Hello,

It came to my attention that recently time synchronisation has stopped working properly in my environment, and I can't wrap my head around it; maybe someone here can give me some ideas.

I'm running latest samba 4 on debian bookworm (backports) as an AD DC. Schema/functionality upgraded.

As time service is chrony. Service is running, I checked with wiki's entry, I re-checked permissions on /var/lib/samba/ntp_signd, proper entry is there in chrony.conf.

Windows clients, domain joined, different OS's (windows server 2012, windows server 2016, windows 11) all show similar issue:

1) if I set from client the manualpeerlist (w32tm /config /manualpeerlist:<FQDN> /syncfromflags:MANUAL /update) and direct them precisely at DC1 (that is my samba server with PDC FSMO), it works fine, I see windows setting with "w32tm /query /source" dc1 and I see it actively syncing

2) If I use the default on the client or re-set it (w32tm /config /syncfromflags:DOMHIER /update) and then "w32tm /resync /rediscover" or "w32tm /resync /force", I see two things:

- first client tries to use different DC (one that is not the owner of PDC FSMO) - it fails, server receives request, but doesn't respond
- dc2 (the one that is preferred on most clients) has the same chrony setup, /var/lib/samba/ntp_signd has valid owner/chmod settings and on startup chrony logs
- eventually client tries using dc1 but somehow fails too (even though with /manualpeerlist - it doesn't)

I have kerberos normally working fine, gpo, logins work fine across all windows platforms that are joined to the AD, DNS is working properly (from client side even w32tm /monitor lists proper DC entries with dc1 as PDC fsmo). On startup I see the "MS-SNTP authentication enabled". Firewall isn't blocking, because example 1) works fine. When running w32tm /resync /rediscover client.

I read long thread on this mailing list from january about chrony issues, I found the information, which helped, that on the wiki page in the example config: "keys" directive is uncommented which should, as far as I understand, be commented out.

My questions first are:

1) should non-PDC role owners respond to windows clients?
2) if only the PDC should, why do windows clients decide to use a non-PDC one as their first time source, even though they can look up which DC is carrying the PDC fsmo role?
3) what else I might be missing?

Regards,
Kacper Wirski
A solution is in this Samba mailing list thread: https://lists.samba.org/archive/samba/2025-January/250758.html
On 06.11.2025 13:23, Kacper Wirski via samba wrote:
> Hello,
>
> It came to my attention, that recently time synchronisation has stopped working properly in my environment, and I can't wrap my head around it, maybe someone here can give me some ideas.
>
> I'm running latest samba 4 on debian bookworm (backports) as an AD DC. Schema/functionality upgraded.
>
> As time service is chrony. Service is running, I checked with wiki's entry, I re-checked permissions on /var/lib/samba/ntp_signd, proper entry is there in chrony.conf
>
> Windows clients, domain joined, different OS's (windows server 2012, windows server 2016, windows 11) all show similar issue:
>
> 1) if i set from client the manualpeerlist (w32tm /config /manualpeerlist:<FQDN> /syncfromflags:MANUAL /update) and direct them precisely at DC1 (that is my samba server with PDC FSMO), it works fine, I see windows setting with "w32tm /query /source" dc1 and I see it actively syncing
>
> 2) If I use the default on the client or re-set it (w32tm /config /syncfromflags:DOMHIER /update) and then "w32tm /resync /rediscover" or "w32tm /resync /force")
>
> I see two things:
>
> - first client tries to use different DC (one that is not the owner of PDC FSMO) - it fails, server receives request, but doesn't respond
>
> - dc2 (the one that is preferred on most clients) has the same chrony setup, /var/lib/samba/ntp_signd has valid owner/chmod settings and on startup chrony logs
>
> - eventually client tries using dc1 but somehow fails too (even though with /manualpeerlist - it doesn't)
>
> I have kerberos normally working fine, gpo, logins work fine across all windows platforms that are joined to the AD, DNS is working properly (from client side even w32tm /monitor lists proper DC entries with dc1 as PDC fsmo). On startup i see the "MS-SNTP authentication enabled".
>
> Firewall isn't blocking, because example 1) works fine. When running w32tm /resync /rediscover client.
>
> I read long thread on this mailing list from january about chrony issues, I found the information, which helped, that on the wiki page in the example config:
>
> "keys" directive is uncommented which, should, as far as I understand, be commented out.
>
> My questions first are:
>
> 1) should non-PDC role owners respond to windows clients?
>
> 2) if only PDC should, why windows clients decide to use non-PDC one their first time source, even though they can lookup, which DC is carrying the PDC fsmo role?
>
> 3) what else I might be missing?
>
> Regards,
>
> Kacper Wirski

Hi Kacper,

Here we go again for the n:th time. If you want time synchronization with a recent Samba DC from a Windows client, this is the only hack that works:

- Run regedit
- Change the value of \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed to 0 (zero)
- Open a CMD prompt as administrator on the Windows box
- Run w32tm /config /syncfromflags:DOMHIER /reliable:YES /update
- Run net stop w32time && net start w32time
- Wait a few seconds and run w32tm /query /status

This hack does not allow secure synchronization, but it works. But you don't need to hardcode a NTP-server, as the Windows client now uses a DC for time synchronization. You could create a GPO to push it out to many Windows clients. Not worth the trouble for just a few clients.

Still waiting for a working secure time synchronization with a Samba DC for many years...

Best regards,
Peter
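The steps in Peter's reply, collected into one PowerShell script as an added example (this is not code from the thread or from the Samba project). It assumes the registry path and value name exactly as Peter gives them, and that it is run in an elevated session on the domain-joined Windows client. It records the previous SignatureAuthAllowed value before changing it, so the change can be reverted once signed MS-SNTP works again, and finishes by reading back the status and the selected source so you can confirm the client is now syncing from a DC rather than a hardcoded peer.

```powershell
# Added example, not from the thread: apply the workaround from Peter's reply
# and show what it changed. Run as administrator.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'
$Name = 'SignatureAuthAllowed'

# Record the current value so the workaround can be undone later
# (1 means the client insists on MS-SNTP signature authentication).
$Before = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
Write-Host "$Name before: $Before"

# Step 1: stop requiring signed responses from the DC (value 0, as in the thread).
# This is the part that gives up secure synchronization, as Peter notes.
Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord

# Step 2: take the time source from the domain hierarchy instead of a manual peer list.
w32tm /config /syncfromflags:DOMHIER /reliable:YES /update

# Step 3: restart the Windows Time service (equivalent of net stop / net start).
Restart-Service -Name w32time

# Step 4: give the service a moment, then read back status and the chosen source.
Start-Sleep -Seconds 5
w32tm /query /status
w32tm /query /source

# Show what changed, for the change log.
$After = (Get-ItemProperty -Path $Key -Name $Name).$Name
Write-Host "$Name after: $After (was: $Before)"
```

To revert, set the value back to what was printed as "before" (typically 1) and restart w32time again. If you roll this out by GPO instead, the registry value and the w32tm settings are the same two items; the script only does by hand what a GPO preference would push.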
I'm getting a crash, pretty frequent, but not really sure what it's
doing when this happens. Looking for help.
Thanks.
[root@ecuador cathryn]# samba --version
Version 4.22.6
Stack trace of thread 12687:
#0  0x00007fd3643f9735 abort (libc.so.6 + 0x1735)
#1  0x00007fd36464810a smb_panic_default.isra.0 (libgenrand-private-samba.so + 0x310a)
#2  0x00007fd3646486a5 smb_panic (libgenrand-private-samba.so + 0x36a5)
#3  0x00007fd364648744 sig_fault (libgenrand-private-samba.so + 0x3744)
#4  0x00007fd364412070 __restore_rt (libc.so.6 + 0x1a070)
#5  0x00007fd36446677c __internal_syscall_cancel (libc.so.6 + 0x6e77c)
#6  0x00007fd3644667a4 __syscall_cancel (libc.so.6 + 0x6e7a4)
#7  0x00007fd3644e07fe read (libc.so.6 + 0xe87fe)
#8  0x00007fd36419231e sys_read (libsys-rw-private-samba.so + 0x231e)
#9  0x00007fd364927a8e tfork_create (libsamba-util.so.0 + 0x65a8e)
#10 0x00007fd3622c03dc prefork_fork_master (prefork.so + 0x53dc)
#11 0x00007fd3622c0e43 prefork_new_task (prefork.so + 0x5e43)
#12 0x00007fd364aaa1f5 task_server_startup (libservice-private-samba.so + 0x61f5)
#13 0x00007fd364aaa2c6 server_service_startup (libservice-private-samba.so + 0x62c6)
#14 0x000056280a1fcc61 binary_smbd_main.constprop.0 (/usr/bin/samba + 0x7c61)
#15 0x000056280a1fd440 main (/usr/bin/samba + 0x8440)
#16 0x00007fd3643fb575 __libc_start_call_main (libc.so.6 + 0x3575)
#17 0x00007fd3643fb628 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3628)
#18 0x000056280a1fb4b5 _start (/usr/bin/samba + 0x64b5)
ELF object binary architecture: AMD x86-64
# Global parameters
[global]
netbios name = ECUADOR
realm = JUNGLEVISION.JUNGLEVISION.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = JUNGLEVISION
idmap_ldb:use rfc2307 = yes
hosts allow = 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.8.0/24
hosts deny = 0.0.0.0/0
interfaces = 192.168.1.146 127.0.0.1
bind interfaces only = yes
log level = 1
min protocol = SMB2
time server = yes
vfs objects = fruit streams_xattr, dfs_samba4, acl_xattr
username map = /home/etc/samba/user.map
fruit:metadata = stream
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
[netlogon]
path = /var/lib/samba/sysvol/junglevision.junglevision.com/scripts
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit