samba - Jun 2024 - Time sync problem samba 4.20.0 chrony debian11

Dear all,

we are running two samba 4.20 on debian 11(as dcs) with  chrony/oldstable,now
4.0-8+deb11u2 amd64 as ntpserver.
Our clients are windows 11 and windows 10 machines. A few of them where in an
old samba 4 domain without any time issues (ntp/centos7)!?
What we see, ist hat none of them syncs his time excactly from our dcs. There is
a difference from 2 to 10 minutes. Can you point us to find the error?

Our chrony.conf just the same of both dcs but bindcmaddress is different:

keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
log tracking measurements statistics
logdir /var/log/chrony
maxupdateskew 100.0
hwclockfile /etc/adjtime
rtcsync
makestep 1 3
# ipaddress of this DC
bindcmdaddress our.samba.dc.loc
# The source, where we are receiving the time from
server 0.pool.ntp.org     iburst
server 1.pool.ntp.org     iburst
server 2.pool.ntp.org     iburst
# dns netmask
allow 192.168.135.0/24
allow 192.168.134.0/24
allow 192.168.50.0/24
allow 192.168.131.0/24
allow 192.168.139.0/24
allow 192.168.140.0/24
allow 0.0.0.0/0
ntpsigndsocket  /var/lib/samba/ntp_signd
confdir /etc/chrony/conf.d

Verifying  rights to use signed socket:
root at dommaster:~# ls -ld /var/lib/samba/ntp_signd
drwxr-x--- 2 root _chrony 4096  8. Mai 07:26 /var/lib/samba/ntp_signd

Show chrony status, running:

service chrony status
? chrony.service - chrony, an NTP client/server
     Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset:
enabled)
     Active: active (running) since Mon 2024-06-17 16:06:43 CEST; 5s ago
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
    Process: 926202 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited,
status=0/SUCCESS)
   Main PID: 926206 (chronyd)
      Tasks: 2 (limit: 154241)
     Memory: 1.2M
        CPU: 35ms
     CGroup: /system.slice/chrony.service
             ??926206 /usr/sbin/chronyd -F 1
             ??926207 /usr/sbin/chronyd -F 1

Jun 17 16:06:43 dommaster systemd[1]: Starting chrony, an NTP client/server...
Jun 17 16:06:43 dommaster chronyd[926206]: chronyd version 4.0 starting (+CMDMON
+NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND >
Jun 17 16:06:43 dommaster chronyd[926206]: Frequency 26.454 +/- 0.158 ppm read
from /var/lib/chrony/chrony.drift
Jun 17 16:06:43 dommaster chronyd[926206]: MS-SNTP authentication enabled
Jun 17 16:06:43 dommaster chronyd[926206]: Loaded seccomp filter
Jun 17 16:06:43 dommaster systemd[1]: Started chrony, an NTP client/server.

tcpdump udp port 123
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:22:47.608803 IP pc2304.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
length                           120
16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
length 120

What we see on our Windows clients, without the right time is set:

w32tm /monitor
dommaster.tlk.loc *** PDC ***[192.168.135.206:123]:
    ICMP: 0ms Verz?gerung
    NTP: +0.0000000s Offset von dommaster.tlk.loc
        RefID: time.convar.net [213.206.165.21]
        Stratum: 3
dom2.tlk.loc[192.168.134.36:123]:
    ICMP: 0ms Verz?gerung
    NTP: +0.0216667s Offset von dommaster.tlk.loc
        RefID: eth2-1201.fsn-lf-e02.productsup.int [185.252.140.126]
        Stratum: 3

w32tm /query /source
Local CMOS Clock

w32tm /query /status
Sprungindikator: 3(nicht synchronisiert)
Stratum: 0 (nicht angegeben)
Pr?zision: -23 (119.209ns pro Tick)
Stammverz?gerung: 0.0000000s
Stammabweichung: 0.0000000s
Referenz-ID: 0x00000000 (nicht angegeben)
Letzte erfolgr. Synchronisierungszeit: nicht angegeben
Quelle: Local CMOS Clock
Abrufintervall: 10 (1024s)

w32tm /query /configuration
[Konfiguration]

EventLogFlags: 2 (Lokal)
AnnounceFlags: 10 (Lokal)
TimeJumpAuditOffset: 28800 (Lokal)
MinPollInterval: 10 (Lokal)
MaxPollInterval: 15 (Lokal)
MaxNegPhaseCorrection: 4294967295 (Lokal)
MaxPosPhaseCorrection: 4294967295 (Lokal)
MaxAllowedPhaseOffset: 300 (Lokal)

