[Samba] help with chrony time synchronisation
Steven Monai
stevemoca at gmail.com
Thu Nov 6 15:25:04 UTC 2025
On 2025-11-06 5:24 a.m., Kacper Wirski via samba wrote:
>
> I would be very glad if someone confirmed that they have a working time
> service with a similar config (samba 4 on debian bookworm with chrony
> 4.22.3+ and windows clients using nt5ds, default for domain joined clients).
>
For what it's worth, my recent experience with NT5DS (i.e. MS-SNTP) on
Debian-based Samba AD DCs using chrony has been as follows:

On Debian Bookworm, with Samba 4.17.x (with domain function level
2008_R2), MS-SNTP works correctly. Domain-joined Windows clients
configured for NT5DS/DOMHIER (or also ALLSYNC) obtain authenticated time
from the Samba DCs via MS-SNTP without issue.

On Debian Trixie, with Samba 4.22.x (with domain function level also at
2008_R2), MS-SNTP-authenticated time sync also works fine.

However, the moment the domain function level is upgraded (to 2016),
MS-SNTP time sync from chrony stops working. Unauthenticated NTP is then
the only option that does work, which means using GPO (or local
w32tm.exe commands) to give Windows clients a "manualpeerlist" of the
DCs to get (unauthenticated) time from.

Interestingly, a recent version of ntpsec (as in Debian Trixie) does also
appear to serve MS-SNTP correctly to NT5DS/DOMHIER/ALLSYNC-configured
Windows clients, provided that the domain function level is 2008_R2.
(Again, upgrading the domain function level from 2008_R2 immediately
breaks MS-SNTP service from ntpsec.)

In summary, both chrony and ntpsec can provide MS-SNTP service to
Windows domain clients of Samba AD, provided that the domain function
level is 2008_R2. Newer domain function levels seem to prevent MS-SNTP
working. Perhaps this is by design? Or a bug? I don't know.

-S.M.