Hi Andrew,

I've been struggling silently with this for quite a while. With pretty much an identical set-up (save for my W7 machines being handled by VirtualBox) I'm at my wit's end. A tcpdump initially revealed that the server with Samba4 (4.0.7) and NTP was being sent packets, but never returning them. Similarly, a Linux box was caught in stratum 16. Both of these problems were resolved after amending the ntp.conf file to allow IPs from a specified subnet. So in my case:

restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
Now I get this:

C:\Users\administrator>w32tm /monitor
sambaf.sambafour.LOCAL *** PDC ***[192.168.1.131:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from sambaf.sambafour.LOCAL
        RefID: mx2.trentu.ca [192.75.12.11]
        Stratum: 3
Warning: Reverse name resolution is best effort. It may not be correct since RefID field in time packets differs across NTP implementations and may not be using IP addresses.

BUT, I still get this:

C:\Users\administrator>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
The command completed successfully.

C:\Users\administrator>w32tm /query /source
Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start, register/unregister, included the signdsocket directory in both the smb and ntp configuration files. I'm really surprised to hear that you received mixed results based on how you launched the ntp service. I've had no such luck. So I'm pretty baffled. Time drift is potentially a massive issue where we deploy machines due to PEBKAC. I hate to piggyback on an issue, but any insight anyone might have would be appreciated.

On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin <amar...@xes-inc.com> wrote:

> ----- Original Message -----
> > From: "Thomas Simmons" <twsn...@gmail.com>
> > To: "Andrew Martin" <amar...@xes-inc.com>
> > Cc: samba@lists.samba.org
> > Sent: Saturday, July 27, 2013 7:07:59 PM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> >
> > Your Windows client is not able to access the NTP server, which is why
> > w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no
> > response from server in 1000ms" error when running w32tm /monitor. Why? I
> > can't say. Can you set up a Linux box to use this server for NTP and run
> > ntpdate as a test? I've seen this when there is a flaky network connection
> > (traffic, wifi, or when the DC is a VMware VM under certain situations).
> > Your DC is not a VM, is it?
> >
> > On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin <amar...@xes-inc.com> wrote:
> >
> > > ----- Original Message -----
> > > > From: "Andrew Martin" <amar...@xes-inc.com>
> > > > To: "Thomas Simmons" <twsn...@gmail.com>
> > > > Cc: samba@lists.samba.org
> > > > Sent: Saturday, July 27, 2013 2:31:21 PM
> > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > Cc: samba@lists.samba.org
> > > > > Sent: Saturday, July 27, 2013 12:26:57 PM
> > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > >
> > > > > Running "w32tm /config /update /syncfromflags:DOMHIER && net stop w32time
> > > > > && net start w32time" should make the client query the directory for its
> > > > > time server. You can verify the configuration with "w32tm /query
> > > > > /configuration" and look for the "Type" to be NT5DS. This means it's using
> > > > > AD. You can also run w32tm /monitor and the Windows time service will go
> > > > > through the processes of querying the directory to find a time server, then
> > > > > verify it's accessible. If that works, all is working. I found w32tm
> > > > > /monitor will fail if you have your domain functional level at 2008 or
> > > > > 2008_R2. I don't know if this is a bug in Samba as I haven't had time to
> > > > > test against a real 2008+ server. Just know it's to be expected.
> > > > >
> > > > > On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > > > Cc: samba@lists.samba.org
> > > > > > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > >
> > > > > > > The ls -l command you ran shows the ntp_signd directory is empty, so
> > > > > > > it looks like samba is not creating the socket (at least in that
> > > > > > > location). Do you have the "ntp signd socket directory" option in
> > > > > > > your smb.conf? If not, try adding it manually to smb.conf:
> > > > > > >
> > > > > > > ntp signd socket directory = /var/run/samba/ntp_signd
> > > > > > >
> > > > > > > Apart from that, my suggestion would be to stop apparmor and iptables
> > > > > > > for testing and run ntp and samba with verbose logging on and see
> > > > > > > what it says. Also, what does "w32tm /query /source" and "w32tm
> > > > > > > /monitor" show on the client?
> > > > > > >
> > > > > > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > > > > Cc: samba@lists.samba.org
> > > > > > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > >
> > > > > > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > > > > > > > Ubuntu 12.04.
> > > > > > > > I followed the instructions on the Samba wiki
> > > > > > > > ( https://wiki.samba.org/index.php/Configure_NTP )
> > > > > > > > for how to configure ntp, however the domain clients are rejecting
> > > > > > > > the DCs as being acceptable time sources. Below is my ntp.conf:
> > > > > > > >
> > > > > > > > server 127.127.1.0
> > > > > > > > fudge 127.127.1.0 stratum 10
> > > > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > > > logfile /var/log/ntp
> > > > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > > > restrict 127.0.0.1
> > > > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > >
> > > > > > > > Using Ubuntu, I am not using SELinux. I do not believe there to be
> > > > > > > > any problems with apparmor, as it contains these lines in
> > > > > > > > /etc/apparmor.d/usr.sbin.ntpd:
> > > > > > > > # samba4 ntp signing socket
> > > > > > > > /{,var/}run/samba/ntp_signd/socket rw,
> > > > > > > >
> > > > > > > > What is the correct procedure for configuring NTP for a Samba4 AD DC?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Andrew
> > > > > > > >
> > > > > > > > When you compiled Samba, did you not use the standard install path
> > > > > > > > (/usr/local/samba) or did you add an entry in smb.conf to use
> > > > > > > > /var/run/samba/ntp_signd for the socket?
> > > > > > >
> > > > > > > Thomas,
> > > > > > >
> > > > > > > When compiling Samba, I specified custom paths to be in line with
> > > > > > > Debian's conventions for file locations:
> > > > > > > conf_args = \
> > > > > > > --prefix=/usr \
> > > > > > > --enable-fhs \
> > > > > > > --sysconfdir=/etc \
> > > > > > > --localstatedir=/var \
> > > > > > > --with-privatedir=/var/lib/samba/private \
> > > > > > > --with-smbpasswd-file=/etc/samba/smbpasswd \
> > > > > > > --with-piddir=/var/run/samba \
> > > > > > > --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > > > > > > --with-pam \
> > > > > > > --with-syslog \
> > > > > > > --with-utmp \
> > > > > > > --with-pam_smbpass \
> > > > > > > --with-winbind \
> > > > > > > --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > > > > > > --with-automount \
> > > > > > > --with-ldap \
> > > > > > > --with-ads \
> > > > > > > --with-dnsupdate \
> > > > > > > --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > > > > > > --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > > > > > > --datadir=/usr/share \
> > > > > > > --with-lockdir=/var/run/samba \
> > > > > > > --with-statedir=/var/lib/samba \
> > > > > > > --with-cachedir=/var/cache/samba \
> > > > > > > --disable-avahi \
> > > > > > > --with-ctdb=/usr \
> > > > > > > --disable-rpath \
> > > > > > > --disable-ntdb \
> > > > > > > --disable-rpath-install \
> > > > > > > --bundled-libraries=NONE,pytevent,iniparser \
> > > > > > > --builtin-libraries=replace,ccan \
> > > > > > > --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > > > > > > --without-getpass-replacement \
> > > > > > > --enable-debug
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Andrew
> > > > > >
> > > > > > Thomas,
> > > > > >
> > > > > > Adding that parameter to the smb.conf file, as well as removing the
> > > > > > ntp_signd directory so that samba itself could create it, appears to
> > > > > > have worked:
> > > > > > root@dc0:/# ls -l /var/run/samba/ntp_signd/
> > > > > > total 0
> > > > > > srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
> > > > > >
> > > > > > I also needed a few extra lines in ntp.conf, otherwise the Windows
> > > > > > client would fail with the error "The computer did not resync because
> > > > > > no time data was available":
> > > > > > server 0.us.pool.ntp.org
> > > > > > server 1.us.pool.ntp.org
> > > > > > server 2.us.pool.ntp.org
> > > > > > server 3.us.pool.ntp.org
> > > > > > server 127.127.1.0
> > > > > > fudge 127.127.1.0 stratum 10
> > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > logfile /var/log/ntp
> > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > restrict 127.0.0.1
> > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > >
> > > > > > Do the Windows clients prefer ntp information from the DHCP lease, or
> > > > > > from the DC that they are connected to? My DHCP configuration currently
> > > > > > is using an old NTP server until I get Samba4's NTP up and running.
> > > > > > Thus, when I run w32tm /query /source on the client, it still shows the
> > > > > > old server. I ran the following command to manually set it to one of
> > > > > > the DCs:
> > > > > > w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
> > > > > >
> > > > > > Then, running w32tm /resync succeeds and w32tm /query /source lists
> > > > > > dc0 as the NTP source.
> > > > > >
> > > > > > Are there any other tests I should run to verify that NTP is working
> > > > > > correctly?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Andrew
> > > >
> > > > Thomas,
> > > >
> > > > After following your instructions, I have verified that the type is
> > > > listed as NT5DS. Thanks again for your help in getting this working!
> > > >
> > > > Regarding DHCP settings, is it okay to have the DHCP lease push out
> > > > NTP settings (e.g. they'll just get overridden by the DC), or should I
> > > > completely remove NTP settings in dhcpd.conf for all domain members?
> > > >
> > > > Thanks,
> > > >
> > > > Andrew
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
> > >
> > > Thomas,
> > >
> > > I now notice that w32tm /resync does not work, failing with the error
> > > "The computer did not resync because no time data was available". As I
> > > mentioned in my last message, w32tm /monitor correctly shows all 3 of my
> > > Samba4 DCs (although one of them is currently offline):
> > > dc0.mydomain.com *** PDC ***[192.168.0.101:123]:
> > >     ICMP: 0ms delay
> > >     NTP: +0.0000000s offset from dc0.x-es.com
> > >         RefID: vimo.dorui.net [97.107.128.58]
> > >         Stratum: 4
> > >
> > > DC1.mydomain.com *** PDC ***[192.168.0.102:123]:
> > >     ICMP: 0ms delay
> > >     NTP: +0.0049947s offset from dc0.x-es.com
> > >         RefID: 'INIT' [0x54494E49]
> > >         Stratum: 0
> > >
> > > DCT.mydomain.com *** PDC ***[192.168.0.103:123]:
> > >     ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
> > >     NTP: ERROR_TIMEOUT - no response from server in 1000ms
> > >
> > > Does the w32tm /resync command simply not operate correctly in a domain
> > > environment (even though it returns an error, domain time sync is
> > > working)?
> > >
> > > Thanks,
> > >
> > > Andrew
>
> Thomas,
>
> The "NTP: ERROR_TIMEOUT - no response from server in 1000ms" error from my
> previous message only occurred on 1 of 3 DCs, dct, because it is currently
> offline. I verified with "w32tm /query /source" that the Windows client I am
> using is connecting to dc1, which is online. The default parameters that ntpd
> is run with on dc1 are:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:113
>
> 106 and 113 are the ntp user and ntp group respectively. Running several
> variations of these arguments, I find that the Windows client can sync
> without error (using w32tm /resync) when the following arguments are used:
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g (running as root:root)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106 (running as the ntp user but not specifying the group)
> /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 0:113 (running as root:ntp)
>
> However, running with "-g 106:113" causes the Windows client to be unable to
> connect. A Linux client running ntpdate can connect under all of these
> circumstances. Running ntpd in the foreground did not print any errors or
> differing messages when run with these different arguments.
>
> I believe the problem is that /var/run/samba/ntp_signd/socket is owned by
> root:root:
> root@dc1:# ls -l /var/run/samba/ntp_signd/socket
> srwxrwxrwx 1 root root 0 Jul 27 11:39 /var/run/samba/ntp_signd/socket
>
> I can also verify that the samba process using the socket is running as
> root:root:
> root@dc1:# lsof | grep /var/run/samba/ntp_signd/socket
> samba 7401 root 21u unix 0xffff880130777400 0t0 739534 /var/run/samba/ntp_signd/socket
> root@dc1:# ps -eo "%p %c %u %g" | grep 7401
> 7401 samba root root
>
> Is it acceptable to run ntp as root:root instead of ntp:ntp? It seems that
> would solve this problem, though I am not aware of the full security
> implications of running the ntp daemon as root.
>
> As a side note, these DCs are in fact VMs (KVM is the hypervisor).
>
> Thanks,
>
> Andrew
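As an added illustration (not code from the thread, from Samba or from ntpd), the Python below resolves which restrict entry governs a given client the way ntpd does, by most specific match. It shows that a LAN-specific line without mssntp, like the one in the first message, takes the Windows clients out of the signed-response path even though restrict default still carries the flag, which is worth checking before changing the account ntpd runs as. The sample configurations are constructed from the ntp.conf fragments quoted in the thread; hostname entries are skipped because they cannot be resolved offline.

```python
import ipaddress

# Constructed sample: the ntp.conf fragment quoted in the thread (trimmed).
DC_CONF = """\
server 127.127.1.0
fudge 127.127.1.0 stratum 10
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""
# The same file with the LAN-specific line from the first message appended.
SUBNET_CONF = DC_CONF + "restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer\n"

def parse_restricts(conf_text):
    """(network, flags) for each restrict line: 'default' is 0.0.0.0/0, a bare
    address is one host, and hostname entries are skipped (not resolved offline)."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        target, flags = words[1], words[2:]
        mask = None
        if len(flags) >= 2 and flags[0] == "mask":
            mask, flags = flags[1], flags[2:]
        try:
            if target == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                net = ipaddress.ip_network(f"{target}/{mask}" if mask else target, strict=False)
        except ValueError:
            continue  # hostname such as 0.pool.ntp.org
        entries.append((net, set(flags)))
    return entries

def effective_flags(conf_text, client_ip):
    """Flags ntpd applies to client_ip: only the most specific (longest prefix)
    matching entry counts; flags on 'default' are not inherited by it."""
    addr = ipaddress.ip_address(client_ip)
    matches = [e for e in parse_restricts(conf_text) if addr in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else set()

def signs_for_client(conf_text, client_ip):
    """True when the governing entry carries mssntp, so ntpd hands the reply to
    Samba's ntp_signd socket for MS-SNTP signing before answering the client."""
    return "mssntp" in effective_flags(conf_text, client_ip)
```

Run `signs_for_client(SUBNET_CONF, "192.168.1.140")` against your own ntp.conf text and a domain member's address to see which entry actually applies to it.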