[Samba] help with chrony time synchronisation

Peter Milesson miles at atmos.eu
Thu Nov 6 14:57:36 UTC 2025


On 06.11.2025 13:23, Kacper Wirski via samba wrote:
> Hello,
>
> It came to my attention, that recently time synchronisation has 
> stopped working properly in my environment, and I can't wrap my head 
> around it, maybe someone here can give me some ideas.
>
> I'm running latest samba 4 on debian bookworm (backports) as an AD DC. 
> Schema/functionality upgraded.
>
> The time service is chrony. Service is running, I checked with the wiki's 
> entry, I re-checked permissions on /var/lib/samba/ntp_signd, the proper 
> entry is there in chrony.conf
>
> Windows clients, domain joined, different OSes (Windows Server 2012, 
> Windows Server 2016, Windows 11) all show a similar issue:
>
> 1) if I set from the client the manualpeerlist (w32tm /config 
> /manualpeerlist:<FQDN> /syncfromflags:MANUAL /update) and direct them 
> precisely at DC1 (that is my samba server with the PDC FSMO), it works 
> fine, I see Windows setting with "w32tm /query /source" dc1 and I see 
> it actively syncing
>
> 2) If I use the default on the client or re-set it (w32tm /config 
> /syncfromflags:DOMHIER /update) and then "w32tm /resync /rediscover" 
> or "w32tm /resync /force")
>
> I see two things:
>
> - first client tries to use different DC (one that is not the owner of 
> PDC FSMO) - it fails, server receives request, but doesn't respond
>
> - dc2 (the one that is preferred on most clients) has the same chrony 
> setup, /var/lib/samba/ntp_signd has valid owner/chmod settings and on 
> startup chrony logs
>
> - eventually client tries using dc1 but somehow fails too (even though 
> with /manualpeerlist - it doesn't)
>
>
> I have kerberos normally working fine, gpo, logins work fine across 
> all windows platforms that are joined to the AD, DNS is working 
> properly (from client side even w32tm /monitor lists proper DC entries 
> with dc1 as PDC fsmo). On startup I see the "MS-SNTP authentication 
> enabled".
>
> Firewall isn't blocking, because example 1) works fine. When running 
> w32tm /resync /rediscover client.
>
>
> I read a long thread on this mailing list from January about chrony 
> issues, I found the information, which helped, that on the wiki page 
> in the example config:
>
> "keys" directive is uncommented which, should, as far as I understand, 
> be commented out.
>
> My questions first are:
>
> 1) should non-PDC role owners respond to windows clients?
>
> 2) if only the PDC should, why do Windows clients decide to use the non-PDC 
> one as their first time source, even though they can look up which DC is 
> carrying the PDC fsmo role?
>
> 3) what else I might be missing?
>
>
> Regards,
>
> Kacper Wirski
>
>
Hi Kacper,

Here we go again for the n:th time.

If you want time synchronization with a recent Samba DC from a Windows 
client, this is the only hack that works:

- Run regedit
- Change the value of 
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed 
to 0 (zero)

Open a CMD prompt as administrator on the Windows box
- Run w32tm /config /syncfromflags:DOMHIER /reliable:YES /update
- Run net stop w32time && net start w32time
- Wait a few seconds and run w32tm /query /status

This hack does not allow secure synchronization, but it works. But you 
don't need to hardcode an NTP server, as the Windows client now uses a DC 
for time synchronization. You could create a GPO to push it out to many 
Windows clients. Not worth the trouble for just a few clients.

Still waiting for a working secure time synchronization with a Samba DC 
for many years...

Best regards,

Peter
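The workaround above, written out as a single PowerShell script with a verification step at the end. This is an added example, not code from the mailing-list post; it assumes an elevated PowerShell session on a domain-joined Windows client and reproduces the registry key and w32tm commands exactly as given in the reply.

```powershell
# Added example: apply the SignatureAuthAllowed=0 workaround and verify it.
# Assumption: run as Administrator on a domain-joined Windows client.
# Caveat: with SignatureAuthAllowed=0 the client accepts unsigned NTP replies
# from the DC, so the time sync is no longer MS-SNTP authenticated.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'
$name = 'SignatureAuthAllowed'

# Record the current value so the change can be reverted later.
$old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current $name = $old (default is 1)"

Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord

# Use the domain hierarchy (a DC) as time source, then restart w32time.
w32tm /config /syncfromflags:DOMHIER /reliable:YES /update | Out-Null
Restart-Service -Name w32time
Start-Sleep -Seconds 5
w32tm /resync /rediscover | Out-Null

# Verify: the source should now be a DC, not the local clock.
$source = (w32tm /query /source | Out-String).Trim()
Write-Host "Time source: $source"
w32tm /query /status | Where-Object { $_ -match 'Source|Stratum|Last Successful Sync' }

if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Client is still not syncing from a DC; check chrony and ntp_signd on the DC side."
}
```

To revert, set the value back to the number recorded in $old and restart w32time again.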