[Samba] Time sync not working with Windows 10

Mark Foley mfoley at ohprs.org
Thu Nov 19 22:13:40 UTC 2020

On Wed, 18 Nov 2020 08:41:03 -0500 me at tdiehl.org wrote:
> On Wed, 18 Nov 2020, Mark Foley via samba wrote:
> > After our office upgraded to Windows 10, time sync stopped working with the Windows
> > workstations. This used to work fine with Windows 7 and still works with linux domain members
> > (although that's not surprising).
> >
> > The Windows 10 workstations ended up operating off the CMOS clock. We didn't notice this for a long
> > time since the CMOS clock drift is slow, but after several months users started noticing up to
> > +/-6 minutes difference between their computers and the *real* time.
> >
> > Going to 'Date & Time settings > Sync Now' always gives "Time synchronization failed".
> >
> > For Windows 7 workstations, several years ago, I followed the advice in
> > https://www.meinbergglobal.com/english/info/ntp-w32time.htm which was to do the following on
> > the Windows 7 workstations:
> >
> >
> > w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> > w32tm /config /update
> >
> > Check the configuration:
> >
> > w32tm /query /source
> >
> > This worked and time was in-sync on the WIN7 computers for many years.  I did this after
> > upgrading/installing each Windows 10 workstation during 2019 Q4 and 2020 Q1, but apparently
> > that didn't work.
> >
> > For the Windows 10 workstations I created the "Time Source" group policy per the instructions in
> > https://wiki.samba.org/index.php/Time_Synchronisation. That didn't help either.
> >
> > Is it possible that the version of Samba I am using (Version 4.8.2) is too old for Windows 10?
> > I could upgrade to 4.13.2, but that is in the "experimental" release of Slackware and may or
> > may not install properly.
> I do not think 4.8.2 is too old for time sync to work with win 10. However
> 4.8.2 is EOL as far as samba is concerned.
> A couple of weeks ago I was still running 4.8.x on 2 different Ad domains
> and time sync was working fine on all of the clients, including the win 10.
> I would suggest you have a look at https://wiki.samba.org/index.php/Time_Synchronisation
> In particular make sure the symlink points to the correct place.
> After we upgraded the DC's to 4.12.x the symlinks got b0rked and that killed time sync
> for us. Fixing the symlinks and restarting chronyd and samba fixed the problem.
> FWIW, there is no extra configuration required on windows domain members assuming
> that the DC's are configured correctly. Just use w32tm /query /source to make sure
> the clients are using one of the DC's to sync from. If they are not then there is
> a problem with the DC configuration.
> Regards,
> -- 
> Tom			me at tdiehl.org

Tom - thanks for your reply.  Question: on your Windows 10 workstation when you go to the Date
& Time setting, what does it show for Time Server? After doing the steps described below on two
of the WIN10 workstations, one shows "Time Server: unspecified" and the other shows "Local CMOS

Can you click on "Sync Now" and have it work? I continue to get "Time synchronization failed".

I've put these questions up-front so they don't get buried below.

Your post was useful (though things still don't appear to be completely working). I'm using
ntpd, not chrony. Rechecking the
https://wiki.samba.org/index.php/Time_Synchronisation link I noted that it said, "Requirements:
ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support
(--enable-ntp-signd)". I didn't know if my version of ntpd was compiled with --enable-ntp-signd.

While trying to figure that out I came across the potentially very useful webpage
https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain. It gave the following
instruction to see where Samba wants to put the ntp_signd socket:

# netstat -xpln | grep signd
unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket

This location is different from what the Samba wiki specified (/usr/local/samba/var/lib/ntp_signd),
so I changed my ntp.conf to be the one found by netstat.

That blog also advised adding "noquery" to the restrict config:

restrict default kod limited nomodify notrap nopeer noquery mssntp

His example had two lines with -4 and -6 after the "restrict" directive, respectively. I hope
my not using those isn't a problem.

Finally, the blog advised adding "listen":

listen on

This is the IP of the server running ntpd. Not sure why that would be needed, never was in the
past, hope it doesn't hurt.

I restarted ntpd and, according to the blog, checked syslog to confirm signd:

Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.

So, there's my first problem! My ntpd is not compiled with --enable-ntp-signd. So, I downloaded
ntpd 4.2.8p15 (same version as I already have) from ntp.org and built it. Turns out that
--enable-ntp-signd is not a default for that either, so I re-config'd:

../configure --enable-ntp-signd

When I restarted and checked the syslog I now have:

Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

which is what the blog says should be there.

However, as stated at top, the Windows 10 workstations are still not syncing. On 3 of the
workstations I had manually set the time server to an external time server:

w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update

and on several others I manually set the time server to the Samba AD server, per my O.P.:

w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL

Prior to fixing ntpd with signd the workstations set to the external server were syncing since
the "Last successful time synchronization" kept updating. The ones set to the local Samba
server were months out of date.

In order to try and undo my manual settings, I did the following on both external time-sync and
local Samba time-sync workstations:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

and rebooted. That didn't help. Still not getting time to sync with Samba, and:

w32tm /query /source

still shows "Local CMOS Clock".

My current ntp.conf is below. If you or anyone has any idea as to what could still be wrong,
I'd greatly appreciate the help. This problem has been ongoing for several months.

Below is my current ntp.conf:
logfile /var/log/ntpd.log	# note, this file is empty!?

server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst
server     # local clock
fudge stratum 10

driftfile /etc/ntp/drift
ntpsigndsocket  /var/lib/samba/ntp_signd/socket

listen on

restrict default kod limited nomodify notrap nopeer noquery mssntp

restrict ::1

restrict 0.pool.ntp.org   mask    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask    nomodify notrap nopeer noquery
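
The checks walked through in this message, gathered into one script as an added example (not part of the original post, and not code from Samba or ntpd). It relies on ntpd treating the `ntpsigndsocket` value as a directory and appending `/socket` itself, so that value has to be the directory holding Samba's socket; the function names are hypothetical and the sample inputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Sample inputs, constructed from the ntp.conf, netstat and syslog lines in the post.
SAMPLE_CONF='driftfile /etc/ntp/drift
ntpsigndsocket  /var/lib/samba/ntp_signd/socket
restrict default kod limited nomodify notrap nopeer noquery mssntp'
SAMPLE_NETSTAT='unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket'
SAMPLE_LOG='Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.'

# Value of the ntpsigndsocket directive (comments stripped, last one wins).
conf_signd_value() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk '$1 == "ntpsigndsocket" { v = $2 } END { print v }'
}

# Path ntpd will connect to: the configured value plus "/socket".
ntpd_connect_path() {
    v=$(conf_signd_value "$1")
    if [ -n "$v" ]; then printf '%s/socket\n' "${v%/}"; fi
}

# Socket path Samba listens on, from `netstat -xpln | grep signd` output.
samba_listen_path() {
    printf '%s\n' "$1" | awk '/LISTENING/ && /samba/ { print $NF; exit }'
}

# Prints "OK <path>" when both ends agree, otherwise MISMATCH with both paths.
check_socket() {
    want=$(samba_listen_path "$2"); got=$(ntpd_connect_path "$1")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then echo "OK $got"
    else echo "MISMATCH ntpd=$got samba=$want"; fi
}

# Succeeds when the "restrict default" line carries the mssntp flag.
restrict_has_mssntp() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default.*[[:space:]]mssntp([[:space:]]|$)'
}

# Classifies the latest signd-related ntpd log line: disabled, enabled or unknown.
signd_build_status() {
    printf '%s\n' "$1" | awk '/configured without --enable-ntp-signd/ { s = "disabled" }
        /MS-SNTP signd operations/ { s = "enabled" } END { print (s ? s : "unknown") }'
}

check_socket "$SAMPLE_CONF" "$SAMPLE_NETSTAT"
restrict_has_mssntp "$SAMPLE_CONF" && echo "restrict default: mssntp present"
echo "ntpd signd support: $(signd_build_status "$SAMPLE_LOG")"
```

On a live DC, pass the real inputs instead of the samples, for example the contents of your ntp.conf and the output of `netstat -xpln | grep signd`.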
