[Samba] Time sync not working with Windows 10

Rowland penny rpenny at samba.org
Sun Nov 22 09:56:07 UTC 2020 

On 22/11/2020 02:04, Mark Foley via samba wrote:
> From: Mark Foley via samba <samba at lists.samba.org>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Subject: Re: [Samba] Time sync not working with Windows 10
> Date: Thu, 19 Nov 2020 22:13:40 +0000
>
>> On Wed, 18 Nov 2020 08:41:03 -0500 me at tdiehl.org wrote:
>>> On Wed, 18 Nov 2020, Mark Foley via samba wrote:
>>>
>>>> After our office upgraded to Windows 10, time sync stopped working with the Windows
>>>> workstations. This used to work fine with Windows 7 and still works with linux domain members
>>>> (although that's not surprising).
>>>>
>>>> The Windows 10 workstations ended up operating off the CMOS clock. We didn't notice this for a long
>>>> time since the CMOS clock drift is slow, but after several months users started noticing up to
>>>> +/-6 minutes difference between their computers and the *real* time.
>>>>
>>>> Going to 'Date & Time settings > Sync Now' always gives "Time synchronization failed".
>>>>
>>>> For Windows 7 workstations, several years ago, I followed the advice in
>>>> https://www.meinbergglobal.com/english/info/ntp-w32time.htm which was to do the following on
>>>> the Windows 7 workstations:
>>>>
>>>>
>>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>>> w32tm /config /update
>>>>
>>>> Check the configuration:
>>>>
>>>> w32tm /query /source
>>>>
>>>> This worked and time was in-sync on the WIN7 computers for many years.  I did this after
>>>> upgrading/installing each Windows 10 workstation during 2019 Q4 and 2020 Q1, but apparently
>>>> that didn't work.
>>>>
>>>> For the Windows 10 workstations I create the "Time Source" group policy per the instructions in
>>>> https://wiki.samba.org/index.php/Time_Synchronisation. That didn't help either.
>>>>
>>>> Is it possible that the version of Samba I am using (Version 4.8.2) is too old for Windows 10?
>>>> I could upgrade to 4.13.2, but that is in the "experimental" release of Slackware and may or
>>>> may not install properly.
>>> I do not think 4.8.2 is too old for time sync to work with win 10. However
>>> 4.8.2 is EOL as far as samba is concerned.
>>>
>>> A couple of weeks ago I was still running 4.8.x on 2 different Ad domains
>>> and time sync was working fine on all of the clients, including the win 10.
>>>
>>> I would suggest you have a look at https://wiki.samba.org/index.php/Time_Synchronisation
>>> In particular make sure the symlink points to the correct place.
>>>
>>> After we upgraded the DC's to 4.12.x the symlinks got b0rked and that killed time sync
>>> for us. Fixing the symlinks and restarting chronyd and samba fixed the problem.
>>>
>>> FWIW, there is no extra configuration required on windows domain members assuming
>>> that the DC's are configured correctly. Just use w32tm /query /source to make sure
>>> the clients are using one of the DC's to sync from. If they are not then there is
>>> a problem with the DC configuration.
>>>
>>> Regards,
>>>
>>> -- 
>>> Tom			me at tdiehl.org
>>>
>> Tom - thanks for your reply.  Question: on your Windows 10 workstation when you go to the Date
>> & Time setting, what does it show for Time Server? After doing the steps described below on two
>> of the WIN10 worstations, one shows "Time Server: unspecified" and the other shows "Local CMOS
>> Clock".
>>
>> Can you click on "Sync Now" and have it work? I continue to get "Time synchronization failed".
>>
>> I've put these questions up-front so they don't get buried below.
>>
>> Your post was useful (though things still don't appear to be competely working). I'm using
>> ntpd, not chrony. Rechecking the
>> https://wiki.samba.org/index.php/Time_Synchronisation link I noted that it said, "Requirements:
>> ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support
>> (--enable-ntp-signd)". I didn't know if my version of ntpd was compile with --enable-ntp-signd.