FrequencyCorrectRate: 4 (Lokal)
PollAdjustFactor: 5 (Lokal)
LargePhaseOffset: 50000000 (Lokal)
SpikeWatchPeriod: 900 (Lokal)
LocalClockDispersion: 10 (Lokal)
HoldPeriod: 5 (Lokal)
PhaseCorrectRate: 1 (Lokal)
UpdateInterval: 30000 (Lokal)

FileLogName:  (Lokal)
FileLogEntries: 0-300 (Lokal)
FileLogSize: 16777216 (Lokal)

[Zeitanbieter]

NtpClient (Lokal)
DllName: C:\windows\system32\w32time.dll (Lokal)
Enabled: 1 (Lokal)
InputProvider: 1 (Lokal)
CrossSiteSyncFlags: 2 (Lokal)
AllowNonstandardModeCombinations: 1 (Lokal)
ResolvePeerBackoffMinutes: 15 (Lokal)
ResolvePeerBackoffMaxTimes: 7 (Lokal)
CompatibilityFlags: 2147483648 (Lokal)
EventLogFlags: 1 (Lokal)
LargeSampleSkew: 3 (Lokal)
SpecialPollInterval: 3600 (Lokal)
Type: NT5DS (Lokal)

NtpServer (Lokal)
DllName: C:\windows\system32\w32time.dll (Lokal)
Enabled: 0 (Lokal)
InputProvider: 0 (Lokal)

C:\Users\administrator.TLK>w32tm /resync /nowait
Befehl zum erneuten Synchronisieren wird an den lokalen Computer gesendet.
Der Befehl wurde erfolgreich ausgef?hrt.

C:\Users\administrator.TLK>w32tm /query /status
Sprungindikator: 3(nicht synchronisiert)
Stratum: 0 (nicht angegeben)
Pr?zision: -23 (119.209ns pro Tick)
Stammverz?gerung: 0.0000000s
Stammabweichung: 0.0000000s
Referenz-ID: 0x00000000 (nicht angegeben)
Letzte erfolgr. Synchronisierungszeit: nicht angegeben
Quelle: Local CMOS Clock
Abrufintervall: 10 (1024s)

The log File on a windows 10 pc:
154665 13:43:18.8148252s - Computed Secure Time:
154665 13:46:30.4880028s - ---------- Log File Opened -----------------
154665 13:46:30.4882081s - Initializing Data IO
154665 13:46:30.4884036s - Initializing compute
154665 13:46:30.4884672s - Successfully opened handles to VM Generation counters
154665 13:46:30.4884807s - Failed to read vm genId counter. error: 0x00000006n
154665 13:46:30.4884898s - Secure Time Aggregation initialization complete
154665 13:46:30.5122261s - Computed Secure Time:
154665 13:46:30.6142804s - Computed Secure Time:
154665 13:46:30.6202869s - Computed Secure Time:
154665 13:46:30.8519384s - Computed Secure Time:
154665 13:46:32.0122878s - Computed Secure Time:
154665 13:51:32.0040470s - Computed Secure Time:

Greetings
Daniel

On Mon, 17 Jun 2024 16:23:40 +0200
Daniel M?ller via samba <samba at lists.samba.org> wrote:
> Dear all,
> 
> we are running two samba 4.20 on debian 11(as dcs) with
> chrony/oldstable,now 4.0-8+deb11u2 amd64 as ntpserver. Our clients
> are windows 11 and windows 10 machines. A few of them where in an old
> samba 4 domain without any time issues (ntp/centos7)!? What we see,
> ist hat none of them syncs his time excactly from our dcs. There is a
> difference from 2 to 10 minutes. Can you point us to find the error?
> 
> Our chrony.conf just the same of both dcs but bindcmaddress is
> different:
> 
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> log tracking measurements statistics
> logdir /var/log/chrony
> maxupdateskew 100.0
> hwclockfile /etc/adjtime
> rtcsync
> makestep 1 3
> # ipaddress of this DC
> bindcmdaddress our.samba.dc.loc
Is that sanitising a FQDN or an IP, because it should be an IP
 
