[Samba] DC Time Problems
jamesb192 at jamesb192.com
Wed Oct 25 18:10:57 UTC 2023
> On 10/25/2023 9:53 AM PDT Ham via samba <samba at lists.samba.org> wrote:
> It appears that none of our Windows clients are syncing their time with
> the samba DC. From what I can tell they are not able to get a
> response from the DC. For example, where the DC is named athena:
> >w32tm /monitor /computers:athena
> ICMP: 0ms delay
> NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> From a Linux machine there is also no response:
> ntpdate -q athena
> 24 Oct 16:47:41 ntpdate: no server suitable for
> synchronization found
> Here is the DC /etc/ntpsec/ntp.conf:
> # Where to retrieve the time from
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> server 2.pool.ntp.org iburst prefer
> driftfile /var/lib/ntpsec/ntp.drift
> logfile /var/log/ntp.log
> #logconfig =all
> ntpsigndsocket /var/lib/samba/ntp_signd/
> # Access control
> # Default restriction: Allow clients only to query the time
> #restrict default kod nomodify notrap nopeer limited mssntp
> restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> # No restrictions for "localhost"
> restrict 127.0.0.1
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
> restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
> My DC is using Debian 11 and the Samba package from Debian.
> Any ideas on what the problem is?
The version of NTPsec that ships with Debian Bookworm has broken MS-SNTP support; no one here wants to help. I would suggest turning off the mssntp restrict in default before listening to the vitriolic shitstorm a couple of people here will unleash.
Or you can follow the bleating; using chrony and crapping on NTPsec.