[Samba] Time sync issue

Virgo Pärna virgo.parna at mail.ee
Tue Feb 18 09:06:02 UTC 2025


	When chasing possible issues with Windows 11 being unable to log in, I 
initially noticed that on the primary DC ntpdate -q dc.domain did not 
respond. And I did fix it (but incorrectly).
	Yesterday I noticed that none of the Windows computers had actually 
synced time since a few days after the Samba upgrade.
	I did also have a backup Samba DC, running in a container. There I 
upgraded Samba at the same time. And the computers were actually syncing to 
that backup DC.
	The primary DC was using the ntpsec time server. The backup DC was using chrony.
	I now noticed that ntpsec complained at startup that the restrict line in 
the configuration file that specified mssntp was invalid.
	After correcting that line the server stopped responding even to ntpdate 
-q requests. There were no errors or warnings in the ntpsec log. And ntpsec 
had permission for /var/lib/samba/ntp_signd/.

	So I replaced it with chrony, changed /var/lib/samba/ntp_signd/ 
permissions to allow chrony and configured chrony with
ntpsigndsocket /var/lib/samba/ntp_signd/
	Basically the same configuration that used to work in the BDC container.

	After restarting chrony, chrony would respond to ntpdate -q requests, which 
was an advancement compared to ntpsec. But Windows computers would still 
not sync. Using Wireshark I could see that when running
w32tm /resync
there were packets going to the time server but no response. Requests had a 
Key ID and a 68 byte Message Authentication Code (with one byte set to 01, 
according to Wireshark).
w32tm /monitor would send requests not from port 123 and without a Key ID 
or Message Authentication Code. And that would receive a response.

After changing in the Windows registry under 
HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient
the value of SignatureAuthAllowed from 1 to 0 and restarting the w32time service, 
w32tm /resync would work, there would be responses and time would 
sync. And Wireshark shows that requests are sent with the same Key ID 
value, but the Message Authentication Code is instead 16 bytes, all zeros. 
And it does receive responses.

lsof | grep /var/lib/samba/ntp_
shows that ntp_signd has /var/lib/samba/ntp_signd/socket open in LISTEN 
and CONNECTED mode.



PS: That did not fix the login issue. And it would have been strange if it had, 
because the clock was at most a few seconds out of sync. So Kerberos should not 
have had any issues.



-- 
Virgo Pärna
virgo.parna at mail.ee
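The three request shapes the post reports seeing in Wireshark (a bare 48-byte header from w32tm /monitor, a request carrying a Key ID plus a non-zero MAC from w32tm /resync, and the same request with a 16-byte all-zero MAC after SignatureAuthAllowed was set to 0) can be told apart from the packet bytes alone. The following dissector is an added example, not code from the post, Samba or chrony: it parses the RFC 5905 header and the optional key-identifier/MAC trailer and labels each request by whether a DC-side time server would have to hand the reply to ntp_signd for signing. The packets are constructed here to match the sizes described in the post, the key id value is a hypothetical RID, and the MS-SNTP signing itself is not implemented.

```python
"""Dissect NTP client requests and classify their authenticator.

Added example; not from the mailing-list post, Samba or chrony. The sample
packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5905: fixed 48-byte header, optionally followed by a 4-byte key
# identifier and a message digest (together the "authenticator").
NTP_HEADER_LEN = 48
NTP_MODE_CLIENT = 3

# Hypothetical RID of a computer account; MS-SNTP clients carry the RID in
# the key identifier so the DC can look up the machine account's key.
HYPOTHETICAL_RID = 0x4A1


@dataclass(frozen=True)
class NtpRequest:
    leap: int
    version: int
    mode: int
    transmit_ts: int
    key_id: Optional[int]   # None when the packet is a bare 48-byte header
    mac: Optional[bytes]    # digest bytes that follow the key identifier

    def classify(self) -> str:
        """Label the request the way it matters to a DC's time server."""
        if self.key_id is None:
            return "unauthenticated"      # bare header, e.g. a w32tm /monitor probe
        if not self.mac or not any(self.mac):
            return "keyid-zero-mac"       # key id present, digest all zeros
        return "signed"                   # reply must be signed via ntp_signd


def parse_request(packet: bytes) -> NtpRequest:
    """Parse the header and any trailing authenticator of an NTP packet."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError(f"short NTP packet: {len(packet)} bytes")
    first = packet[0]
    leap, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    # Transmit timestamp is the last 8 bytes of the header (seconds, fraction).
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    transmit_ts = (tx_sec << 32) | tx_frac
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return NtpRequest(leap, version, mode, transmit_ts, None, None)
    if len(trailer) < 4:
        raise ValueError("authenticator present but key identifier is truncated")
    key_id = struct.unpack("!I", trailer[:4])[0]
    return NtpRequest(leap, version, mode, transmit_ts, key_id, trailer[4:])


def build_request(version: int = 3, key_id: Optional[int] = None,
                  mac: bytes = b"", transmit_ts: int = 0xE8D4A51000000000) -> bytes:
    """Construct a mode-3 client request; used only to make sample packets."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (version << 3) | NTP_MODE_CLIENT
    struct.pack_into("!II", header, 40, transmit_ts >> 32, transmit_ts & 0xFFFFFFFF)
    if key_id is None:
        return bytes(header)
    return bytes(header) + struct.pack("!I", key_id) + mac


# Constructed samples shaped like the three cases the post describes.
SAMPLE_MONITOR = build_request()                                           # 48 bytes
SAMPLE_RESYNC_SIGNED = build_request(key_id=HYPOTHETICAL_RID,
                                     mac=b"\x01" + bytes(67))              # 68-byte MAC, one byte 01
SAMPLE_RESYNC_AFTER_REGISTRY = build_request(key_id=HYPOTHETICAL_RID,
                                             mac=bytes(16))                # 16 zero bytes


def triage(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Return (packet length, classification) for each captured request."""
    return [(len(p), parse_request(p).classify()) for p in packets]


if __name__ == "__main__":
    for size, label in triage([SAMPLE_MONITOR, SAMPLE_RESYNC_SIGNED,
                               SAMPLE_RESYNC_AFTER_REGISTRY]):
        print(f"{size:4d} bytes  {label}")
```

Only the "signed" class exercises the ntpsigndsocket path, which is why an unsigned probe such as ntpdate -q can succeed while Windows clients with SignatureAuthAllowed=1 still get no reply; running the dissector over a pcap export of the requests separates the two cases before looking at socket permissions.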