> # The source, where we are receiving the time from
> server 0.pool.ntp.org     iburst
> server 1.pool.ntp.org     iburst
> server 2.pool.ntp.org     iburst
> # dns netmask
> allow 192.168.135.0/24
> allow 192.168.134.0/24
> allow 192.168.50.0/24
> allow 192.168.131.0/24
> allow 192.168.139.0/24
> allow 192.168.140.0/24
> allow 0.0.0.0/0
> ntpsigndsocket  /var/lib/samba/ntp_signd
> confdir /etc/chrony/conf.d
Apart from the line I asked the question about, there doesn't seem to
be anything wrong.
> 
> Verifying  rights to use signed socket:
> root at dommaster:~# ls -ld /var/lib/samba/ntp_signd
> drwxr-x--- 2 root _chrony 4096  8. Mai 07:26 /var/lib/samba/ntp_signd
> 
> Show chrony status, running:
> 
> service chrony status
> ? chrony.service - chrony, an NTP client/server
>      Loaded: loaded (/lib/systemd/system/chrony.service; enabled;
> vendor preset: enabled) Active: active (running) since Mon 2024-06-17
> 16:06:43 CEST; 5s ago Docs: man:chronyd(8)
>              man:chronyc(1)
>              man:chrony.conf(5)
>     Process: 926202 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
> (code=exited, status=0/SUCCESS) Main PID: 926206 (chronyd)
>       Tasks: 2 (limit: 154241)
>      Memory: 1.2M
>         CPU: 35ms
>      CGroup: /system.slice/chrony.service
>              ??926206 /usr/sbin/chronyd -F 1
>              ??926207 /usr/sbin/chronyd -F 1
> 
> Jun 17 16:06:43 dommaster systemd[1]: Starting chrony, an NTP
> client/server... Jun 17 16:06:43 dommaster chronyd[926206]: chronyd
> version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER
> +SIGND > Jun 17 16:06:43 dommaster chronyd[926206]: Frequency 26.454
> +/- 0.158 ppm read from /var/lib/chrony/chrony.drift Jun 17 16:06:43
> dommaster chronyd[926206]: MS-SNTP authentication enabled Jun 17
> 16:06:43 dommaster chronyd[926206]: Loaded seccomp filter Jun 17
> 16:06:43 dommaster systemd[1]: Started chrony, an NTP client/server.
> 
> tcpdump udp port 123
> tcpdump: verbose output suppressed, use -v[v]... for full protocol
> decode listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot
> length 262144 bytes 16:22:47.608803 IP pc2304.tlk.loc.ntp >
> dom2.tlk.loc.ntp: NTPv3, Client, length                           120
> 16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3,
> Client, length 120
> 
> What we see on our Windows clients, without the right time is set:
> 
> w32tm /monitor
> dommaster.tlk.loc *** PDC ***[192.168.135.206:123]:
>     ICMP: 0ms Verz?gerung
>     NTP: +0.0000000s Offset von dommaster.tlk.loc
>         RefID: time.convar.net [213.206.165.21]
>         Stratum: 3
> dom2.tlk.loc[192.168.134.36:123]:
>     ICMP: 0ms Verz?gerung
>     NTP: +0.0216667s Offset von dommaster.tlk.loc
>         RefID: eth2-1201.fsn-lf-e02.productsup.int [185.252.140.126]
>         Stratum: 3
> 
> w32tm /query /source
> Local CMOS Clock
> 
> w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
> 
> w32tm /query /configuration
> [Konfiguration]
> 
> EventLogFlags: 2 (Lokal)
> AnnounceFlags: 10 (Lokal)
> TimeJumpAuditOffset: 28800 (Lokal)
> MinPollInterval: 10 (Lokal)
> MaxPollInterval: 15 (Lokal)
> MaxNegPhaseCorrection: 4294967295 (Lokal)
> MaxPosPhaseCorrection: 4294967295 (Lokal)
> MaxAllowedPhaseOffset: 300 (Lokal)
> 
> FrequencyCorrectRate: 4 (Lokal)
> PollAdjustFactor: 5 (Lokal)
> LargePhaseOffset: 50000000 (Lokal)
> SpikeWatchPeriod: 900 (Lokal)
> LocalClockDispersion: 10 (Lokal)
> HoldPeriod: 5 (Lokal)
> PhaseCorrectRate: 1 (Lokal)
> UpdateInterval: 30000 (Lokal)
> 
> FileLogName:  (Lokal)
> FileLogEntries: 0-300 (Lokal)
> FileLogSize: 16777216 (Lokal)
> 
> [Zeitanbieter]
> 
> NtpClient (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 1 (Lokal)
> InputProvider: 1 (Lokal)
> CrossSiteSyncFlags: 2 (Lokal)
> AllowNonstandardModeCombinations: 1 (Lokal)
> ResolvePeerBackoffMinutes: 15 (Lokal)
> ResolvePeerBackoffMaxTimes: 7 (Lokal)
> CompatibilityFlags: 2147483648 (Lokal)
> EventLogFlags: 1 (Lokal)
> LargeSampleSkew: 3 (Lokal)
> SpecialPollInterval: 3600 (Lokal)
> Type: NT5DS (Lokal)
> 
> NtpServer (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 0 (Lokal)
> InputProvider: 0 (Lokal)
> 
> C:\Users\administrator.TLK>w32tm /resync /nowait
> Befehl zum erneuten Synchronisieren wird an den lokalen Computer
> gesendet. Der Befehl wurde erfolgreich ausgef?hrt.
> 
> C:\Users\administrator.TLK>w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
> 
> The log File on a windows 10 pc:
> 154665 13:43:18.8148252s - Computed Secure Time:
> 154665 13:46:30.4880028s - ---------- Log File Opened
> ----------------- 154665 13:46:30.4882081s - Initializing Data IO
> 154665 13:46:30.4884036s - Initializing compute
> 154665 13:46:30.4884672s - Successfully opened handles to VM
> Generation counters 154665 13:46:30.4884807s - Failed to read vm
> genId counter. error: 0x00000006n 154665 13:46:30.4884898s - Secure
> Time Aggregation initialization complete 154665 13:46:30.5122261s -
> Computed Secure Time: 154665 13:46:30.6142804s - Computed Secure Time:
> 154665 13:46:30.6202869s - Computed Secure Time:
> 154665 13:46:30.8519384s - Computed Secure Time:
> 154665 13:46:32.0122878s - Computed Secure Time:
> 154665 13:51:32.0040470s - Computed Secure Time:
> 
> Greetings
> Daniel
> 
There doesn't seem to be anything really wrong on the Samba side, not
sure what to suggest.

