On 09/08/2023 18:44, Michael Tokarev via samba wrote:> 09.08.2023 20:41, Michael Tokarev ?????: >> 09.08.2023 20:26, Elias Pereira via samba ?????: >>> hello, >>> >>> The wiki configuration for ntp does not work with this >>> configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it >>> didn't >>> work. >>> >>> I had to remove the "notrap" and "mssntp" options so that the Windows >>> clients could synchronize with the DCs again. >>> >>> # Access control >>> # Default restriction: Allow clients only to query the time >>> restrict default kod nomodify notrap nopeer limited mssntp > > FWIW, I have: > ?restrict default kod nomodify nopeer noquery limitedOn your DCs, you should have 'mssntp' on the end of that line and also have a line similar to this: ntpsigndsocket /var/lib/samba/ntp_signd Rowland
With "mssntp" it does not work. On Wed, Aug 9, 2023 at 2:55?PM Rowland Penny via samba < samba at lists.samba.org> wrote:> > > On 09/08/2023 18:44, Michael Tokarev via samba wrote: > > 09.08.2023 20:41, Michael Tokarev ?????: > >> 09.08.2023 20:26, Elias Pereira via samba ?????: > >>> hello, > >>> > >>> The wiki configuration for ntp does not work with this > >>> configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it > >>> didn't > >>> work. > >>> > >>> I had to remove the "notrap" and "mssntp" options so that the Windows > >>> clients could synchronize with the DCs again. > >>> > >>> # Access control > >>> # Default restriction: Allow clients only to query the time > >>> restrict default kod nomodify notrap nopeer limited mssntp > > > > FWIW, I have: > > restrict default kod nomodify nopeer noquery limited > > On your DCs, you should have 'mssntp' on the end of that line and also > have a line similar to this: > > ntpsigndsocket /var/lib/samba/ntp_signd > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Elias Pereira
On 09.08.2023 19:54, Rowland Penny via samba wrote:> > > On 09/08/2023 18:44, Michael Tokarev via samba wrote: >> 09.08.2023 20:41, Michael Tokarev ?????: >>> 09.08.2023 20:26, Elias Pereira via samba ?????: >>>> hello, >>>> >>>> The wiki configuration for ntp does not work with this >>>> configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it >>>> didn't >>>> work. >>>> >>>> I had to remove the "notrap" and "mssntp" options so that the Windows >>>> clients could synchronize with the DCs again. >>>> >>>> # Access control >>>> # Default restriction: Allow clients only to query the time >>>> restrict default kod nomodify notrap nopeer limited mssntp >> >> FWIW, I have: >> ??restrict default kod nomodify nopeer noquery limited > > On your DCs, you should have 'mssntp' on the end of that line and also > have a line similar to this: > > ntpsigndsocket /var/lib/samba/ntp_signd > > Rowland >Hi, I assume that you cannot synchronize a Windows client with a DC using the setting "w32tm /config /syncfromflags:domhier", if ntpsignd and mssntp is missing. I haven't tested it, however. Well, you could always setup a GPO synchronizing clients with whatever NTP servers you want using "w32tm /config /manualpeerlist:"server server server". Maybe it's a better and more fault tolerant solution. But in a scenario where there's no internet connection, you're out of luck. After my battle with ntpsec yesterday, I have switched to Chrony permanently. Best regards, Peter