[Samba] Samba domain time sync woes (Debian Bookworm)
Peter Milesson
miles at atmos.eu
Fri Aug 11 07:30:56 UTC 2023
On 10.08.2023 19:52, Michael Tokarev via samba wrote:
> FWIW, I looked at the settings in our domain (all of which I did myself).
> I used to explicitly set up ntp time sources in our network for all windows
> workstations before, and I continued to provide these after conversion from
> nt4-style domain to samba AD-DC. The NTP records are provided by DHCP, and
> are configured in the GPO, both with regional differences (choosing the local
> NTP servers within each location). None of our AD-DC run NTP server by itself,
> but all synchronize to the same NTP servers.
>
> Here's a typical output on a windows workstation:
>
> # w32tm /query /status
> Leap Indicator: 0(no warning)
> Stratum: 3 (secondary reference - syncd by (S)NTP)
> Precision: -23 (119.209ns per tick)
> Root Delay: 0.0030693s
> Root Dispersion: 0.2549162s
> ReferenceId: 0xC0A8B105 (source IP: 192.168.177.5)
> Last Successful Sync Time: 10.08.2023 20:42:45
> Source: ntp.tls.msk.ru,0x9
> Poll Interval: 15 (32768s)
>
> All this is run with ntpsec now (on debian bookworm). Local NTP servers at
> different locations also synchronize with each other.
>
> There's no (zero) problems with time synchronization (or AD, or DNS, or GPO or
> anything else) across whole network.
>
> FWIW.
>
> /mjt
>
Hi Michael,
Fortunately, I have got a small network to take care of.
As there are lots of other tasks (as usual) for a single IT guy at the
company, I used to install new Windows domain computers, registering
them with the domain, and things just worked (with ntp). After upgrading
the DCs and member servers to Debian Bookworm with ntpsec, I started to
notice clock drift. Mostly, it was just a second here and there, but one
PC drifted substantially. That triggered my curiosity, and I started to
dig into this problem. After almost a day's work analyzing the problem,
it was evident that ntpsec did not work as a time source the way things
were set up.
I could have changed the setup to let the Windows domain PCs sync the
time with a GPO defining which NTP servers to use, or continue trying to
use the DCs as a reliable time source. As usual, the less you have got
to set up and fiddle with, the less you have got to keep an eye on. For
me the easiest way out was to get to the root of the problem. That
problem was ntpsec. Up till now, I have always used ntp for keeping
time, but as Debian has chosen to switch to ntpsec, that's not an option
any more. Chrony was painless to set up and get working with Samba (about
5 minutes). AFAIK, RedHat has used Chrony for many years, so I was not
reluctant to switch.
As usual with Linux, there are multiple ways to get to a solution. In my
case it was switching from ntpsec to Chrony. If you have got hundreds,
or thousands of devices to manage, your solution is probably the right
one for you. In my case, I found the solution I'm satisfied with. That's
the beauty with open systems.
Best regards,
Peter