Rowland

LP
On Jun 17, 2024 at 15:40 +0100, Daniel M?ller via samba <samba at
lists.samba.org>, wrote:
> Dear all,
>
> we are running two samba 4.20 on debian 11(as dcs) with
chrony/oldstable,now 4.0-8+deb11u2 amd64 as ntpserver.
> Our clients are windows 11 and windows 10 machines. A few of them where in
an old samba 4 domain without any time issues (ntp/centos7)!?
> What we see, ist hat none of them syncs his time excactly from our dcs.
There is a difference from 2 to 10 minutes. Can you point us to find the error?
>
> Our chrony.conf just the same of both dcs but bindcmaddress is different:
>
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> log tracking measurements statistics
> logdir /var/log/chrony
> maxupdateskew 100.0
> hwclockfile /etc/adjtime
> rtcsync
> makestep 1 3
> # ipaddress of this DC
> bindcmdaddress our.samba.dc.loc
I?d say this should be an IP.
> # The source, where we are receiving the time from
> server 0.pool.ntp.org iburst
> server 1.pool.ntp.org iburst
> server 2.pool.ntp.org iburst
> # dns netmask
> allow 192.168.135.0/24
> allow 192.168.134.0/24
> allow 192.168.50.0/24
> allow 192.168.131.0/24
> allow 192.168.139.0/24
> allow 192.168.140.0/24
> allow 0.0.0.0/0
If you are allowing 0.0.0.0/0, why the other declarations
?
> ntpsigndsocket /var/lib/samba/ntp_signd
> confdir /etc/chrony/conf.d
>
> Verifying rights to use signed socket:
> root at dommaster:~# ls -ld /var/lib/samba/ntp_signd
> drwxr-x--- 2 root _chrony 4096 8. Mai 07:26 /var/lib/samba/ntp_signd
>
> Show chrony status, running:
>
> service chrony status
> ? chrony.service - chrony, an NTP client/server
> Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor preset:
enabled)
> Active: active (running) since Mon 2024-06-17 16:06:43 CEST; 5s ago
> Docs: man:chronyd(8)
> man:chronyc(1)
> man:chrony.conf(5)
> Process: 926202 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited,
status=0/SUCCESS)
> Main PID: 926206 (chronyd)
> Tasks: 2 (limit: 154241)
> Memory: 1.2M
> CPU: 35ms
> CGroup: /system.slice/chrony.service
> ??926206 /usr/sbin/chronyd -F 1
> ??926207 /usr/sbin/chronyd -F 1
>
> Jun 17 16:06:43 dommaster systemd[1]: Starting chrony, an NTP
client/server...
> Jun 17 16:06:43 dommaster chronyd[926206]: chronyd version 4.0 starting
(+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND >
> Jun 17 16:06:43 dommaster chronyd[926206]: Frequency 26.454 +/- 0.158 ppm
read from /var/lib/chrony/chrony.drift
> Jun 17 16:06:43 dommaster chronyd[926206]: MS-SNTP authentication enabled
> Jun 17 16:06:43 dommaster chronyd[926206]: Loaded seccomp filter
> Jun 17 16:06:43 dommaster systemd[1]: Started chrony, an NTP client/server.
>
> tcpdump udp port 123
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot length 262144
bytes
> 16:22:47.608803 IP pc2304.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
length 120
> 16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3,
Client, length 120
I don?t see your windows machines talking to your server. Only to stratum
servers in the internet.

