[Samba] Samba domain time sync woes (Debian Bookworm)

[Peter Milesson]

On 10.08.2023 19:52, Michael Tokarev via samba wrote:
> FWIW, I looked at the settings in our domain (all of which I did myself).
> I used to explicitly set up ntp time sources in our network for all 
> windows
> workstations before, and I continued to provide these after conversion 
> from
> nt4-style domain to samba AD-DC.  The NTP records are provided by 
> DHCP, and
> are configured in the GPO, both with regional differences (choosing 
> the local
> NTP servers within each location).  None of our AD-DC run NTP server 
> by itself,
> but all syncronize to the same NTP servers.
>
> Here's a typical output on a windows workstation:
>
> # w32tm /query /status
> Leap Indicator: 0(no warning)
> Stratum: 3 (secondary reference - syncd by (S)NTP)
> Precision: -23 (119.209ns per tick)
> Root Delay: 0.0030693s
> Root Dispersion: 0.2549162s
> ReferenceId: 0xC0A8B105 (source IP:  192.168.177.5)
> Last Successful Sync Time: 10.08.2023 20:42:45
> Source: ntp.tls.msk.ru,0x9
> Poll Interval: 15 (32768s)
>
> All this is run with ntpsec now (on debian bookworm). Local NTP servers at
> different locations also syncronize with each other.
>
> There's no (zero) problems with time syncronization (or AD, or DNS, or 
> GPO or
> anything else) across whole network.
>
> FWIW.
>
> /mjt
>
Hi Michael,

Fortunately, I have got a small network to take care of.

As there are lots of other tasks (as usual) for a single IT guy at the 
company, I used to install new Windows domain computers, registering 
them with the domain, and things just worked (with ntp). After upgrading 
the DCs and member servers to Debian Bookworm with ntpsec, I started to 
notice clock drift. Mostly, it was just a second here and there, but one 
PC drifted substantially. That triggered my curiosity, and I started to 
dig into this problem. After almost a days work analyzing the problem, 
it was evident that ntpsec did not work as a time source the way things 
were setup.

I could have changed the setup to let the Windows domain PCs sync the 
time with a GPO defining which NTP servers to use, or continue try to 
use the DCs as a reliable time source. As usual, the less you have got 
to setup and fiddle with, the less you have got to keep an eye on. For 
me the easiest way out was to get to the root of the problem. That 
problem was ntpsec. Up till now, I have always used ntp for keeping 
time, but as Debian has chosen to switch to ntpsec, that's not an option 
any more. Chrony was painless to setup and get working with Samba (about 
5 minutes). AFAIK, RedHat uses Chrony for many years, so I was not 
reluctant to switch.

As usual with Linux, there are multiple ways to get to a solution. In my 
case it was switching from ntpsec to Chrony. If you have got hundreds, 
or thousands of devices to manage, your solution is probably the right 
one for you. In my case, I found the solution I'm satisfied with. That's 
the beauty with open systems.

Best regards,

Peter