 0 dispersion 1.000

interface listen lo

interface listen eth0
interface ignore wildcard
interface ignore ipv6

######  Needed for Samba 4  
#######  in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signd directory
ntpsigndsocket /var/lib/samba/ntp_signd




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
> Sent: Wednesday 28 October 2015 14:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] net ads info: failed to get server's current time
> 
> Thanks for the script. I ran it. So all my config regarding NTP should
> be ok, if I understood correctly ?
> 
> Cheers,
> Guy-Laurent
> On Wed, Oct 28, 2015 at 11:33:14AM +0100, L.P.H. van Belle wrote:
> >Hai,
> >
> >
> >Copy the code and set these variables.
> >Run the script, restart samba and log in again with a PC.
> >Should work now, you're missing something and you're not using good ntp servers.
> >
> >#!/bin/bash
> >########## NTP Settings needed for a correct functioning samba AD DC server
> >## Set to 1 installs the ntp server. (default is ok )
> >## (default is ok )
> >NTPD_INSTALL="1"
> ># if you run the server on a XEN Server, set to 1.
> >NTPD_XEN_GUEST="0"
> >## important look for a stratum 1 server in your area
> >## for a server joining a domain put the ip of the AD server here.
> >## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
> >## (default is not ok, change this one to a ntp in your country )
> >NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
> >## if you dont have a second ntp server leave empty
> >NTPD_SERVER2_EXTERNAL=""
> >## restrict ntpd bind to which interfaces.
> >## choose, multiple options are allowed.
> >## the options are:  lo eth(0..9) wildcard ipv6
> >## (default is ok, if you interface name is eth0 and you dont use ipv6. )
> >NTPD_RESTRICT_INTERFACE="lo eth0"
> >NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
> >## default for sernet samba and debian samba ( should normally not be changed )
> >SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
> >## debian default, leave it as is.
> >NTPD_GROUP="ntp"
> >
> >
> >########### NTP
> >apt-get -y --no-install-recommends install ntp
> >cp /etc/ntp.conf /etc/ntp.conf.backup
> >echo " " >> /etc/ntp.conf
> >for x in 0 1 2 3 ; do     sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ;     done
> >for i in ${NTPD_RESTRICT_INTERFACE} ; do     echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf;     done
> >for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do     echo "interface ignore ${i2}" >> /etc/ntp.conf;     done
> >## setup the ntp source server.
> >if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then     sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
> >## append the optional second server to ntp.conf
> >if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then     echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf; fi
> >sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
> >sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
> >cat << EOF >> /etc/ntp.conf
> >
> >ntpsigndsocket /var/lib/samba/ntp_signd
> >
> >EOF
> >
> >install -o root -g $NTPD_GROUP -m 0750 -d /var/lib/samba/ntp_signd
> >service ntp start
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
> >> Sent: Wednesday 28 October 2015 11:09
> >> To: Rowland Penny
> >> CC: sambalist
> >> Subject: Re: [Samba] net ads info: failed to get server's current time
> >>
> >> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
> >> >On 22/10/15 22:33, Guy-Laurent Subri wrote:
> >> >> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
> >> >>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
> >> >>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
> >> >>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
> >> >>>>>> Hi all,
> >> >>>>>> We're having issues with Samba at work. I've searched a bit and the
> >> >>>>>> only thing that has caught my eye is this: when I run the 'net ads info'
> >> >>>>>> command on our DC --we have a Debian on which samba4 is installed and
> >> >>>>>> configured as an AD DC-- I have the message "Failed to get server's
> >> >>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
> >> >>>>>
> >> >>>>> It works for me on a Debian 4.1.17 DC, so you may have something
> >> >>>>> mis-configured, have you altered the smb.conf in any way ?
> >> >>>>
> >> >>>> I don't think the modifications I did to smb.conf are relevant
> >> >>>> enough to cause problem, but here's our smb.conf, just in case:
> >> >>>>
> >> >>>> # Global parameters
> >> >>>> [global]
> >> >>>>    workgroup = TRS-CH
> >> >>>>    realm = TRS-CH.COM
> >> >>>>    netbios name = PDC
> >> >>>>    server role = active directory domain controller
> >> >>>>    server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl,
> >> >>>>                        +winbind, +ntp_signd, +kcc, +dnsupdate
> >> >>>> [netlogon]
> >> >>>>   path = /var/lib/samba/sysvol/trs-ch.com/scripts
> >> >>>>   read only = No
> >> >>>>
> >> >>>> [sysvol]
> >> >>>>   path = /var/lib/samba/sysvol
> >> >>>>   read only = No
> >> >>>>
> >> >>>>> do you have ntp installed and configured correctly ?
> >> >>>> Yes, I have it installed and everything works fine.
> >> >>>>
> >> >>>> I also already tested the DNS by running the commands described here:
> >> >>>>
> >> >>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> >> >>>>
> >> >>>>
> >> >>>> Everything is reachable.
> >> >>>>
> >> >>>> I tested kerberos by doing:
> >> >>>> 'kinit administrator at TRS-CH.COM'
> >> >>>> It showed up when I did 'klist'.
> >> >>>>
> >> >>>> Do you need more information ?
> >> >>>>
> >> >>>> Thanks !
> >> >>>> Cheers,
> >> >>>> Guy-Laurent Subri
> >> >>>
> >> >>> Are you running with Bind9 ?
> >> >>>
> >> >>> I think you need to remove all the '+' signs you have added to the
> >> >>> 'server services' line, you normally only use the '+' sign to add a
> >> >>> service to the line, I think you may still be using the un-shown 'dns'
> >> >>> option.
> >> >>> I would also recommend that you use the new separate 'winbindd' instead
> >> >>> of the 'winbind' that you are using. I think that before long the old
> >> >>> 'winbind' built into the samba daemon is going to disappear, so you
> >> >>> might as well get used to it now.
> >> >> Yes, I'm running Bind9.
> >> >> If I either remove the + signs or change 'windbind' to 'windbindd' I
> >> >> cannot contact the server again. (The result of the command 'net ads
> >> >> info' is : no logon servers, didn't find the ldap server).
> >> >>
> >> >> Cheers,
> >> >> Guy-Laurent Subri
> >> >
> >> >OK, I have just joined a new DC to my domain and I am using Bind9 and
> >> >this is what I have in smb.conf:
> >> >
> >> >server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> >> >winbindd, ntp_signd, kcc, dnsupdate
> >> >
> >> >Note the lack of '+' signs
> >> >
> >> >This is with Samba 4.3.1
> >> My version of Samba is 4.1.17. I don't think this changes anything, but
> >> I can try to upgrade if needed.
> >> >I have also checked and 'net ads info' works as well, so if yours isn't
> >> >working, then something else is wrong, can you post your ntp.conf and
> >> >bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
> >> >
> >> >Rowland
> >>
> >> Here are the files:
> >>
> >> /etc/ntp.conf
> >> -------------
> >> driftfile /var/lib/ntp/ntp.drift
> >> ntpsigndsocket /var/lib/samba/ntp_signd
> >>
> >> statsdir /var/log/ntpstats/
> >>
> >> server 0.ch.pool.ntp.org
> >> server 1.ch.pool.ntp.org
> >> server 2.ch.pool.ntp.org
> >> server 3.ch.pool.ntp.org
> >>
> >> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> >> restrict -6 default kod notrap nomodify nopeer noquery mssntp
> >>
> >> restrict 127.0.0.1
> >> restrict ::1
> >>
> >> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
> >>
> >> broadcast 192.168.123.255
> >>
> >> /etc/bind/named.conf
> >> --------------------
> >> include "/etc/bind/named.conf.options";
> >> include "/etc/bind/named.conf.local";
> >> include "/etc/bind/named.conf.default-zones";
> >> include "/var/lib/samba/private/named.conf";
> >>
> >> /etc/bind/named.conf.options
> >> ----------------------------
> >> options {
> >>     directory "/var/cache/bind";
> >>
> >>     forwarders {
> >>         192.168.1.185;
> >>     };
> >>
> >>     dnssec-validation auto;
> >>
> >>     auth-nxdomain no;
> >>     allow-query { localhost; any; };
> >>     listen-on port 53 { 127.0.0.1; 192.168.1.17; };
> >>     listen-on-v6 { any; };
> >> };
> >>
> >> /etc/bind/named.conf.local
> >> --------------------------
> >> is empty
> >>
> >> /etc/bind/named.conf.default-zones
> >> ----------------------------------
> >> zone "." {
> >>     type hint;
> >>     file "/etc/bind/db.root";
> >> };
> >>
> >> zone "localhost" {
> >>     type master;
> >>     file "/etc/bind/db.local";
> >> };
> >>
> >> zone "127.in-addr.arpa" {
> >>     type master;
> >>     file "/etc/bind/db.127";
> >> };
> >>
> >> zone "0.in-addr.arpa" {
> >>     type master;
> >>     file "/etc/bind/db.0";
> >> };
> >>
> >> zone "255.in-addr.arpa" {
> >>     type master;
> >>     file "/etc/bind/db.255";
> >> };
> >>
> >> /var/lib/samba/private/named.conf
> >> ---------------------------------
> >> zone "trs-ch.com." IN {
> >>     type master;
> >>     file "/var/lib/samba/private/dns/trs-ch.com.zone";
> >>     include "/var/lib/samba/private/named.conf.update";
> >>     check-names ignore;
> >> };
> >>
> >> resolv.conf
> >> -----------
> >> search trs-ch.com
> >> nameserver 192.168.1.17
> >> nameserver 192.168.1.7
> >>
> >> krb5.conf
> >> ---------
> >> [libdefaults]
> >> default_realm = TRS-CH.COM
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >> [realms]
> >> TRS-CH.COM = {
> >>     kdc = 192.168.1.17
> >>         admin_server = 192.168.1.17
> >>         default_domain = trs-ch.com
> >> }
> >> [TRS-CH.COM]
> >> .trs-ch.com = TRS-CH.COM
> >> trs.ch.com = TRS-CH.COM
> >>
> >> Thank you for your time!
> >>
> >> Cheers,
> >> Guy-Laurent
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
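
Added example (not part of the original thread or of the scripts it links to): a read-only shell check for the settings this thread relies on, namely exactly one `mssntp` flag on each active `restrict ... default` line, an `ntpsigndsocket` directive, and `root:ntp` mode 0750 on the socket directory. The function names and the sample file are constructed for illustration; the directory check assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the Samba AD DC settings in this thread.

# Print one finding per problem; return 0 if the file is clean, 1 otherwise.
check_ntp_conf() {
    conf=$1
    rc=0
    for fam in -4 -6; do
        # First active (uncommented) "restrict <fam> default ..." line, if any.
        line=$(grep -E "^[[:space:]]*restrict[[:space:]]+${fam}[[:space:]]+default" "$conf" | head -n 1)
        [ -n "$line" ] || continue    # address family not configured
        # Count whole-word occurrences of the mssntp flag on that line.
        n=$(printf '%s\n' "$line" | tr -s '[:space:]' '\n' | grep -c -x 'mssntp' || true)
        case $n in
            0) echo "restrict $fam default: mssntp missing"; rc=1 ;;
            1) ;;
            *) echo "restrict $fam default: mssntp listed $n times"; rc=1 ;;
        esac
    done
    if ! grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$conf"; then
        echo "ntpsigndsocket directive missing"; rc=1
    fi
    return $rc
}

# Expect the signing-socket directory as shown in the post: root:ntp, drwxr-x---.
# Assumption: GNU coreutils stat (Linux); anything else is reported as a mismatch.
check_signd_dir() {
    got=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || got="unreadable"
    [ "$got" = "root:ntp 750" ] && return 0
    echo "$1 is '$got', expected 'root:ntp 750'"
    return 1
}

# Constructed sample: the doubled flag the post warns about, a -6 line the
# sed did not touch, and a commented-out socket directive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
restrict -6 default kod notrap nomodify nopeer noquery
#ntpsigndsocket /var/lib/samba/ntp_signd
EOF
check_ntp_conf "$sample" || echo "ntp.conf needs attention"
```

On a real DC, run `check_ntp_conf /etc/ntp.conf` and `check_signd_dir /var/lib/samba/ntp_signd`.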