This is all I know about crony for samba:

http://samba.bigbird.es/doku.php?id=samba:install-chrony


>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

This is an example of the right conversation:


tcpdump -v port 123 udp
17:38:48.912484 IP (tos 0x0, ttl 128, id 12922, offset 0, flags [none], proto
UDP (17), length 96)
??PCSEC01.mad.caponato.es.ntp > bwing.mad.caponato.es.ntp: NTPv3, Client,
length 68
Leap indicator:??(0), Stratum 5 (secondary reference), poll 10 (1024s),
precision -23
Root Delay: 0.032287, Root dispersion: 3.784896, Reference-ID: 0xc0a8000d
??Reference Timestamp:??3927626518.829402699 (2024-06-17T15:21:58Z)
??Originator Timestamp: 3927626504.901653134 (2024-06-17T15:21:44Z)
??Receive Timestamp:?? ?3927626504.899602399 (2024-06-17T15:21:44Z)
??Transmit Timestamp:? ?3927627528.907404599 (2024-06-17T15:38:48Z)
?? ?Originator - Receive Timestamp:??-0.002050734
?? ?Originator - Transmit Timestamp: +1024.005751465
Key id: 805699584
Authentication: 00000000000000000000000000000000

17:38:48.913407 IP (tos 0x0, ttl 64, id 64754, offset 0, flags [DF], proto UDP
(17), length 96)
??bwing.mad.caponato.es.ntp > PCSEC01.mad.caponato.es.ntp: NTPv3, Server,
length 68
Leap indicator:??(0), Stratum 4 (secondary reference), poll 10 (1024s),
precision -24
Root Delay: 0.030212, Root dispersion: 0.001159, Reference-ID: 0xa29fc87b
??Reference Timestamp:??3927626832.614725473 (2024-06-17T15:27:12Z)
??Originator Timestamp: 3927627528.907404599 (2024-06-17T15:38:48Z)
??Receive Timestamp:?? ?3927627528.912293049 (2024-06-17T15:38:48Z)
??Transmit Timestamp:? ?3927627528.912419205 (2024-06-17T15:38:48Z)
?? ?Originator - Receive Timestamp:??+0.004888449
?? ?Originator - Transmit Timestamp: +0.005014606
Key id: 805699584
Authentication: 6f00cdb623536b5965a248829911b808


LP
On Jun 17, 2024 at 15:40 +0100, mueller at tropenklinik.de,
wrote:
>
> tcpdump udp port 123
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot length 262144
bytes
> 16:22:47.608803 IP pc2304.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
length 120
> 16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3,
Client, length 120

Try resetting the time service on your Windows domain members:
Do this in an elevated prompt:
=========================net stop w32time
w32tm /unregister
w32tm /register
net start w32time
=========================

