Running "w32tm /config /update /syncfromflags:DOMHIER && net stop w32time && net start w32time" should make the client query the directory for its time server. You can verify the configuration with "w32tm /query /configuration" and look for the "Type" to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working. I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected.

On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amar...@xes-inc.com> wrote:

> ----- Original Message -----
> > From: "Thomas Simmons" <twsn...@gmail.com>
> > To: "Andrew Martin" <amar...@xes-inc.com>
> > Cc: samba@lists.samba.org
> > Sent: Saturday, July 27, 2013 11:03:49 AM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> >
> > The ls -l command you ran shows the ntp_signd directory is empty, so
> > it looks like samba is not creating the socket (at least in that
> > location). Do you have the "ntp signd socket directory" option in
> > your smb.conf? If not, try manually adding it to smb.conf:
> >
> > ntp signd socket directory = /var/run/samba/ntp_signd
> >
> > Apart from that, my suggestion would be to stop apparmor and iptables
> > for testing and run ntp and samba with verbose logging on and see
> > what it says. Also, what does "w32tm /query /source" and "w32tm
> > /monitor" show on the client?
> >
> > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> >
> > ----- Original Message -----
> > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > Cc: samba@lists.samba.org
> > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > >
> > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > >
> > > Hello,
> > >
> > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > > Ubuntu 12.04. I followed the instructions on the Samba wiki
> > > ( https://wiki.samba.org/index.php/Configure_NTP ) for how to
> > > configure ntp, however the domain clients are rejecting the DCs as
> > > being acceptable time sources. Below is my ntp.conf:
> > >
> > > server 127.127.1.0
> > > fudge 127.127.1.0 stratum 10
> > > server 0.pool.ntp.org iburst prefer
> > > server 1.pool.ntp.org iburst prefer
> > > driftfile /var/lib/ntp/ntp.drift
> > > logfile /var/log/ntp
> > > ntpsigndsocket /var/run/samba/ntp_signd
> > > restrict default kod nomodify notrap nopeer mssntp
> > > restrict 127.0.0.1
> > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > >
> > > Using Ubuntu, I am not using SELinux. I do not believe there to be
> > > any problems with apparmor, as it contains these lines in
> > > /etc/apparmor.d/usr.sbin.ntpd:
> > > # samba4 ntp signing socket
> > > /{,var/}run/samba/ntp_signd/socket rw,
> > >
> > > What is the correct procedure for configuring NTP for a Samba4 AD DC?
> > >
> > > Thanks,
> > >
> > > Andrew
> > >
> > > When you compiled Samba, did you not use the standard install path
> > > (/usr/local/samba) or did you add an entry in smb.conf to use
> > > /var/run/samba/ntp_signd for the socket?
> >
> > Thomas,
> >
> > When compiling Samba, I specified custom paths to be in line with
> > Debian's conventions for file locations:
> > conf_args = \
> > --prefix=/usr \
> > --enable-fhs \
> > --sysconfdir=/etc \
> > --localstatedir=/var \
> > --with-privatedir=/var/lib/samba/private \
> > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > --with-piddir=/var/run/samba \
> > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > --with-pam \
> > --with-syslog \
> > --with-utmp \
> > --with-pam_smbpass \
> > --with-winbind \
> > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > --with-automount \
> > --with-ldap \
> > --with-ads \
> > --with-dnsupdate \
> > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > --datadir=/usr/share \
> > --with-lockdir=/var/run/samba \
> > --with-statedir=/var/lib/samba \
> > --with-cachedir=/var/cache/samba \
> > --disable-avahi \
> > --with-ctdb=/usr \
> > --disable-rpath \
> > --disable-ntdb \
> > --disable-rpath-install \
> > --bundled-libraries=NONE,pytevent,iniparser \
> > --builtin-libraries=replace,ccan \
> > --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > --without-getpass-replacement \
> > --enable-debug
> >
> > Thanks,
> >
> > Andrew
>
> Thomas,
>
> Adding that parameter to the smb.conf file, as well as removing the
> ntp_signd directory so that samba itself could create it appears to
> have worked:
> root@dc0:/# ls -l /var/run/samba/ntp_signd/
> total 0
> srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
>
> I also needed a few extra lines in ntp.conf, otherwise the Windows
> client would fail with the error "The computer did not resync because
> no time data was available":
> server 0.us.pool.ntp.org
> server 1.us.pool.ntp.org
> server 2.us.pool.ntp.org
> server 3.us.pool.ntp.org
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /var/run/samba/ntp_signd
> restrict default kod nomodify notrap nopeer mssntp
> restrict 127.0.0.1
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>
> Do the Windows clients prefer ntp information from the DHCP lease, or
> from the DC that they are connected to? My DHCP configuration currently
> is using an old NTP server until I get Samba4's NTP up and running.
> Thus, when I run w32tm /query /source on the client, it still shows the
> old server. I ran the following command to manually set it to one of
> the DCs:
> w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
>
> Then, running w32tm /resync succeeds and w32tm /query /source lists dc0
> as the NTP source.
>
> Are there any other tests I should run to verify that NTP is working
> correctly?
>
> Thanks,
>
> Andrew
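
The fix reported in this thread came down to ntpd and Samba agreeing on the ntp_signd socket directory. As an added example (not code from the thread or from the Samba project), the following Python check compares the two configuration files and can optionally confirm that the socket exists; the function names and the sample inputs are constructed for illustration.

```python
import os
import stat

# Constructed samples modelled on the settings quoted in the thread.
SAMPLE_NTP_CONF = (
    "ntpsigndsocket /var/run/samba/ntp_signd\n"
    "restrict default kod nomodify notrap nopeer mssntp\n"
)
SAMPLE_SMB_CONF = "[global]\nntp signd socket directory = /var/run/samba/ntp_signd\n"

def ntp_settings(text):
    """Return (ntpsigndsocket directory or None, True if a restrict line has mssntp)."""
    signd_dir, mssntp = None, False
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 2 and words[0] == "ntpsigndsocket":
            signd_dir = words[1]
        elif words and words[0] == "restrict" and "mssntp" in words[1:]:
            mssntp = True
    return signd_dir, mssntp

def smb_signd_dir(text):
    """Return the 'ntp signd socket directory' value from smb.conf text, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        # smb.conf keys ignore case and repeated spaces; '#'/';' lines never match
        if sep and " ".join(key.lower().split()) == "ntp signd socket directory":
            return value.strip()
    return None

def check(ntp_text, smb_text, probe_fs=False):
    """List problems that would stop ntpd from handing requests to Samba for signing."""
    problems = []
    ntp_dir, mssntp = ntp_settings(ntp_text)
    smb_dir = smb_signd_dir(smb_text)
    if ntp_dir is None:
        problems.append("ntp.conf: no ntpsigndsocket directive")
    if not mssntp:
        problems.append("ntp.conf: no restrict line carries mssntp")
    if smb_dir is None:
        problems.append("smb.conf: 'ntp signd socket directory' not set, samba uses its built-in default")
    elif ntp_dir and os.path.normpath(ntp_dir) != os.path.normpath(smb_dir):
        problems.append(f"path mismatch: ntpd={ntp_dir} samba={smb_dir}")
    if probe_fs and ntp_dir:  # only meaningful on the DC itself
        sock = os.path.join(ntp_dir, "socket")
        if not (os.path.exists(sock) and stat.S_ISSOCK(os.stat(sock).st_mode)):
            problems.append(f"{sock}: missing or not a UNIX socket")
    return problems
```

On a DC, pass the contents of the real ntp.conf and smb.conf with `probe_fs=True`; an empty list means the two daemons point at the same directory and the socket is present.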