[Samba] I can't get Win10 clients to sync time with the DC

Viktor Trojanovic viktor at troja.ch
Thu Nov 14 18:54:51 UTC 2019


I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
and just noticed that the clients are not synchronizing time with the
server. I'm not sure why not.

My setup is a bit special in that the DC is running inside a (privileged)
Linux container. For that reason, it's not possible or necessary for the
container to correct the system clock; this is done on the container host
using ntp. But the DC should provide time to clients connected to the
domain just as in a regular setup.

Naturally, I followed the guide in the wiki with the exception that I
didn't set external servers to get time from. My ntp.conf looks like this
(it really is called ntp.conf on Ubuntu, not ntpd.conf):

server 127.127.1.0
fudge 127.127.1.0 stratum 1
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
restrict -6 default kod notrap nomodify nopeer noquery limited mssntp
restrict 127.0.0.1
restrict ::1
tinker panic 0

I've checked and rechecked this configuration; I can't see an issue with
it. And ntpd does seem to start properly:

Nov 14 16:58:45 DC1 ntpd[32172]: ntpd 4.2.8p10@1.3728-o (1): Starting
Nov 14 16:58:45 DC1 ntpd[32172]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
Nov 14 16:58:45 DC1 systemd[1]: Started Network Time Service.
Nov 14 16:58:45 DC1 ntpd[32175]: proto: precision = 0.073 usec (-24)
Nov 14 16:58:45 DC1 ntpd[32175]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 0 v6wildcard [::]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 2 lo 127.0.0.1:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 3 eth0 192.168.1.2:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 4 lo [::1]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 5 eth0 [fe80::216:3eff:feb4:414e%10]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listening on routing socket on fd #22 for interface updates

The command ntpq shows that the local clock is accepted to be
authoritative:

root@DC1:~# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.           1 l   30   64  377    0.000    0.000   0.000

On the Windows client, I can query the server alright:

C:\WINDOWS\system32>w32tm /monitor
DC1.samdom.example.com *** PDC ***[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.samdom.example.com
        RefID: (unknown) [0x00017F7F]
        Stratum: 2

C:\WINDOWS\system32>w32tm /stripchart /computer:dc1 /dataonly /samples:5
Tracking dc1 [192.168.1.2:123].
Collecting 5 samples.
The current time is 14.11.2019 19:39:49.
19:39:49, -02.9196934s
19:39:51, -02.9197052s
19:39:53, -02.9197256s
19:39:55, -02.9197882s
19:39:57, -02.9197818s

However, when I run w32tm /resync /rediscover, it complains that "The
computer did not resync because no time data was available."

I tried so many things on the PC. Restarting the time service,
unregistering the service and registering it again, checking that the time
service is not configured by group or local policy (it is not), running
w32tm /config /syncfromflags:domhier /update, and last but not least,
rebooting to no end.

This is not on a laptop; this is happening on computers constantly
connected to the host and therefore the DC via ethernet.

Oh, and before I forget, here is my smb.conf, though the AD is otherwise
functioning without issues:

[global]
        dns forwarder = 192.168.1.1
        netbios name = DC1
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
[netlogon]
        path = /var/lib/samba/sysvol/samdom.example.com/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I'd really appreciate a nudge in the right direction.

Viktor
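
Added example, not part of the original post: a small Python decoder for the NTP reply header, useful for reading what the DC actually answers (leap indicator, stratum, reference ID) independently of w32tm. It assumes that w32tm prints the reference ID as a little-endian integer, which is what makes 0x00017F7F from the output above correspond to the 127.127.1.0 local clock in ntp.conf; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct


def decode_w32tm_refid(value):
    """Convert the bracketed integer w32tm prints into a dotted quad.

    Assumption: w32tm reads the 4-byte reference ID as a little-endian
    integer, so the wire bytes are recovered by packing it the same way.
    """
    return socket.inet_ntoa(struct.pack("<I", value))


def parse_ntp_header(packet):
    """Decode the fixed header fields of a 48-byte NTP/SNTP packet."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    flags, stratum = packet[0], packet[1]
    refid = packet[12:16]
    # Stratum 0-1: refid is an ASCII code such as LOCL.
    # Stratum 2+: refid is the IPv4 address of the server's own time source.
    if stratum <= 1:
        ref = refid.rstrip(b"\x00").decode("ascii", "replace")
    else:
        ref = socket.inet_ntoa(refid)
    return {
        "leap": flags >> 6,           # 3 means the server clock is unsynchronized
        "version": (flags >> 3) & 7,
        "mode": flags & 7,            # 4 means server reply
        "stratum": stratum,
        "refid": ref,
    }


def query(host, timeout=3.0):
    """Send a plain (unsigned) SNTP v3 client request and parse the reply."""
    request = bytes([0x1B]) + bytes(47)   # LI=0, VN=3, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
    return parse_ntp_header(reply)


# Constructed sample reply: LI=0, VN=3, mode=4, stratum 2, refid 127.127.1.0
SAMPLE = bytes([0x1C, 2, 6, 0xE8]) + bytes(8) + bytes([127, 127, 1, 0]) + bytes(32)

if __name__ == "__main__":
    print(decode_w32tm_refid(0x00017F7F))
    print(parse_ntp_header(SAMPLE))
```

query() sends an unsigned request, so it exercises the same path as w32tm /stripchart, not the signed MS-SNTP exchange a domain member uses when it syncs from the domain hierarchy.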

