[Samba] Unable to join domain

Patrick Goetz pgoetz at math.utexas.edu
Tue Oct 12 15:54:14 UTC 2021



On 10/12/21 10:18, Rowland Penny via samba wrote:
> On Tue, 2021-10-12 at 09:42 -0500, Patrick Goetz via samba wrote:
>>
>> On 10/12/21 04:27, Rowland Penny via samba wrote:
>>> On Tue, 2021-10-12 at 11:14 +0200, L.P.H. van Belle via samba wrote:
>>>> Oh yes, this can work fine.
>>>>
>>>> AD-DC, time is given to the PCs over the AD (not NTP directly).
>>>> Sure, you can configure that, but I didn't.
>>>>
>>>> Members, systemd-timedated used the AD-DC's NTP to sync.
>>>> Standalones (I have 1), same.
>>>>
>>>> The members don't need SNTP to sync time, only the AD-DC <=> Windows.
>>>> And you can even overrule that, but I'm not doing that.
>>>>
>>>> timedatectl show-timesync
>>>> SystemNTPServers="192.168.1.1 192.168.1.2"
>>>>
>>>
>>> I repeat, your clients are not using the DCs directly for time, you
>>> might be okay with this, but I am not, but hey, they are your clients :-)
>>>
>>>
>>
>> I'm not sure why this matters if the drift is less than the allowable
>> Kerberos time difference.
> 
> It is this: People can and will do things their own way. I cannot know
> or remember how they do things their way, I have a bad enough time
> remembering the recommended way :-)
> 


That's fair. I have a dozen or so Ubuntu workstations at work bound to 
an AD domain, and haven't bothered to configure systemd-timedated on 
them, either:

cnsit@armadillo:~$ timedatectl show-timesync
FallbackNTPServers=ntp.ubuntu.com
ServerName=ntp.ubuntu.com
ServerAddress=91.189.89.198
RootDistanceMaxUSec=5s
PollIntervalMinUSec=32s
PollIntervalMaxUSec=34min 8s
PollIntervalUSec=34min 8s
NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23, 
RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B, 
OriginateTimestamp=Tue 2021-10-12 10:08:51 CDT, ReceiveTimestamp=Tue 
2021-10-12 10:08:51 CDT, TransmitTimestamp=Tue 2021-10-12 10:08:51 CDT, 
DestinationTimestamp=Tue 2021-10-12 10:08:51 CDT, Ignored=no 
PacketCount=541, Jitter=2.738ms }


It just hasn't ever been a problem. The time differences are too close 
for Kerberos to care.  Yes, I probably *should* configure this, but I'm
a member of the old school "If it ain't broke, don't fix it" club. One
usually ends up there after a number of years of systems engineer 
experience. After one too many times of fixing something that was 
working and consequently breaking it; then wondering what the hell were 
you thinking not leaving well enough alone.


> Just because I say don't do it that way, doesn't mean it will
> definitely not work (it possibly will), but it is just not the Samba
> recommended way of doing things and I cannot test everything (so I know
> it does work, or not). If anyone feels that something does work and can
> prove it, then register for the wiki and edit it to add that
> information.
>

Did not know mere mortals could sign up for Wiki editing. Will do so, if 
only to fix some vaguely annoying typos I've run into.




> Rowland
>   
> 
> 
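
One way to audit the `timedatectl show-timesync` output discussed in this thread for whether a domain member takes its time from a DC. This is an added example, not code from any poster or from Samba; the sample text is constructed from the two outputs quoted above, and `DOMAIN_CONTROLLERS` is an assumed address set that reuses the two addresses from the first output for illustration.

```python
# Constructed inputs: the two `timedatectl show-timesync` outputs quoted in the
# thread, including the mail-wrapped NTPMessage value (shortened).
WORKSTATION = """\
FallbackNTPServers=ntp.ubuntu.com
ServerName=ntp.ubuntu.com
ServerAddress=91.189.89.198
NTPMessage={ Leap=0, Version=4, Mode=4, Stratum=2, Precision=-23,
RootDelay=1.113ms, RootDispersion=40.023ms, Reference=11FD227B,
Ignored=no PacketCount=541, Jitter=2.738ms }
"""
MEMBER = 'SystemNTPServers="192.168.1.1 192.168.1.2"\n'

# Assumption: these are the site's DC addresses (hypothetical for this example).
DOMAIN_CONTROLLERS = {"192.168.1.1", "192.168.1.2"}


def parse_show_timesync(text):
    """Return {property: value}; a '{ ... }' value may span wrapped lines."""
    props, open_key = {}, None
    for line in text.splitlines():
        if open_key:  # still inside a wrapped NTPMessage={ ... } value
            props[open_key] += " " + line.strip()
            if "}" in line:
                open_key = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank line or shell prompt, not a property
        props[key.strip()] = value.strip().strip('"')
        if value.lstrip().startswith("{") and "}" not in value:
            open_key = key.strip()
    return props


def audit_time_source(props, dcs=DOMAIN_CONTROLLERS):
    """Return findings for a domain member; an empty list means DC-sourced time."""
    findings = []
    configured = set(props.get("SystemNTPServers", "").split())
    if not configured:
        findings.append("no SystemNTPServers set; fallback: "
                        + props.get("FallbackNTPServers", "(none)"))
    elif not configured <= dcs:
        findings.append("non-DC servers configured: "
                        + " ".join(sorted(configured - dcs)))
    active = props.get("ServerAddress")
    if active and active not in dcs:
        findings.append("active server " + active + " is not a domain controller")
    return findings
```
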


