[Samba] Time sync not working with Windows 10

Rowland penny rpenny at samba.org
Mon Nov 23 20:13:18 UTC 2020


On 23/11/2020 19:40, Mark Foley via samba wrote:
> On Sun, 22 Nov 2020 09:56:07 Rowland penny <rpenny at samba.org> wrote:
>> On 22/11/2020 02:04, Mark Foley via samba wrote:
>>> From: Mark Foley via samba <samba at lists.samba.org>
>>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>>> Subject: Re: [Samba] Time sync not working with Windows 10
>>> Date: Thu, 19 Nov 2020 22:13:40 +0000
>>>
>>>> On Wed, 18 Nov 2020 08:41:03 -0500 me at tdiehl.org wrote:
>>>>> On Wed, 18 Nov 2020, Mark Foley via samba wrote:
>>>>>
>>>>>> After our office upgraded to Windows 10, time sync stopped working with the Windows
>>>>>> workstations. This used to work fine with Windows 7 and still works with linux domain members
>>>>>> (although that's not surprising).
>>>>>>
>>>>>> The Windows 10 workstations ended up operating off the CMOS clock. We didn't notice this for a long
>>>>>> time since the CMOS clock drift is slow, but after several months users started noticing up to
>>>>>> +/-6 minutes difference between their computers and the *real* time.
>>>>>>
>>>>>> Going to 'Date & Time settings > Sync Now' always gives "Time synchronization failed".
>>>>>>
>>>>>> For Windows 7 workstations, several years ago, I followed the advice in
>>>>>> https://www.meinbergglobal.com/english/info/ntp-w32time.htm which was to do the following on
>>>>>> the Windows 7 workstations:
>>>>>>
>>>>>>
>>>>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>>>>> w32tm /config /update
>>>>>>
>>>>>> Check the configuration:
>>>>>>
>>>>>> w32tm /query /source
>>>>>>
>>>>>> This worked and time was in-sync on the WIN7 computers for many years.  I did this after
>>>>>> upgrading/installing each Windows 10 workstation during 2019 Q4 and 2020 Q1, but apparently
>>>>>> that didn't work.
>>>>>>
>>>>>> For the Windows 10 workstations I create the "Time Source" group policy per the instructions in
>>>>>> https://wiki.samba.org/index.php/Time_Synchronisation. That didn't help either.
>>>>>>
>>>>>> Is it possible that the version of Samba I am using (Version 4.8.2) is too old for Windows 10?
>>>>>> I could upgrade to 4.13.2, but that is in the "experimental" release of Slackware and may or
>>>>>> may not install properly.
>>>>> I do not think 4.8.2 is too old for time sync to work with win 10. However
>>>>> 4.8.2 is EOL as far as samba is concerned.
>>>>>
>>>>> A couple of weeks ago I was still running 4.8.x on 2 different Ad domains
>>>>> and time sync was working fine on all of the clients, including the win 10.
>>>>>
>>>>> I would suggest you have a look at https://wiki.samba.org/index.php/Time_Synchronisation
>>>>> In particular make sure the symlink points to the correct place.
>>>>>
>>>>> After we upgraded the DC's to 4.12.x the symlinks got b0rked and that killed time sync
>>>>> for us. Fixing the symlinks and restarting chronyd and samba fixed the problem.
>>>>>
>>>>> FWIW, there is no extra configuration required on windows domain members assuming
>>>>> that the DC's are configured correctly. Just use w32tm /query /source to make sure
>>>>> the clients are using one of the DC's to sync from. If they are not then there is
>>>>> a problem with the DC configuration.
>>>>>
>>>>> Regards,
>>>>>
>>>>> -- 
>>>>> Tom			me at tdiehl.org
>>>>>
>>>> Tom - thanks for your reply.  Question: on your Windows 10 workstation when you go to the Date
>>>> & Time setting, what does it show for Time Server? After doing the steps described below on two
>>>> of the WIN10 workstations, one shows "Time Server: unspecified" and the other shows "Local CMOS
>>>> Clock".
>>>>
>>>> Can you click on "Sync Now" and have it work? I continue to get "Time synchronization failed".
>>>>
>>>> I've put these questions up-front so they don't get buried below.
>>>>
>>>> Your post was useful (though things still don't appear to be completely working). I'm using
>>>> ntpd, not chrony. Rechecking the
>>>> https://wiki.samba.org/index.php/Time_Synchronisation link I noted that it said, "Requirements:
>>>> ntpd >= 4.2.6 from http://www.ntp.org, compiled with enabled signed ntp support
>>>> (--enable-ntp-signd)". I didn't know if my version of ntpd was compiled with --enable-ntp-signd.
>>>>
>>>> While trying to figure that out I came across the potentially very useful webpage
>>>> https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain. It gave the following
>>>> instruction to see where Samba wants to put the ntp_signd socket:
>>>>
>>>> # netstat -xpln | grep signd
>>>> unix  2  [ ACC ]  STREAM  LISTENING  2071520535 19381/samba     /var/lib/samba/ntp_signd/socket
>>>>
>>>> This location is different from what the Samba wiki specified (/usr/local/samba/var/lib/ntp_signd),
>>>> so I changed my ntp.conf to be the one found by netstat.
>>>>
>>>> That blog also advised adding "noquery" to the restrict config:
>>>>
>>>> restrict default kod limited nomodify notrap nopeer noquery mssntp
>>>>
>>>> His example had two lines with -4 and -6 after the "restrict" directive, respectively. I hope
>>>> my not using those isn't a problem.
>>>>
>>>> Finally, the blog advised adding "listen":
>>>>
>>>> listen on 192.168.0.2
>>>>
>>>> This is the IP of the server running ntpd. Not sure why that would be needed, never was in the
>>>> past, hope it doesn't hurt.
>>>>
>>>> I restarted ntpd and, according to the blog, checked syslog to confirm signd:
>>>>
>>>> Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.
>>>>
>>>> So, there's my first problem! My ntpd is not compiled with --enable-ntp-signd. So, I downloaded
>>>> ntpd 4.2.8p15 (same version as I already have) from ntp.org and built it. Turns out that
>>>> --enable-ntp-signd is not a default for that either, so I re-config'd:
>>>>
>>>> ../configure --enable-ntp-signd
>>>>
>>>> When I restarted and checked the syslog I now have:
>>>>
>>>> Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
>>>>
>>>> which is what the blog says should be there.
>>>>
>>>> However, as stated at top, the Windows 10 workstations are still not syncing. On 3 of the
>>>> workstations I had manually set the time server to an external time server:
>>>>
>>>> w32tm /config /manualpeerlist:0.us.pool.ntp.org /syncfromflags:manual /reliable:YES /update
>>>>
>>>> and on several others I manually set the time server to the Samba AD server, per my O.P.:
>>>>
>>>> w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
>>>>
>>>> Prior to fixing ntpd with signd the workstations set to the external server were syncing since
>>>> the "Last successful time synchronization" kept updating. The ones set to the local Samba
>>>> server were months out of date.
>>>>
>>>> In order to try and undo my manual settings, I did the following on both external time-sync and
>>>> local Samba time-sync workstations:
>>>>
>>>> net stop w32time
>>>> w32tm /unregister
>>>> w32tm /register
>>>> net start w32time
>>>>
>>>> and rebooted. That didn't help. Still not getting time to sync with Samba, and:
>>>>
>>>> w32tm /query /source
>>>>
>>>> still shows "Local CMOS Clock".
>>>>
>>>> My current ntp.conf is below. If you or anyone has any idea as to what could still be wrong,
>>>> I'd greatly appreciate the help. This problem has been ongoing for several months.
>>>>
>>>> Below is my current ntp.conf:
>>>> ----------------------------
>>>> logfile /var/log/ntpd.log	# note, this file is empty!?
>>>>
>>>> server 0.pool.ntp.org iburst prefer
>>>> server 1.pool.ntp.org iburst
>>>> server  127.127.1.0     # local clock
>>>> fudge   127.127.1.0 stratum 10
>>>>
>>>> driftfile /etc/ntp/drift
>>>> ntpsigndsocket  /var/lib/samba/ntp_signd/socket
>>>>
>>>> listen on 192.168.0.2
>>>>
>>>> restrict default kod limited nomodify notrap nopeer noquery mssntp
>>>>
>>>> restrict 127.0.0.1
>>>> restrict ::1
>>>>
>>>> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>>>> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>>>>
>>> SOLVED!
>>>
>>> The last problem was with my ntpsigndsocket setting. Based on the netstat command (described
>>> above) I changed ntp.conf to:
>>>
>>> ntpsigndsocket /var/lib/samba/ntp_signd/socket
>>>
>>> The problem here is that "socket" from the netstat command is the actual socket. My setting
>>> caused a sub-directory "socket" to be created. The solution was to change the setting to:
>>>
>>> ntpsigndsocket  /var/lib/samba/ntp_signd
>>>
>>>
>>> Whew! This has been a months long struggle!
>> So, you didn't read this wiki page:
>> https://wiki.samba.org/index.php/Time_Synchronisation ?
>>
>> Rowland
> Yes, I did, as mentioned in my O.P. But there were some details the wiki didn't address in my
> case.
>
> First, the path stated in the wiki for the ntpsigndsocket was incorrect for my system.
It probably would be in a different place if you use distro packages, 
the wiki is written from the point of view of using a self compiled Samba.
>   I don't
> know why. Perhaps my distro put it somewhere else. A very useful blog:
> https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain, gave me instructions to
> determine where Samba creates the ntp_signd socket:

An even easier way to find out where your distro expects it is to run this 
command:

samba -b | grep 'NTP_SIGND_SOCKET_DIR'

It even works before you provision and start the domain.

>
> netstat -xpln | grep signd
>
> Which on my system gave:
>
> /var/lib/samba/ntp_signd/socket
>
> versus the wiki:
>
> /usr/local/samba/var/lib/ntp_signd/
Yes, but if you use the first path, it is still wrong.
>
> So, I had to change the ntpsigndsocket setting in ntp.conf or nothing was going to work. Perhaps
> this tip should be included in the wiki doc.
No, but perhaps we need to mention that all paths refer to a self 
compiled Samba unless otherwise mentioned.
>
> Second, I didn't realize that the netstat command gave me the full path, including the socket
> itself. So my correct ntpsigndsocket setting is:
>
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> As part of this point, I didn't know Samba had to be allowed to create the ntp_signd directory.
> So I had to stop Samba and ntpd and do:
>
> rm -r /var/lib/samba/ntp_signd
>
> Even though I had the correct path, timesync still would not work until I removed this
> directory.  I found this tip in another post whose URL I don't recall.  Again, perhaps this
> should be part of the aforementioned wiki tip.
Problem is, I don't create the directory and allow Samba to create it, 
but Louis creates it before he starts Samba and ntp, both methods seem 
to work, but seemingly not for yourself, perhaps the permissions were 
incorrect ?
>
> Finally, I had no way of knowing for sure that my ntpd was built with --enable-ntp-signd or
> not. ntpd does not have equivalent of samba's -b option to show how it was built. Again, the
> blog mentioned above gave the tip to look in syslog which should show:
>
> Apr  9 20:15:24 dc ntpd[30129]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
>
> to confirm SIGND was working. Instead, I got:
>
> Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, this ntpd was configured without --enable-ntp-signd.
>
> confirming that my ntpd was not built with --enable-ntp-signd. By default, the build of sources
> from ntp.org also does not build with --enable-ntp-signd by default. To do so, one must run:
>
> .configure --enable-ntp-signd
>
> This tip on determining whether or not ntpd was built with --enable-ntp-signd would also be
> useful in the wiki.
>
> Perhaps I'm the only one who has run into this issue, but if these two tips (netstat to
> determine the socket path and syslog to determine SIGND enabled) had been included in the wiki
> it would have saved me hours of searching through the web for numerous useful links.

The part about checking if NTP was built to use ntp-signd should be in 
the wiki, so I will add it.

You are not the first person to mention the wiki paths, but then again 
it doesn't come up that often, but it is often enough that we should 
document it somewhere, probably on the first page ???

Rowland
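
The checks worked out over this thread, collected as an added example that is not part of any list message or of the Samba wiki: it tests that ntpsigndsocket names the directory rather than the socket file, that it matches the directory Samba was built with, that a restrict line carries mssntp, and which of the two ntpd startup messages was logged last. The function names and return codes are made up for this example, and the sample config is constructed.

```sh
#!/bin/sh
# Added example: sanity checks for the ntpd/Samba signd setup discussed in the thread.

# Print the last ntpsigndsocket value in an ntp.conf, ignoring comments.
signd_path() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "ntpsigndsocket" { p = $2 } END { if (p != "") print p }'
}

# check_signd_conf CONF EXPECTED_DIR
# 0 = ok, 1 = no ntpsigndsocket line, 2 = value names the socket file itself,
# 3 = value differs from EXPECTED_DIR, 4 = no restrict line carries mssntp.
check_signd_conf() {
    conf=$1
    expected=${2%/}
    path=$(signd_path "$conf")
    [ -n "$path" ] || return 1
    path=${path%/}
    case $path in */socket) return 2 ;; esac
    [ "$path" = "$expected" ] || return 3
    sed -e 's/#.*//' "$conf" |
        grep -Eq '^[[:space:]]*restrict[[:space:]].*[[:space:]]mssntp([[:space:]]|$)' ||
        return 4
    return 0
}

# check_signd_log LOG
# Judges by the most recent of the two ntpd startup messages quoted in the thread:
# 0 = signd support active, 1 = ntpd built without it, 2 = neither message found.
check_signd_log() {
    last=$(grep -E 'ntpd\[[0-9]+\]: (mssntp restrict bit ignored|MS-SNTP signd operations)' "$1" | tail -n 1)
    case $last in
        *'mssntp restrict bit ignored'*) return 1 ;;
        *'MS-SNTP signd operations'*) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample (not from a real host): the mis-set value from the thread.
tmp=$(mktemp -d)
printf '%s\n' 'ntpsigndsocket /var/lib/samba/ntp_signd/socket' \
    'restrict default kod limited nomodify notrap nopeer noquery mssntp' > "$tmp/ntp.conf"
check_signd_conf "$tmp/ntp.conf" /var/lib/samba/ntp_signd
echo "conf check exit code: $? (2 = path names the socket, not its directory)"
rm -r "$tmp"
```

On a real DC, pass your ntp.conf and the directory reported by `samba -b | grep 'NTP_SIGND_SOCKET_DIR'` to check_signd_conf, and your syslog file to check_signd_log.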