On Mon, Jun 17, 2024 at 10:41?AM Daniel M?ller via samba <
samba at lists.samba.org> wrote:
> Dear all,
>
> we are running two samba 4.20 on debian 11(as dcs) with
> chrony/oldstable,now 4.0-8+deb11u2 amd64 as ntpserver.
> Our clients are windows 11 and windows 10 machines. A few of them where in
> an old samba 4 domain without any time issues (ntp/centos7)!?
> What we see, ist hat none of them syncs his time excactly from our dcs.
> There is a difference from 2 to 10 minutes. Can you point us to find the
> error?
>
> Our chrony.conf just the same of both dcs but bindcmaddress is different:
>
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> log tracking measurements statistics
> logdir /var/log/chrony
> maxupdateskew 100.0
> hwclockfile /etc/adjtime
> rtcsync
> makestep 1 3
> # ipaddress of this DC
> bindcmdaddress our.samba.dc.loc
> # The source, where we are receiving the time from
> server 0.pool.ntp.org     iburst
> server 1.pool.ntp.org     iburst
> server 2.pool.ntp.org     iburst
> # dns netmask
> allow 192.168.135.0/24
> allow 192.168.134.0/24
> allow 192.168.50.0/24
> allow 192.168.131.0/24
> allow 192.168.139.0/24
> allow 192.168.140.0/24
> allow 0.0.0.0/0
> ntpsigndsocket  /var/lib/samba/ntp_signd
> confdir /etc/chrony/conf.d
>
> Verifying  rights to use signed socket:
> root at dommaster:~# ls -ld /var/lib/samba/ntp_signd
> drwxr-x--- 2 root _chrony 4096  8. Mai 07:26 /var/lib/samba/ntp_signd
>
> Show chrony status, running:
>
> service chrony status
> ? chrony.service - chrony, an NTP client/server
>      Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor
> preset: enabled)
>      Active: active (running) since Mon 2024-06-17 16:06:43 CEST; 5s ago
>        Docs: man:chronyd(8)
>              man:chronyc(1)
>              man:chrony.conf(5)
>     Process: 926202 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited,
> status=0/SUCCESS)
>    Main PID: 926206 (chronyd)
>       Tasks: 2 (limit: 154241)
>      Memory: 1.2M
>         CPU: 35ms
>      CGroup: /system.slice/chrony.service
>              ??926206 /usr/sbin/chronyd -F 1
>              ??926207 /usr/sbin/chronyd -F 1
>
> Jun 17 16:06:43 dommaster systemd[1]: Starting chrony, an NTP
> client/server...
> Jun 17 16:06:43 dommaster chronyd[926206]: chronyd version 4.0 starting
> (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND >
> Jun 17 16:06:43 dommaster chronyd[926206]: Frequency 26.454 +/- 0.158 ppm
> read from /var/lib/chrony/chrony.drift
> Jun 17 16:06:43 dommaster chronyd[926206]: MS-SNTP authentication enabled
> Jun 17 16:06:43 dommaster chronyd[926206]: Loaded seccomp filter
> Jun 17 16:06:43 dommaster systemd[1]: Started chrony, an NTP client/server.
>
> tcpdump udp port 123
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot length 262144
> bytes
> 16:22:47.608803 IP pc2304.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
> length                           120
> 16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3,
> Client, length 120
>
> What we see on our Windows clients, without the right time is set:
>
> w32tm /monitor
> dommaster.tlk.loc *** PDC ***[192.168.135.206:123]:
>     ICMP: 0ms Verz?gerung
>     NTP: +0.0000000s Offset von dommaster.tlk.loc
>         RefID: time.convar.net [213.206.165.21]
>         Stratum: 3
> dom2.tlk.loc[192.168.134.36:123]:
>     ICMP: 0ms Verz?gerung
>     NTP: +0.0216667s Offset von dommaster.tlk.loc
>         RefID: eth2-1201.fsn-lf-e02.productsup.int [185.252.140.126]
>         Stratum: 3
>
> w32tm /query /source
> Local CMOS Clock
>
> w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
>
> w32tm /query /configuration
> [Konfiguration]
>
> EventLogFlags: 2 (Lokal)
> AnnounceFlags: 10 (Lokal)
> TimeJumpAuditOffset: 28800 (Lokal)
> MinPollInterval: 10 (Lokal)
> MaxPollInterval: 15 (Lokal)
> MaxNegPhaseCorrection: 4294967295 (Lokal)
> MaxPosPhaseCorrection: 4294967295 (Lokal)
> MaxAllowedPhaseOffset: 300 (Lokal)
>
> FrequencyCorrectRate: 4 (Lokal)
> PollAdjustFactor: 5 (Lokal)
> LargePhaseOffset: 50000000 (Lokal)
> SpikeWatchPeriod: 900 (Lokal)
> LocalClockDispersion: 10 (Lokal)
> HoldPeriod: 5 (Lokal)
> PhaseCorrectRate: 1 (Lokal)
> UpdateInterval: 30000 (Lokal)
>
> FileLogName:  (Lokal)
> FileLogEntries: 0-300 (Lokal)
> FileLogSize: 16777216 (Lokal)
>
> [Zeitanbieter]
>
> NtpClient (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 1 (Lokal)
> InputProvider: 1 (Lokal)
> CrossSiteSyncFlags: 2 (Lokal)
> AllowNonstandardModeCombinations: 1 (Lokal)
> ResolvePeerBackoffMinutes: 15 (Lokal)
> ResolvePeerBackoffMaxTimes: 7 (Lokal)
> CompatibilityFlags: 2147483648 (Lokal)
> EventLogFlags: 1 (Lokal)
> LargeSampleSkew: 3 (Lokal)
> SpecialPollInterval: 3600 (Lokal)
> Type: NT5DS (Lokal)
>
> NtpServer (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 0 (Lokal)
> InputProvider: 0 (Lokal)
>
> C:\Users\administrator.TLK>w32tm /resync /nowait
> Befehl zum erneuten Synchronisieren wird an den lokalen Computer gesendet.
> Der Befehl wurde erfolgreich ausgef?hrt.
>
> C:\Users\administrator.TLK>w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
>
> The log File on a windows 10 pc:
> 154665 13:43:18.8148252s - Computed Secure Time:
> 154665 13:46:30.4880028s - ---------- Log File Opened -----------------
> 154665 13:46:30.4882081s - Initializing Data IO
> 154665 13:46:30.4884036s - Initializing compute
> 154665 13:46:30.4884672s - Successfully opened handles to VM Generation
> counters
> 154665 13:46:30.4884807s - Failed to read vm genId counter. error:
> 0x00000006n
> 154665 13:46:30.4884898s - Secure Time Aggregation initialization complete
> 154665 13:46:30.5122261s - Computed Secure Time:
> 154665 13:46:30.6142804s - Computed Secure Time:
> 154665 13:46:30.6202869s - Computed Secure Time:
> 154665 13:46:30.8519384s - Computed Secure Time:
> 154665 13:46:32.0122878s - Computed Secure Time:
> 154665 13:51:32.0040470s - Computed Secure Time:
>
> Greetings
> Daniel
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Ahoi,


