[Samba] Time sync issue
Bo Kersey
bo at vircio.com
Wed Apr 2 21:04:23 UTC 2025
I'm a little late to the game on this. Just upgraded a few of our Samba servers to Ubuntu 24.04 and was pleased to see ntpsec... And today I see that time is not syncing on the Windows machines.
Before I saw the registry entry workaround on this mailing list, I did some testing. Found that I can sync older Linux machines with the newer ntpsec servers without problems (tested with ntpdate), but Windows machines would not sync. So, I went into GPO and changed the Windows NTP Client settings to use type NTP instead of NT5DS. Once that was done and GPO had been updated on the machines, time sync started working.... No service restarts or reboots required.
It's nice that NT5DS has some level of encryption, but to use that the NTP server on the network has to use no encryption. Seems that no encryption/verification on the LAN is better than no encryption/verification over the Internet. So, I'm keeping ntpsec to sync time with the internet and downgrading the Windows machines to use plain NTP on the LAN.
Is my logic valid?
Bo Kersey
In theory there is no difference between theory and practice. In practice, there is. - noted philosopher Yogi Berra
----- Original Message -----
> From: "Luis Peromarta via samba" <samba at lists.samba.org>
> To: "Samba List" <samba at lists.samba.org>
> Sent: Tuesday, March 11, 2025 5:46:38 AM
> Subject: Re: [Samba] Time sync issue
> This is my same experience, never needed the reg key nor could I reproduce the
> problem if following my notes in samba.bigbird.es
>
> All the best.
> On 11 Mar 2025 at 10:30 +0100, Stefan G. Weichinger via samba
> <samba at lists.samba.org>, wrote:
>> On 10.03.25 at 18:13, Peter Milesson via samba wrote:
>>
>> > Hi Stefan,
>> >
>> > I can confirm that setting
>> >
>> > HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/
>> > SignatureAuthAllowed
>> >
>> > to 0 is working. You don't need any more complex GPOs than that. I have
>> > tried it with Windows 7, Windows 10 and Windows 11.
>> >
>> > On the flip side, the clients will synchronize with the DCs, the
>> > drawback is naturally, without the security features. Any other method
>> > previously described, where time data is supplied by external servers,
>> > is a last resort option.
>>
>> thank you.
>>
>> So far the customer told me that all the tested PCs (Windows 11) have
>> the correct time today after setting up samba with chrony yesterday.
>>
>> bingo
>>
>> I don't have that registry key in place, I think. I'd have to check on
>> site ... that might have been set years ago. But I assume: no.
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
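A read-only check for the two client-side settings discussed in this thread, as an added example (not posted by any list member): it reports the W32Time client Type (GPO value first, then the local service value) and whether SignatureAuthAllowed is set. The function names are hypothetical, and the policy and Parameters registry paths are the standard W32Time locations, assumed here rather than taken from the thread.

```powershell
# Added example: read-only report of the W32Time client settings named in the thread.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-TimeSyncPosture {
    # Assumption: standard W32Time locations (GPO-delivered and local service settings).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    # Key quoted in the thread for SignatureAuthAllowed.
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'

    # A Type delivered by GPO overrides the local service setting.
    $origin = 'GPO'
    $type   = Get-RegValue $policy 'Type'
    $peers  = Get-RegValue $policy 'NtpServer'
    if ($null -eq $type) {
        $origin = 'local'
        $type   = Get-RegValue $local 'Type'
        $peers  = Get-RegValue $local 'NtpServer'
    }
    $sigAuth = Get-RegValue $client 'SignatureAuthAllowed'

    # "$type" turns a missing value into '' so the default branch always runs.
    $note = switch ("$type") {
        'NT5DS' {
            if ($sigAuth -eq 0) { 'Domain hierarchy sync; SignatureAuthAllowed=0 (registry workaround from the thread)' }
            else { 'Domain hierarchy sync; SignatureAuthAllowed is not set to 0' }
        }
        'NTP'     { 'Plain NTP to the configured NtpServer peers (the GPO change from the thread)' }
        'AllSync' { 'Domain hierarchy and manually configured peers are both used' }
        'NoSync'  { 'The time service does not synchronize' }
        default   { 'Type value not found or not recognized' }
    }

    [pscustomobject]@{
        Type                 = $type
        TypeSetBy            = $origin
        NtpServer            = $peers
        SignatureAuthAllowed = if ($null -eq $sigAuth) { 'not set' } else { $sigAuth }
        Assessment           = $note
    }
}

Get-TimeSyncPosture | Format-List
```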