>>
>> While trying to figure that out I came across the potentially very useful webpage
>> https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain. It gave the following
>> instruction to see where Samba wants to put the ntp_signd socket:
>>
>> # netstat -xpln | grep signd
>> unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket
>>
>> This location is different from what the Samba wiki specified (/usr/local/samba/var/lib/ntp_signd),
>> so I changed my ntp.conf to be the one found by netstat.
>>
>> That blog also advised adding "noquery" to the restrict config:
>>
>> restrict default kod limited nomodify notrap nopeer noquery mssntp
>>
>> His example had two lines with -4 and -6 after the "restrict" directive, respectively. I hope
>> my not using those isn't a problem.
>>
>> Finally, the blog advised adding "listen":
>>
>> listen on 192.168.0.2
>>
>> This is the IP of the server running ntpd. Not sure why that would be needed, never was in the
>> past, hope it doesn't hurt.
>>
>> I restarted ntpd and, according to the blog, checked syslog to confirm signd:
>>
>> Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.
>>
>> So, there's my first problem! My ntpd is not compiled with --enable-ntp-signd. So, I downloaded
>> ntpd 4.2.8p15 (same version as I already have) from ntp.org and built it. Turns out that
>> --enable-ntp-signd is not a default for that either, so I re-config'd:
>>
>> ../configure --enable-ntp-signd
>>
>> When I restarted and checked the syslog I now have:
>>
>> Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
>>
>> which is what the blogs says should be there.
>>
>> However, as stated at top, the Windows 10 workstations are still not syncing. On 3 of the
>> workstations I had manually set the time server to an external time server:
>>
>> w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update
>>
>> and on several others I manually set the time server to the Samba AD server, per my O.P.:
>>
>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>
>> Prior to fixing ntpd with signd the workstations set to the external server were syncing since
>> the "Last successful time synchronization" kept updating. The ones set to the local Samba
>> server were months out of date.
>>
>> In order to try and undo my manual settings, I did the following on both external time-sync and
>> local Samba time-sync workstations:
>>
>> net stop w32time
>> w32tm /unregister
>> w32tm /register
>> net start w32time
>>
>> and rebooted. That didn't help. Still not getting time to sync with Samba, and:
>>
>> w32tm /query /source
>>
>> still shows "Local CMOS Clock".
>>
>> My current ntp.conf is below. If you or anyone has any idea as to what could still be wrong,
>> I'd greatly appreciate the help. This problem has been ongoing for several months.
>>
>> Below is my current ntp.conf:
>> ----------------------------
>> logfile /var/log/ntpd.log	# note, this file is empty!?
>>
>> server 0.pool.ntp.org iburst prefer
>> server 1.pool.ntp.org iburst
>> server  127.127.1.0     # local clock
>> fudge   127.127.1.0 stratum 10
>>
>> driftfile /etc/ntp/drift
>> ntpsigndsocket  /var/lib/samba/ntp_signd/socket
>>
>> listen on 192.168.0.2
>>
>> restrict default kod limited nomodify notrap nopeer noquery mssntp
>>
>> restrict 127.0.0.1
>> restrict ::1
>>
>> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>>
> SOLVED!
>
> The last problem was with my ntpsigndsocket setting. Based on the netstat command (described
> above) I changed ntp.conf to:
>
> ntpsigndsocket /var/lib/samba/ntp_signd/socket
>
> The problem here is that "socket" from the netstat command is the actual socket. my setting
> caused a sub-directory "socket" to be created. The solution was to change the setting to:
>
> ntpsigndsocket  /var/lib/samba/ntp_signd
>
>
> Whew! This has been a months long struggle!
So, you didn't read this wiki page: 
https://wiki.samba.org/index.php/Time_Synchronisation ?

Rowland

More information about the samba mailing list