[Samba] help with chrony time synchronisation
Kacper Wirski
kacper.wirski at gmail.com
Thu Nov 6 15:30:17 UTC 2025
Oh, that's very interesting, thank you for the information. I have raised my
schema/functional level, so that's probably what broke the previously working
configuration.
On 06.11.2025 at 16:25, Steven Monai via samba wrote:
> On 2025-11-06 5:24 a.m., Kacper Wirski via samba wrote:
>>
>> I would be very glad if someone confirmed that they have a working time
>> service with a similar config (samba 4 on debian bookworm with chrony
>> 4.22.3+ and windows clients using nt5ds, default for domain joined
>> clients).
>>
>
> For what it's worth, my recent experience with NT5DS (i.e. MS-SNTP) on
> Debian-based Samba AD DCs using chrony has been as follows:
>
> On Debian Bookworm, with Samba 4.17.x (with domain function level
> 2008_R2), MS-SNTP works correctly. Domain-joined Windows clients
> configured for NT5DS/DOMHIER (or also ALLSYNC) obtain authenticated
> time from the Samba DCs via MS-SNTP without issue.
>
> On Debian Trixie, with Samba 4.22.x (with domain function level also
> at 2008_R2), MS-SNTP-authenticated time sync also works fine.
>
> However, the moment the domain function level is upgraded (to 2016),
> MS-SNTP time sync from chrony stops working. Unauthenticated NTP is
> then the only option that does work, which means using GPO (or local
> w32tm.exe commands) to give Windows clients a "manualpeerlist" of the
> DCs to get (unauthenticated) time from.
>
> Interestingly, a recent version of ntpsec (as in Debian Trixie) does
> also appear to serve MS-SNTP correctly to
> NT5DS/DOMHIER/ALLSYNC-configured Windows clients, provided that the
> domain function level is 2008_R2. (Again, upgrading the domain
> function level from 2008_R2 immediately breaks MS-SNTP service from
> ntpsec.)
>
> In summary, both chrony and ntpsec can provide MS-SNTP service to
> Windows domain clients of Samba AD, provided that the domain function
> level is 2008_R2. Newer domain function levels seem to prevent MS-SNTP
> working. Perhaps this is by design? Or a bug? I don't know.
>
> -S.M.
>
>
>