[Samba] Time sync not working with Windows 10

Mark Foley mfoley at ohprs.org
Mon Nov 23 19:40:34 UTC 2020


On Sun, 22 Nov 2020 09:56:07 Rowland Penny <rpenny at samba.org> wrote:
>
> On 22/11/2020 02:04, Mark Foley via samba wrote:
> > From: Mark Foley via samba <samba at lists.samba.org>
> > To: "samba at lists.samba.org" <samba at lists.samba.org>
> > Subject: Re: [Samba] Time sync not working with Windows 10
> > Date: Thu, 19 Nov 2020 22:13:40 +0000
> >
> >> On Wed, 18 Nov 2020 08:41:03 -0500 me at tdiehl.org wrote:
> >>> On Wed, 18 Nov 2020, Mark Foley via samba wrote:
> >>>
> >>>> After our office upgraded to Windows 10, time sync stopped working with the Windows
> >>>> workstations. This used to work fine with Windows 7 and still works with linux domain members
> >>>> (although that's not surprising).
> >>>>
> >>>> The Windows 10 workstations ended up operating off the CMOS clock. We didn't notice this for a long
> >>>> time since the CMOS clock drift is slow, but after several months users started noticing up to
> >>>> +/-6 minutes difference between their computers and the *real* time.
> >>>>
> >>>> Going to 'Date & Time settings > Sync Now' always gives "Time synchronization failed".
> >>>>
> >>>> For Windows 7 workstations, several years ago, I followed the advice in
> >>>> https://www.meinbergglobal.com/english/info/ntp-w32time.htm which was to do the following on
> >>>> the Windows 7 workstations:
> >>>>
> >>>>
> >>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> >>>> w32tm /config /update
> >>>>
> >>>> Check the configuration:
> >>>>
> >>>> w32tm /query /source
> >>>>
> >>>> This worked and time was in-sync on the WIN7 computers for many years.  I did this after
> >>>> upgrading/installing each Windows 10 workstation during 2019 Q4 and 2020 Q1, but apparently
> >>>> that didn't work.
> >>>>
> >>>> For the Windows 10 workstations I create the "Time Source" group policy per the instructions in
> >>>> https://wiki.samba.org/index.php/Time_Synchronisation. That didn't help either.
> >>>>
> >>>> Is it possible that the version of Samba I am using (Version 4.8.2) is too old for Windows 10?
> >>>> I could upgrade to 4.13.2, but that is in the "experimental" release of Slackware and may or
> >>>> may not install properly.
> >>> I do not think 4.8.2 is too old for time sync to work with win 10. However
> >>> 4.8.2 is EOL as far as samba is concerned.
> >>>
> >>> A couple of weeks ago I was still running 4.8.x on 2 different Ad domains
> >>> and time sync was working fine on all of the clients, including the win 10.
> >>>
> >>> I would suggest you have a look at https://wiki.samba.org/index.php/Time_Synchronisation
> >>> In particular make sure the symlink points to the correct place.
> >>>
> >>> After we upgraded the DC's to 4.12.x the symlinks got b0rked and that killed time sync
> >>> for us. Fixing the symlinks and restarting chronyd and samba fixed the problem.
> >>>
> >>> FWIW, there is no extra configuration required on windows domain members assuming
> >>> that the DC's are configured correctly. Just use w32tm /query /source to make sure
> >>> the clients are using one of the DC's to sync from. If they are not then there is
> >>> a problem with the DC configuration.
> >>>
> >>> Regards,
> >>>
> >>> -- 
> >>> Tom			me at tdiehl.org
> >>>
> >> Tom - thanks for your reply.  Question: on your Windows 10 workstation when you go to the Date
> >> & Time setting, what does it show for Time Server? After doing the steps described below on two
> >> of the WIN10 workstations, one shows "Time Server: unspecified" and the other shows "Local CMOS
> >> Clock".
> >>
> >> Can you click on "Sync Now" and have it work? I continue to get "Time synchronization failed".
> >>
> >> I've put these questions up-front so they don't get buried below.
> >>
> >> Your post was useful (though things still don't appear to be completely working). I'm using
> >> ntpd, not chrony. Rechecking the
> >> https://wiki.samba.org/index.php/Time_Synchronisation link I noted that it said, "Requirements:
> >> ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support
> >> (--enable-ntp-signd)". I didn't know if my version of ntpd was compiled with --enable-ntp-signd.
> >>
> >> While trying to figure that out I came across the potentially very useful webpage
> >> https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain. It gave the following
> >> instruction to see where Samba wants to put the ntp_signd socket:
> >>
> >> # netstat -xpln | grep signd
> >> unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket
> >>
> >> This location is different from what the Samba wiki specified (/usr/local/samba/var/lib/ntp_signd),
> >> so I changed my ntp.conf to be the one found by netstat.
> >>
> >> That blog also advised adding "noquery" to the restrict config:
> >>
> >> restrict default kod limited nomodify notrap nopeer noquery mssntp
> >>
> >> His example had two lines with -4 and -6 after the "restrict" directive, respectively. I hope
> >> my not using those isn't a problem.
> >>
> >> Finally, the blog advised adding "listen":
> >>
> >> listen on 192.168.0.2
> >>
> >> This is the IP of the server running ntpd. Not sure why that would be needed, never was in the
> >> past, hope it doesn't hurt.
> >>
> >> I restarted ntpd and, according to the blog, checked syslog to confirm signd:
> >>
> >> Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.
> >>
> >> So, there's my first problem! My ntpd is not compiled with --enable-ntp-signd. So, I downloaded
> >> ntpd 4.2.8p15 (same version as I already have) from ntp.org and built it. Turns out that
> >> --enable-ntp-signd is not a default for that either, so I re-config'd:
> >>
> >> ../configure --enable-ntp-signd
> >>
> >> When I restarted and checked the syslog I now have:
> >>
> >> Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
> >>
> >> which is what the blog says should be there.
> >>
> >> However, as stated at top, the Windows 10 workstations are still not syncing. On 3 of the
> >> workstations I had manually set the time server to an external time server:
> >>
> >> w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update
> >>
> >> and on several others I manually set the time server to the Samba AD server, per my O.P.:
> >>
> >> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> >>
> >> Prior to fixing ntpd with signd the workstations set to the external server were syncing since
> >> the "Last successful time synchronization" kept updating. The ones set to the local Samba
> >> server were months out of date.
> >>
> >> In order to try and undo my manual settings, I did the following on both external time-sync and
> >> local Samba time-sync workstations:
> >>
> >> net stop w32time
> >> w32tm /unregister
> >> w32tm /register
> >> net start w32time
> >>
> >> and rebooted. That didn't help. Still not getting time to sync with Samba, and:
> >>
> >> w32tm /query /source
> >>
> >> still shows "Local CMOS Clock".
> >>
> >> My current ntp.conf is below. If you or anyone has any idea as to what could still be wrong,
> >> I'd greatly appreciate the help. This problem has been ongoing for several months.
> >>
> >> Below is my current ntp.conf:
> >> ----------------------------
> >> logfile /var/log/ntpd.log	# note, this file is empty!?
> >>
> >> server 0.pool.ntp.org iburst prefer
> >> server 1.pool.ntp.org iburst
> >> server  127.127.1.0     # local clock
> >> fudge   127.127.1.0 stratum 10
> >>
> >> driftfile /etc/ntp/drift
> >> ntpsigndsocket  /var/lib/samba/ntp_signd/socket
> >>
> >> listen on 192.168.0.2
> >>
> >> restrict default kod limited nomodify notrap nopeer noquery mssntp
> >>
> >> restrict 127.0.0.1
> >> restrict ::1
> >>
> >> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> >> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> >>
> > SOLVED!
> >
> > The last problem was with my ntpsigndsocket setting. Based on the netstat command (described
> > above) I changed ntp.conf to:
> >
> > ntpsigndsocket /var/lib/samba/ntp_signd/socket
> >
> > The problem here is that "socket" from the netstat command is the actual socket. My setting
> > caused a sub-directory "socket" to be created. The solution was to change the setting to:
> >
> > ntpsigndsocket  /var/lib/samba/ntp_signd
> >
> >
> > Whew! This has been a months long struggle!
> So, you didn't read this wiki page: 
> https://wiki.samba.org/index.php/Time_Synchronisation ?
>
> Rowland

Yes, I did, as mentioned in my O.P. But there were some details the wiki didn't address in my
case. 

First, the path stated in the wiki for the ntpsigndsocket was incorrect for my system. I don't
know why. Perhaps my distro put it somewhere else. A very useful blog: 
https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain, gave me instructions to
determine where Samba creates the ntp_signd socket:

netstat -xpln | grep signd

Which on my system gave:

/var/lib/samba/ntp_signd/socket

versus the wiki:

/usr/local/samba/var/lib/ntp_signd/

So, I had to change the ntpsigndsocket setting in ntp.conf or nothing was going to work. Perhaps
this tip should be included in the wiki doc.

Second, I didn't realize that the netstat command gave me the full path, including the socket
itself. So my correct ntpsigndsocket setting is:

ntpsigndsocket /var/lib/samba/ntp_signd

As part of this point, I didn't know Samba had to be allowed to create the ntp_signd directory.
So I had to stop Samba and ntpd and do:

rm -r /var/lib/samba/ntp_signd

Even though I had the correct path, timesync still would not work until I removed this
directory.  I found this tip in another post whose URL I don't recall.  Again, perhaps this
should be part of the aforementioned wiki tip. 

Finally, I had no way of knowing for sure that my ntpd was built with --enable-ntp-signd or
not. ntpd does not have an equivalent of samba's -b option to show how it was built. Again, the
blog mentioned above gave the tip to look in syslog which should show:

Apr  9 20:15:24 dc ntpd[30129]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

to confirm SIGND was working. Instead, I got:

Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.

confirming that my ntpd was not built with --enable-ntp-signd. By default, the build of sources
from ntp.org also does not build with --enable-ntp-signd by default. To do so, one must run:

./configure --enable-ntp-signd

This tip on determining whether or not ntpd was built with --enable-ntp-signd would also be
useful in the wiki.

Perhaps I'm the only one who has run into this issue, but if these two tips (netstat to
determine the socket path and syslog to determine SIGND enabled) had been included in the wiki
it would have saved me hours of searching through the web for numerous useful links. 

--Mark
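
Added example, not part of the message above and not code from the Samba or ntp projects: the two checks described in this thread (comparing the ntpsigndsocket setting with the directory that holds Samba's listening socket, and reading ntpd's startup line in syslog) written as shell functions. The function names and the status words they print are assumptions made for this example; the netstat and syslog lines are the ones quoted in the thread, and the ntp.conf fragments are constructed from it.

```shell
#!/bin/sh
# Directory that ntp.conf must name: the parent of Samba's listening socket.
# Reads `netstat -xpln` output on stdin.
expected_signd_dir() {
    awk '/ntp_signd/ { print $NF }' | sed 's|/[^/]*$||' | tail -n 1
}

# Value of the last ntpsigndsocket directive in the ntp.conf given as $1.
configured_signd_dir() {
    awk '$1 == "ntpsigndsocket" { v = $2 } END { print v }' "$1"
}

# $1 = ntp.conf, $2 = expected directory.
# Prints ok, socket-file (the mistake in the thread), mismatch or unset.
check_signd_path() {
    conf=$(configured_signd_dir "$1")
    if [ -z "$conf" ]; then echo unset
    elif [ "${conf%/}" = "$2" ]; then echo ok
    elif [ "${conf%/}" = "$2/socket" ]; then echo socket-file
    else echo mismatch
    fi
}

# Classify ntpd's startup from syslog lines on stdin; the last match wins.
signd_build_status() {
    awk '/configured without --enable-ntp-signd/ { s = "not-built-with-signd" }
         /MS-SNTP signd operations/              { s = "signd-active" }
         END { print (s == "" ? "unknown" : s) }'
}

# Sample input: the netstat and syslog lines quoted in the thread.
NETSTAT_LINE='unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket'
LOG_BEFORE='Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.'
LOG_AFTER='Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.'

# Constructed ntp.conf fragments: the first attempt and the working setting.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'ntpsigndsocket  /var/lib/samba/ntp_signd/socket\n' > "$TMP/bad.conf"
printf 'ntpsigndsocket  /var/lib/samba/ntp_signd\n' > "$TMP/good.conf"

WANT=$(printf '%s\n' "$NETSTAT_LINE" | expected_signd_dir)
echo "expected directory: $WANT"
echo "first attempt:      $(check_signd_path "$TMP/bad.conf" "$WANT")"
echo "working setting:    $(check_signd_path "$TMP/good.conf" "$WANT")"
echo "before rebuild:     $(printf '%s\n' "$LOG_BEFORE" | signd_build_status)"
echo "after rebuild:      $(printf '%s\n%s\n' "$LOG_BEFORE" "$LOG_AFTER" | signd_build_status)"
```

On a live DC the same functions take `netstat -xpln` output and the real ntp.conf and syslog in place of the embedded samples.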


