[Samba] net ads info: failed to get server's current time

Guy-Laurent Subri guy-laurent at subri.ch
Wed Oct 28 14:01:36 UTC 2015


Reviewing the file, I didn't see any differences between before and
after the script. I guess this means my NTP config was already fine?

Cheers,
Guy-Laurent
On Wed, Oct 28, 2015 at 02:45:21PM +0100, L.P.H. van Belle wrote:
>Hai Guy-Laurent, .... ;)
>
>Yes, it makes a backup of your previous version so you can revert if needed.
>
>And review your config after you run it, you might see this line:
>restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
>( check if you don't see mssntp 2 x, if so, remove 1 of them )
>This is because normally this is run against a "default" ntp.conf
>
>And change the variables in the script where needed before running it.
>
>
>Below is my ntp.conf after running the script on a DC!
>A member server ntp.conf is a bit different.
>And from a default/clean/unmodded ntp.conf!
>
>Review it or run the script.
>( more about these scripts https://secure.bazuin.nl/scripts/  )
>
>If reviewed manually, don't forget the rights on
>/var/lib/samba/ntp_signd
>drwxr-x---   2 root ntp                       4096 Oct 16 16:58 ntp_signd

I have the right permissions on this directory.

># /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
>driftfile /var/lib/ntp/ntp.drift
>
>
># Enable this if you want statistics to be logged.
>#statsdir /var/log/ntpstats/
>
>statistics loopstats peerstats clockstats
>filegen loopstats file loopstats type day enable
>filegen peerstats file peerstats type day enable
>filegen clockstats file clockstats type day enable
>
>
># You do need to talk to an NTP server or two (or three).
>server ntp1.nl.net
>
># pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
># pick a different set every time it starts up.  Please consider joining the
># pool: <http://www.pool.ntp.org/join.html>
>#server 0.debian.pool.ntp.org iburst
>#server 1.debian.pool.ntp.org iburst
>#server 2.debian.pool.ntp.org iburst
>#server 3.debian.pool.ntp.org iburst
>
>
># Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
># details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
># might also be helpful.
>#
># Note that "restrict" applies to both servers and clients, so a configuration
># that might be intended to block requests from certain clients could also end
># up blocking replies from your own upstream servers.
>
># By default, exchange time with everybody, but don't allow configuration.
>restrict -4 default kod notrap nomodify nopeer noquery mssntp
>restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
># Local users may interrogate the ntp server more closely.
>restrict 127.0.0.1
>restrict ::1
>
># Clients from this (example!) subnet have unlimited access, but only if
># cryptographically authenticated.
>#restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
># If you want to provide time to your local subnet, change the next line.
># (Again, the address is an example only.)
>#broadcast 192.168.123.255
>
># If you want to listen to time broadcasts on your local subnet, de-comment the
># next lines.  Please do this only if you trust everybody on the network!
>#disable auth
>#broadcastclient
>
># Xen guest adjustments
>#dispersion 1.000: Ignore high jitters and offsets as local clock drifts wildly on xen
>#panic 0: set time even if time shift is more than 1000 seconds
>tinker panic 0 dispersion 1.000
>
>interface listen lo
>
>interface listen eth0
>interface ignore wildcard
>interface ignore ipv6
>
>######  Needed for Samba 4
>#######  in the restrict -4 or -6 added mssntp at the end
># Location of the samba ntp_signed directory
>ntpsigndsocket /var/lib/samba/ntp_signd
>
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
>> Sent: Wednesday 28 October 2015 14:21
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] net ads info: failed to get server's current time
>>
>> Thanks for the script. I ran it. So all my config regarding NTP should
>> be ok, if I understood correctly ?
>>
>> Cheers,
>> Guy-Laurent
>> On Wed, Oct 28, 2015 at 11:33:14AM +0100, L.P.H. van Belle wrote:
>> >Hai,
>> >
>> >
>> >Copy the code and set these variables.
>> >Run the script, restart samba and log in again with a PC.
>> >Should work now, you're missing something and you're not using good NTP servers.
>> >
>> >#!/bin/bash
>> >########## NTP settings needed for a correctly functioning samba AD DC server
>> >## Set to 1 to install the ntp server.
>> >## (default is ok )
>> >NTPD_INSTALL="1"
>> ># if you run the server on a XEN Server, set to 1.
>> >NTPD_XEN_GUEST="0"
>> >## important: look for a stratum 1 server in your area
>> >## for a server joining a domain put the ip of the AD server here.
>> >## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
>> >## (default is not ok, change this one to a ntp in your country )
>> >NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
>> >## if you don't have a second ntp server leave empty
>> >NTPD_SERVER2_EXTERNAL=""
>> >## restrict ntpd bind to which interfaces.
>> >## choose, multiple options are allowed.
>> >## the options are:  lo eth(0..9) wildcard ipv6
>> >## (default is ok, if your interface name is eth0 and you don't use ipv6. )
>> >NTPD_RESTRICT_INTERFACE="lo eth0"
>> >NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
>> >## default for sernet samba and debian samba ( should normally not be changed )
>> >SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
>> >## debian default, leave it as is.
>> >NTPD_GROUP="ntp"
>> >
>> >
>> >########### NTP
>> >if [ "${NTPD_INSTALL}" = "1" ]; then apt-get -y --no-install-recommends install ntp; fi
>> >cp /etc/ntp.conf /etc/ntp.conf.backup
>> >echo " " >> /etc/ntp.conf
>> >## comment out the debian pool servers
>> >for x in 0 1 2 3 ; do     sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ;     done
>> >## bind ntpd to the chosen interfaces only
>> >for i in ${NTPD_RESTRICT_INTERFACE} ; do     echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf;     done
>> >for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do     echo "interface ignore ${i2}" >> /etc/ntp.conf;     done
>> >## setup the ntp source server.
>> >if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then     sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
>> >if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then     echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf; fi
>> >## add mssntp to the default restrict lines (a second run appends mssntp again)
>> >sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>> >sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>> >cat << EOF >> /etc/ntp.conf
>> >
>> >ntpsigndsocket ${SAMBA_NTP_SIGNPATH}
>> >
>> >EOF
>> >
>> >## the ntp group needs access to the signing socket directory
>> >install -o root -g "${NTPD_GROUP}" -m 0750 -d "${SAMBA_NTP_SIGNPATH}"
>> >service ntp start
>> >
>> >
>> >
>> >> -----Original message-----
>> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
>> >> Sent: Wednesday 28 October 2015 11:09
>> >> To: Rowland Penny
>> >> CC: sambalist
>> >> Subject: Re: [Samba] net ads info: failed to get server's current time
>> >>
>> >> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
>> >> >On 22/10/15 22:33, Guy-Laurent Subri wrote:
>> >> >> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>> >> >>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>> >> >>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>> >> >>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>> >> >>>>>> Hi all,
>> >> >>>>>> We're having issues with Samba at work. I've searched a bit and the
>> >> >>>>>> only thing that has caught my eye is this: when I run the 'net ads info'
>> >> >>>>>> command on our DC --we have a Debian on which samba4 is installed and
>> >> >>>>>> configured as an AD DC-- I have the message "Failed to get server's
>> >> >>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>> >> >>>>>
>> >> >>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>> >> >>>>> mis-configured, have you altered the smb.conf in any way ?
>> >> >>>>
>> >> >>>> I don't think the modifications I did to smb.conf are relevant enough
>> >> >>>> to cause a problem, but here's our smb.conf, just in case:
>> >> >>>>
>> >> >>>> # Global parameters
>> >> >>>> [global]
>> >> >>>>    workgroup = TRS-CH
>> >> >>>>    realm = TRS-CH.COM
>> >> >>>>    netbios name = PDC
>> >> >>>>    server role = active directory domain controller
>> >> >>>>    server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl,
>> >> >>>>                        +winbind, +ntp_signd, +kcc, +dnsupdate
>> >> >>>> [netlogon]
>> >> >>>>   path = /var/lib/samba/sysvol/trs-ch.com/scripts
>> >> >>>>   read only = No
>> >> >>>>
>> >> >>>> [sysvol]
>> >> >>>>   path = /var/lib/samba/sysvol
>> >> >>>>   read only = No
>> >> >>>>
>> >> >>>>> do you have ntp installed and configured correctly ?
>> >> >>>> Yes, I have it installed and everything works fine.
>> >> >>>>
>> >> >>>> I also already tested the DNS by running the commands described here:
>> >> >>>>
>> >> >>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>> >> >>>>
>> >> >>>>
>> >> >>>> Everything is reachable.
>> >> >>>>
>> >> >>>> I tested kerberos by doing:
>> >> >>>> 'kinit administrator at TRS-CH.COM'
>> >> >>>> It showed up when I did 'klist'.
>> >> >>>>
>> >> >>>> Do you need more information ?
>> >> >>>>
>> >> >>>> Thanks !
>> >> >>>> Cheers,
>> >> >>>> Guy-Laurent Subri
>> >> >>>
>> >> >>> Are you running with Bind9 ?
>> >> >>>
>> >> >>> I think you need to remove all the '+' signs you have added to the
>> >> >>> 'server services' line, you normally only use the '+' sign to add a
>> >> >>> service to the line, I think you may still be using the un-shown 'dns'
>> >> >>> option.
>> >> >>> I would also recommend that you use the new separate 'winbindd' instead
>> >> >>> of the 'winbind' that you are using. I think that before long the old
>> >> >>> 'winbind' built into the samba daemon is going to disappear, so you
>> >> >>> might as well get used to it now.
>> >> >> Yes, I'm running Bind9.
>> >> >> If I either remove the + signs or change 'winbind' to 'winbindd' I
>> >> >> cannot contact the server again. (The result of the command 'net ads
>> >> >> info' is : no logon servers, didn't find the ldap server).
>> >> >>
>> >> >> Cheers,
>> >> >> Guy-Laurent Subri
>> >> >
>> >> >OK, I have just joined a new DC to my domain and I am using Bind9 and
>> >> >this is what I have in smb.conf:
>> >> >
>> >> >server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> >> >winbindd, ntp_signd, kcc, dnsupdate
>> >> >
>> >> >Note the lack of '+' signs
>> >> >
>> >> >This is with Samba 4.3.1
>> >>
>> >> My version of Samba is 4.1.17. I don't think this changes anything, but
>> >> I can try to upgrade if needed.
>> >>
>> >> >I have also checked and 'net ads info' works as well, so if yours isn't
>> >> >working, then something else is wrong, can you post your ntp.conf and
>> >> >bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>> >> >
>> >> >Rowland
>> >>
>> >> Here are the files:
>> >>
>> >> /etc/ntp.conf
>> >> -------------
>> >> driftfile /var/lib/ntp/ntp.drift
>> >> ntpsigndsocket /var/lib/samba/ntp_signd
>> >>
>> >> statsdir /var/log/ntpstats/
>> >>
>> >> server 0.ch.pool.ntp.org
>> >> server 1.ch.pool.ntp.org
>> >> server 2.ch.pool.ntp.org
>> >> server 3.ch.pool.ntp.org
>> >>
>> >> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>> >> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>> >>
>> >> restrict 127.0.0.1
>> >> restrict ::1
>> >>
>> >> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>> >>
>> >> broadcast 192.168.123.255
>> >>
>> >> /etc/bind/named.conf
>> >> --------------------
>> >> include "/etc/bind/named.conf.options";
>> >> include "/etc/bind/named.conf.local";
>> >> include "/etc/bind/named.conf.default-zones";
>> >> include "/var/lib/samba/private/named.conf";
>> >>
>> >> /etc/bind/named.conf.options
>> >> ----------------------------
>> >> options {
>> >>     directory "/var/cache/bind";
>> >>
>> >>     forwarders {
>> >>         192.168.1.185;
>> >>     };
>> >>
>> >>     dnssec-validation auto;
>> >>
>> >>     auth-nxdomain no;
>> >>     allow-query { localhost; any; };
>> >>     listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>> >>     listen-on-v6 { any; };
>> >> };
>> >>
>> >> /etc/bind/named.conf.local
>> >> --------------------------
>> >> is empty
>> >>
>> >> /etc/bind/named.conf.default-zones
>> >> ----------------------------------
>> >> zone "." {
>> >>     type hint;
>> >>     file "/etc/bind/db.root";
>> >> };
>> >>
>> >> zone "localhost" {
>> >>     type master;
>> >>     file "/etc/bind/db.local";
>> >> };
>> >>
>> >> zone "127.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.127";
>> >> };
>> >>
>> >> zone "0.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.0";
>> >> };
>> >>
>> >> zone "255.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.255";
>> >> };
>> >>
>> >> /var/lib/samba/private/named.conf
>> >> ---------------------------------
>> >> zone "trs-ch.com." IN {
>> >>     type master;
>> >>     file "/var/lib/samba/private/dns/trs-ch.com.zone";
>> >>     include "/var/lib/samba/private/named.conf.update";
>> >>     check-names ignore;
>> >> };
>> >>
>> >> resolv.conf
>> >> -----------
>> >> search trs-ch.com
>> >> nameserver 192.168.1.17
>> >> nameserver 192.168.1.7
>> >>
>> >> krb5.conf
>> >> ---------
>> >> [libdefaults]
>> >> default_realm = TRS-CH.COM
>> >> dns_lookup_realm = false
>> >> dns_lookup_kdc = true
>> >> [realms]
>> >> TRS-CH.COM = {
>> >>     kdc = 192.168.1.17
>> >>         admin_server = 192.168.1.17
>> >>         default_domain = trs-ch.com
>> >> }
>> >> [TRS-CH.COM]
>> >> .trs-ch.com = TRS-CH.COM
>> >> trs.ch.com = TRS-CH.COM
>> >>
>> >> Thank you for your time!
>> >>
>> >> Cheers,
>> >> Guy-Laurent
>> >>
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions:  https://lists.samba.org/mailman/options/samba
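
An added example (not part of the thread or of the posted script): a shell check for the three things the messages above ask you to review by hand, namely that each active `restrict ... default` line carries `mssntp` exactly once, that `ntpsigndsocket` is set, and that the signing directory shows the `drwxr-x--- root ntp` listing. The function names and the sample file are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: audit the ntpd settings a Samba AD DC
# needs. Each function prints one finding per line and nothing on success.

check_ntp_conf() {
    local conf="$1" fam line count sock
    for fam in -4 -6; do
        # First active (uncommented) "restrict -4|-6 default ..." line.
        line=$(grep -E -- "^[[:space:]]*restrict[[:space:]]+${fam}[[:space:]]+default([[:space:]]|\$)" "$conf" | head -n 1 || true)
        if [ -z "$line" ]; then
            echo "restrict ${fam} default: no active line"
            continue
        fi
        # Count mssntp as a whole word; 2 means the sed edit was applied twice.
        count=$(printf '%s\n' "$line" | tr -s '[:space:]' '\n' | grep -c -x 'mssntp' || true)
        case "$count" in
            0) echo "restrict ${fam} default: mssntp missing" ;;
            1) ;;
            *) echo "restrict ${fam} default: mssntp listed ${count} times" ;;
        esac
    done
    sock=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$conf")
    [ -n "$sock" ] || echo "ntpsigndsocket: directive missing"
}

# $1 = directory, $2 = expected owner, $3 = expected group
check_signd_dir() {
    local dir="$1" mode owner group
    [ -d "$dir" ] || { echo "$dir: directory missing"; return 0; }
    # Parse the same "ls -ld" listing quoted in the thread; drop any ACL suffix.
    read -r mode owner group <<EOF
$(ls -ld "$dir" | awk '{ print substr($1, 1, 10), $3, $4 }')
EOF
    [ "$mode" = "drwxr-x---" ] || echo "$dir: mode is $mode, expected drwxr-x---"
    [ "$owner" = "$2" ] || echo "$dir: owner is $owner, expected $2"
    [ "$group" = "$3" ] || echo "$dir: group is $group, expected $3"
}

# Constructed sample: doubled mssntp on -4, and the -6 line commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
#restrict -6 default kod notrap nomodify nopeer noquery mssntp
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
check_ntp_conf "$sample"
check_signd_dir /var/lib/samba/ntp_signd root ntp
rm -f "$sample"
```

On a real DC, point `check_ntp_conf` at `/etc/ntp.conf`; empty output from both functions means the reviewed settings match what the thread describes.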