its more the windows ntp client that doesnt work correctly....

try this one on your win machines:

https://www.meinberg.de/german/sw/ntp.htm#ntp_stable

greetz

Stefan


Am 17.06.24 um 16:23 schrieb Daniel M?ller via samba:
> Dear all,
>
> we are running two samba 4.20 on debian 11(as dcs) with 
chrony/oldstable,now 4.0-8+deb11u2 amd64 as ntpserver.
> Our clients are windows 11 and windows 10 machines. A few of them where in
an old samba 4 domain without any time issues (ntp/centos7)!?
> What we see, ist hat none of them syncs his time excactly from our dcs.
There is a difference from 2 to 10 minutes. Can you point us to find the error?
>
> Our chrony.conf just the same of both dcs but bindcmaddress is different:
>
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> log tracking measurements statistics
> logdir /var/log/chrony
> maxupdateskew 100.0
> hwclockfile /etc/adjtime
> rtcsync
> makestep 1 3
> # ipaddress of this DC
> bindcmdaddress our.samba.dc.loc
> # The source, where we are receiving the time from
> server 0.pool.ntp.org     iburst
> server 1.pool.ntp.org     iburst
> server 2.pool.ntp.org     iburst
> # dns netmask
> allow 192.168.135.0/24
> allow 192.168.134.0/24
> allow 192.168.50.0/24
> allow 192.168.131.0/24
> allow 192.168.139.0/24
> allow 192.168.140.0/24
> allow 0.0.0.0/0
> ntpsigndsocket  /var/lib/samba/ntp_signd
> confdir /etc/chrony/conf.d
>
> Verifying  rights to use signed socket:
> root at dommaster:~# ls -ld /var/lib/samba/ntp_signd
> drwxr-x--- 2 root _chrony 4096  8. Mai 07:26 /var/lib/samba/ntp_signd
>
> Show chrony status, running:
>
> service chrony status
> ? chrony.service - chrony, an NTP client/server
>       Loaded: loaded (/lib/systemd/system/chrony.service; enabled; vendor
preset: enabled)
>       Active: active (running) since Mon 2024-06-17 16:06:43 CEST; 5s ago
>         Docs: man:chronyd(8)
>               man:chronyc(1)
>               man:chrony.conf(5)
>      Process: 926202 ExecStart=/usr/sbin/chronyd $DAEMON_OPTS (code=exited,
status=0/SUCCESS)
>     Main PID: 926206 (chronyd)
>        Tasks: 2 (limit: 154241)
>       Memory: 1.2M
>          CPU: 35ms
>       CGroup: /system.slice/chrony.service
>               ??926206 /usr/sbin/chronyd -F 1
>               ??926207 /usr/sbin/chronyd -F 1
>
> Jun 17 16:06:43 dommaster systemd[1]: Starting chrony, an NTP
client/server...
> Jun 17 16:06:43 dommaster chronyd[926206]: chronyd version 4.0 starting
(+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND >
> Jun 17 16:06:43 dommaster chronyd[926206]: Frequency 26.454 +/- 0.158 ppm
read from /var/lib/chrony/chrony.drift
> Jun 17 16:06:43 dommaster chronyd[926206]: MS-SNTP authentication enabled
> Jun 17 16:06:43 dommaster chronyd[926206]: Loaded seccomp filter
> Jun 17 16:06:43 dommaster systemd[1]: Started chrony, an NTP client/server.
>
> tcpdump udp port 123
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp1s0f0, link-type EN10MB (Ethernet), snapshot length 262144
bytes
> 16:22:47.608803 IP pc2304.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3, Client,
length                           120
> 16:22:53.692770 IP schulung6.tlk.loc.ntp > dom2.tlk.loc.ntp: NTPv3,
Client, length 120
>
