----- Original Message -----
> From: "Jason MacChesney" <jason.macches...@ecacs16.ab.ca>
> To: "Andrew Martin" <amar...@xes-inc.com>
> Cc: "Thomas Simmons" <twsn...@gmail.com>, samba@lists.samba.org
> Sent: Wednesday, July 31, 2013 2:24:35 PM
> Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
>
> Hi Andrew, I've been struggling silently with this for quite a while.
> With pretty much an identical set-up (save for my W7 machines being
> handled by VirtualBox) I'm at my wit's end. A tcpdump initially
> revealed that the server with Samba4(.0.7) and NTP was being sent
> packets, but never returning them. Similarly, a Linux box was caught
> in stratum 16. Both of these problems were resolved after amending
> the ntp.conf file to allow IPs from a specified subnet. So in my
> case:
>
> restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
>
> Now I get this:
>
> C:\Users\administrator>w32tm /monitor
> sambaf.sambafour.LOCAL *** PDC ***[ 192.168.1.131:123 ]:
>     ICMP: 0ms delay
>     NTP: +0.0000000s offset from sambaf.sambafour.LOCAL
>         RefID: mx2.trentu.ca [192.75.12.11]
>         Stratum: 3
> Warning:
> Reverse name resolution is best effort. It may not be
> correct since RefID field in time packets differs across
> NTP implementations and may not be using IP addresses.
>
> BUT, I still get this:
>
> C:\Users\administrator>w32tm /resync /rediscover
> Sending resync command to local computer
> The computer did not resync because no time data was available.
>
> C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
> The command completed successfully.
>
> C:\Users\administrator>w32tm /query /source
> Local CMOS Clock
>
> Tried it all. Disabled Windows firewalls, set iptables, net
> stop/start, register/unregister, included the signdsocket directory
> in both the smb and ntp configuration files.
> I'm really surprised to hear that you received mixed results based on
> how you launched the ntp service. I've had no such luck.
>
> So I'm pretty baffled. Time drift is potentially a massive issue
> where we deploy machines due to PEBKAC. I hate to piggyback on an
> issue, but any insight anyone might have would be appreciated.
>
> On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin <amar...@xes-inc.com> wrote:
>
> > ----- Original Message -----
> > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > Cc: samba@lists.samba.org
> > > Sent: Saturday, July 27, 2013 7:07:59 PM
> > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > >
> > > Your Windows client is not able to access the NTP server, which is
> > > why w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no
> > > response from server in 1000ms" error when running w32tm /monitor.
> > > Why? I can't say. Can you set up a Linux box to use this server for NTP
> > > and run ntpdate as a test? I've seen this when there is a flaky network
> > > connection (traffic, wifi, or when the DC is a VMware VM under certain
> > > situations). Your DC is not a VM, is it?
> > >
> > > On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin <amar...@xes-inc.com> wrote:
> > >
> > > > ----- Original Message -----
> > > > > From: "Andrew Martin" <amar...@xes-inc.com>
> > > > > To: "Thomas Simmons" <twsn...@gmail.com>
> > > > > Cc: samba@lists.samba.org
> > > > > Sent: Saturday, July 27, 2013 2:31:21 PM
> > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > > Cc: samba@lists.samba.org
> > > > > > Sent: Saturday, July 27, 2013 12:26:57 PM
> > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > Running "w32tm /config /update /syncfromflags:DOMHIER && net stop
> > > > > > w32time && net start w32time" should make the client query the
> > > > > > directory for its time server. You can verify the configuration
> > > > > > with "w32tm /query /configuration" and look for the "Type" to be
> > > > > > NT5DS. This means it's using AD. You can also run w32tm /monitor
> > > > > > and the Windows time service will go through the processes of
> > > > > > querying the directory to find a time server, then verify it's
> > > > > > accessible. If that works, all is working. I found w32tm /monitor
> > > > > > will fail if you have your domain functional level at 2008 or
> > > > > > 2008_R2. I don't know if this is a bug in Samba as I haven't had
> > > > > > time to test against a real 2008+ server. Just know it's to be
> > > > > > expected.
> > > > > >
> > > > > > On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > > > > Cc: samba@lists.samba.org
> > > > > > > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > >
> > > > > > > > The ls -l command you ran shows the ntp_signd directory is
> > > > > > > > empty, so it looks like samba is not creating the socket (at
> > > > > > > > least in that location). Do you have the "ntp signd socket
> > > > > > > > directory" option in your smb.conf? If not, try manually
> > > > > > > > adding it to smb.conf:
> > > > > > > >
> > > > > > > > ntp signd socket directory = /var/run/samba/ntp_signd
> > > > > > > >
> > > > > > > > Apart from that, my suggestion would be to stop apparmor and
> > > > > > > > iptables for testing and run ntp and samba with verbose
> > > > > > > > logging on and see what it says. Also, what does "w32tm
> > > > > > > > /query /source" and "w32tm /monitor" show on the client?
> > > > > > > >
> > > > > > > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Thomas Simmons" <twsn...@gmail.com>
> > > > > > > > > > To: "Andrew Martin" <amar...@xes-inc.com>
> > > > > > > > > > Cc: samba@lists.samba.org
> > > > > > > > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > > > >
> > > > > > > > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello,
> > > > > > > > > > >
> > > > > > > > > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it
> > > > > > > > > > > on Ubuntu 12.04. I followed the instructions on the Samba wiki
> > > > > > > > > > > (https://wiki.samba.org/index.php/Configure_NTP) for how to
> > > > > > > > > > > configure ntp, however the domain clients are rejecting the
> > > > > > > > > > > DCs as being acceptable time sources. Below is my ntp.conf:
> > > > > > > > > > >
> > > > > > > > > > > server 127.127.1.0
> > > > > > > > > > > fudge 127.127.1.0 stratum 10
> > > > > > > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > > > > > > logfile /var/log/ntp
> > > > > > > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > > > > > > restrict 127.0.0.1
> > > > > > > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > > > > >
> > > > > > > > > > > Using Ubuntu, I am not using SELinux. I do not believe there to
> > > > > > > > > > > be any problems with apparmor, as it contains these lines in
> > > > > > > > > > > /etc/apparmor.d/usr.sbin.ntpd:
> > > > > > > > > > > # samba4 ntp signing socket
> > > > > > > > > > > /{,var/}run/samba/ntp_signd/socket rw,
> > > > > > > > > > >
> > > > > > > > > > > What is the correct procedure for configuring NTP for a Samba4 AD
> > > > > > > > > > > DC?
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Andrew
> > > > > > > > > >
> > > > > > > > > > When you compiled Samba, did you not use the standard install
> > > > > > > > > > path (/usr/local/samba) or did you add an entry in smb.conf to
> > > > > > > > > > use /var/run/samba/ntp_signd for the socket?
> > > > > > > > > Thomas,
> > > > > > > > >
> > > > > > > > > When compiling Samba, I specified custom paths to be in line with
> > > > > > > > > Debian's conventions for file locations:
> > > > > > > > >
> > > > > > > > > conf_args = \
> > > > > > > > >     --prefix=/usr \
> > > > > > > > >     --enable-fhs \
> > > > > > > > >     --sysconfdir=/etc \
> > > > > > > > >     --localstatedir=/var \
> > > > > > > > >     --with-privatedir=/var/lib/samba/private \
> > > > > > > > >     --with-smbpasswd-file=/etc/samba/smbpasswd \
> > > > > > > > >     --with-piddir=/var/run/samba \
> > > > > > > > >     --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
> > > > > > > > >     --with-pam \
> > > > > > > > >     --with-syslog \
> > > > > > > > >     --with-utmp \
> > > > > > > > >     --with-pam_smbpass \
> > > > > > > > >     --with-winbind \
> > > > > > > > >     --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
> > > > > > > > >     --with-automount \
> > > > > > > > >     --with-ldap \
> > > > > > > > >     --with-ads \
> > > > > > > > >     --with-dnsupdate \
> > > > > > > > >     --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
> > > > > > > > >     --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
> > > > > > > > >     --datadir=/usr/share \
> > > > > > > > >     --with-lockdir=/var/run/samba \
> > > > > > > > >     --with-statedir=/var/lib/samba \
> > > > > > > > >     --with-cachedir=/var/cache/samba \
> > > > > > > > >     --disable-avahi \
> > > > > > > > >     --with-ctdb=/usr \
> > > > > > > > >     --disable-rpath \
> > > > > > > > >     --disable-ntdb \
> > > > > > > > >     --disable-rpath-install \
> > > > > > > > >     --bundled-libraries=NONE,pytevent,iniparser \
> > > > > > > > >     --builtin-libraries=replace,ccan \
> > > > > > > > >     --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
> > > > > > > > >     --without-getpass-replacement \
> > > > > > > > >     --enable-debug
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Andrew
> > > > > > >
> > > > > > > Thomas,
> > > > > > >
> > > > > > > Adding that parameter to the smb.conf file, as well as removing the
> > > > > > > ntp_signd directory so that samba itself could create it, appears to
> > > > > > > have worked:
> > > > > > >
> > > > > > > root@dc0:/# ls -l /var/run/samba/ntp_signd/
> > > > > > > total 0
> > > > > > > srwxrwxrwx 1 root root 0 Jul 27 11:41 socket
> > > > > > >
> > > > > > > I also needed a few extra lines in ntp.conf, otherwise the Windows
> > > > > > > client would fail with the error "The computer did not resync because
> > > > > > > no time data was available":
> > > > > > >
> > > > > > > server 0.us.pool.ntp.org
> > > > > > > server 1.us.pool.ntp.org
> > > > > > > server 2.us.pool.ntp.org
> > > > > > > server 3.us.pool.ntp.org
> > > > > > > server 127.127.1.0
> > > > > > > fudge 127.127.1.0 stratum 10
> > > > > > > server 0.pool.ntp.org iburst prefer
> > > > > > > server 1.pool.ntp.org iburst prefer
> > > > > > > driftfile /var/lib/ntp/ntp.drift
> > > > > > > logfile /var/log/ntp
> > > > > > > ntpsigndsocket /var/run/samba/ntp_signd
> > > > > > > restrict default kod nomodify notrap nopeer mssntp
> > > > > > > restrict 127.0.0.1
> > > > > > > restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > > restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> > > > > > >
> > > > > > > Do the Windows clients prefer ntp information from the DHCP lease, or
> > > > > > > from the DC that they are connected to? My DHCP configuration
> > > > > > > currently is using an old NTP server until I get Samba4's NTP up and
> > > > > > > running. Thus, when I run w32tm /query /source on the client, it
> > > > > > > still shows the old server. I ran the following command to manually
> > > > > > > set it to one of the DCs:
> > > > > > >
> > > > > > > w32tm /config /update /manualpeerlist:dc0 /syncfromflags:MANUAL
> > > > > > >
> > > > > > > Then, running w32tm /resync succeeds and w32tm /query /source lists
> > > > > > > dc0 as the NTP source.
> > > > > > >
> > > > > > > Are there any other tests I should run to verify that NTP is working
> > > > > > > correctly?
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Andrew
> > > > >
> > > > > Thomas,
> > > > >
> > > > > After following your instructions, I have verified that the type is
> > > > > listed as NT5DS. Thanks again for your help in getting this working!
> > > > >
> > > > > Regarding DHCP settings, is it okay to have the DHCP lease push out
> > > > > NTP settings (e.g. they'll just get overridden by the DC), or should I
> > > > > completely remove NTP settings in dhcpd.conf for all domain members?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Andrew
> > > > > --
> > > > > To unsubscribe from this list go to the following URL and read the
> > > > > instructions: https://lists.samba.org/mailman/options/samba
> > > >
> > > > Thomas,
> > > >
> > > > I now notice that w32tm /resync does not work, failing with the error
> > > > "The computer did not resync because no time data was available". As I
> > > > mentioned in my last message, w32tm /monitor correctly shows all 3 of my
> > > > Samba4 DCs (although one of them is currently offline):
> > > >
> > > > dc0.mydomain.com *** PDC ***[ 192.168.0.101:123 ]:
> > > >     ICMP: 0ms delay
> > > >     NTP: +0.0000000s offset from dc0.x-es.com
> > > >         RefID: vimo.dorui.net [97.107.128.58]
> > > >         Stratum: 4
> > > >
> > > > DC1.mydomain.com *** PDC ***[ 192.168.0.102:123 ]:
> > > >     ICMP: 0ms delay
> > > >     NTP: +0.0049947s offset from dc0.x-es.com
> > > >         RefID: 'INIT' [0x54494E49]
> > > >         Stratum: 0
> > > >
> > > > DCT.mydomain.com *** PDC ***[ 192.168.0.103:123 ]:
> > > >     ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
> > > >     NTP: ERROR_TIMEOUT - no response from server in 1000ms
> > > >
> > > > Does the w32tm /resync command simply not operate correctly in a domain
> > > > environment (even though it returns an error, domain time sync is
> > > > working)?
> > > >
> > > > Thanks,
> > > >
> > > > Andrew
> >
> > Thomas,
> >
> > The "NTP: ERROR_TIMEOUT - no response from server in 1000ms" error from
> > my previous message only occurred on 1 of 3 DCs, dct, because it is
> > currently offline. I verified with "w32tm /query /source" that the
> > Windows client I am using is connecting to dc1, which is online. The
> > default parameters that ntpd is run with on dc1 are:
> >
> > /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:113
> >
> > 106 and 113 are the ntp user and ntp group respectively. Running several
> > variations of these arguments, I find that the Windows client can sync
> > without error (using w32tm /resync) when the following arguments are
> > used:
> >
> > /usr/sbin/ntpd -p /var/run/ntpd.pid -g (running as root:root)
> > /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106 (running as the ntp user but not specifying the group)
> > /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 0:113 (running as root:ntp)
> >
> > However, running with "-g 106:113" causes the Windows client to be
> > unable to connect. A Linux client running ntpdate can connect under all
> > of these circumstances. Running ntpd in the foreground did not print any
> > errors or differing messages when run with these different arguments.
> >
> > I believe the problem is that /var/run/samba/ntp_signd/socket is owned
> > by root:root:
> >
> > root@dc1:# ls -l /var/run/samba/ntp_signd/socket
> > srwxrwxrwx 1 root root 0 Jul 27 11:39 /var/run/samba/ntp_signd/socket
> >
> > I can also verify that the samba process using the socket is running as
> > root:root:
> >
> > root@dc1:# lsof | grep /var/run/samba/ntp_signd/socket
> > samba 7401 root 21u unix 0xffff880130777400 0t0 739534 /var/run/samba/ntp_signd/socket
> > root@dc1:# ps -eo "%p %c %u %g" | grep 7401
> > 7401 samba root root
> >
> > Is it acceptable to run ntp as root:root instead of ntp:ntp? It seems
> > that would solve this problem, though I am not aware of the full security
> > implications of running the ntp daemon as root.
> >
> > As a side note, these DCs are in fact VMs (KVM is the hypervisor).
> >
> > Thanks,
> >
> > Andrew

Jason,
A couple of things to test:

- does it make any difference if you set it manually to point at one of
  your DCs using
  w32tm /config /update /manualpeerlist:192.168.xxx.xxx /syncfromflags:MANUAL
- does the socket file actually exist on your DCs?
- are you running ntpd as root?

Thanks,

Andrew
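The thread's ntp.conf fragments combine two kinds of restrict line: Andrew's "restrict default kod nomodify notrap nopeer mssntp" (mssntp is the flag that makes ntpd sign replies for matching clients through the Samba ntp_signd socket) and Jason's narrower "restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer". Because ntpd applies the most specific matching entry, a LAN client can end up under the subnet line's flags rather than the default line's. The script below is an added example, not code from the thread or from Samba/ntpd: it parses the IPv4 restrict lines of an ntp.conf (the sample is constructed from lines in the thread; hostname entries are skipped because resolving them needs DNS) and reports which flags apply to a given client address.

```python
import ipaddress
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample: Andrew's "restrict default ... mssntp" line together
# with the subnet line Jason added, plus a hostname line that gets skipped.
SAMPLE_NTP_CONF = """\
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""

Rule = Tuple[ipaddress.IPv4Network, FrozenSet[str]]


def parse_restrict_lines(conf: str) -> List[Rule]:
    """Return (network, flags) for every IPv4 'restrict' line in conf.
    Hostname entries such as 0.pool.ntp.org are skipped: ntpd resolves
    them at startup, which this offline check cannot do."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, flags = words[1], words[2:]
        if addr == "default":                     # 'default' is 0.0.0.0/0
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"              # no 'mask' => single host
            if len(flags) >= 2 and flags[0] == "mask":
                mask, flags = flags[1], flags[2:]
            try:
                net = ipaddress.IPv4Network((addr, mask), strict=False)
            except ValueError:                    # hostname or bad literal
                continue
        rules.append((net, frozenset(flags)))
    return rules


def flags_for_client(rules: List[Rule], client: str) -> Optional[FrozenSet[str]]:
    """Flags ntpd applies to client: the most specific (longest-mask) match wins."""
    ip = ipaddress.IPv4Address(client)
    matches = [r for r in rules if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def mssntp_enabled(conf: str, client: str) -> bool:
    """True if signed (MS-SNTP) replies are enabled for this client address."""
    flags = flags_for_client(parse_restrict_lines(conf), client)
    return flags is not None and "mssntp" in flags
```

With the sample, a client at 192.168.1.140 falls under Jason's subnet line and gets no mssntp, while 192.168.1.50 falls through to the default line and does.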