> What we see on our Windows clients, without the right time is set:
>
> w32tm /monitor
> dommaster.tlk.loc *** PDC ***[192.168.135.206:123]:
>      ICMP: 0ms Verz?gerung
>      NTP: +0.0000000s Offset von dommaster.tlk.loc
>          RefID: time.convar.net [213.206.165.21]
>          Stratum: 3
> dom2.tlk.loc[192.168.134.36:123]:
>      ICMP: 0ms Verz?gerung
>      NTP: +0.0216667s Offset von dommaster.tlk.loc
>          RefID: eth2-1201.fsn-lf-e02.productsup.int [185.252.140.126]
>          Stratum: 3
>
> w32tm /query /source
> Local CMOS Clock
>
> w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
>
> w32tm /query /configuration
> [Konfiguration]
>
> EventLogFlags: 2 (Lokal)
> AnnounceFlags: 10 (Lokal)
> TimeJumpAuditOffset: 28800 (Lokal)
> MinPollInterval: 10 (Lokal)
> MaxPollInterval: 15 (Lokal)
> MaxNegPhaseCorrection: 4294967295 (Lokal)
> MaxPosPhaseCorrection: 4294967295 (Lokal)
> MaxAllowedPhaseOffset: 300 (Lokal)
>
> FrequencyCorrectRate: 4 (Lokal)
> PollAdjustFactor: 5 (Lokal)
> LargePhaseOffset: 50000000 (Lokal)
> SpikeWatchPeriod: 900 (Lokal)
> LocalClockDispersion: 10 (Lokal)
> HoldPeriod: 5 (Lokal)
> PhaseCorrectRate: 1 (Lokal)
> UpdateInterval: 30000 (Lokal)
>
> FileLogName:  (Lokal)
> FileLogEntries: 0-300 (Lokal)
> FileLogSize: 16777216 (Lokal)
>
> [Zeitanbieter]
>
> NtpClient (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 1 (Lokal)
> InputProvider: 1 (Lokal)
> CrossSiteSyncFlags: 2 (Lokal)
> AllowNonstandardModeCombinations: 1 (Lokal)
> ResolvePeerBackoffMinutes: 15 (Lokal)
> ResolvePeerBackoffMaxTimes: 7 (Lokal)
> CompatibilityFlags: 2147483648 (Lokal)
> EventLogFlags: 1 (Lokal)
> LargeSampleSkew: 3 (Lokal)
> SpecialPollInterval: 3600 (Lokal)
> Type: NT5DS (Lokal)
>
> NtpServer (Lokal)
> DllName: C:\windows\system32\w32time.dll (Lokal)
> Enabled: 0 (Lokal)
> InputProvider: 0 (Lokal)
>
> C:\Users\administrator.TLK>w32tm /resync /nowait
> Befehl zum erneuten Synchronisieren wird an den lokalen Computer gesendet.
> Der Befehl wurde erfolgreich ausgef?hrt.
>
> C:\Users\administrator.TLK>w32tm /query /status
> Sprungindikator: 3(nicht synchronisiert)
> Stratum: 0 (nicht angegeben)
> Pr?zision: -23 (119.209ns pro Tick)
> Stammverz?gerung: 0.0000000s
> Stammabweichung: 0.0000000s
> Referenz-ID: 0x00000000 (nicht angegeben)
> Letzte erfolgr. Synchronisierungszeit: nicht angegeben
> Quelle: Local CMOS Clock
> Abrufintervall: 10 (1024s)
>
> The log File on a windows 10 pc:
> 154665 13:43:18.8148252s - Computed Secure Time:
> 154665 13:46:30.4880028s - ---------- Log File Opened -----------------
> 154665 13:46:30.4882081s - Initializing Data IO
> 154665 13:46:30.4884036s - Initializing compute
> 154665 13:46:30.4884672s - Successfully opened handles to VM Generation
counters
> 154665 13:46:30.4884807s - Failed to read vm genId counter. error:
0x00000006n
> 154665 13:46:30.4884898s - Secure Time Aggregation initialization complete
> 154665 13:46:30.5122261s - Computed Secure Time:
> 154665 13:46:30.6142804s - Computed Secure Time:
> 154665 13:46:30.6202869s - Computed Secure Time:
> 154665 13:46:30.8519384s - Computed Secure Time:
> 154665 13:46:32.0122878s - Computed Secure Time:
> 154665 13:51:32.0040470s - Computed Secure Time:
>
> Greetings
> Daniel
>
>
>
>