Guy-Laurent Subri
2015-Oct-22 20:51 UTC
[Samba] net ads info: failed to get server's current time
On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>> Hi all,
>> We're having issues with Samba at work. I've searched a bit and the only
>> thing that has caught my eye is this: when I run the 'net ads info'
>> command on our DC --we have a Debian on which samba4 is installed and
>> configured as an AD DC-- I have the message "Failed to get server's
>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>
> It works for me on a Debian 4.1.17 DC, so you may have something
> mis-configured, have you altered the smb.conf in any way ?

I don't think the modifications I did to smb.conf are relevant enough to
cause a problem, but here's our smb.conf, just in case:

# Global parameters
[global]
        workgroup = TRS-CH
        realm = TRS-CH.COM
        netbios name = PDC
        server role = active directory domain controller
        server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate

[netlogon]
        path = /var/lib/samba/sysvol/trs-ch.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

> do you have ntp installed and configured correctly ?

Yes, I have it installed and everything works fine.

I also already tested the DNS by running the commands described here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Everything is reachable.

I tested kerberos by doing:
'kinit administrator at TRS-CH.COM'
It showed up when I did 'klist'.

Do you need more information ?

Thanks !
Cheers,
Guy-Laurent Subri
Rowland Penny
2015-Oct-22 21:13 UTC
[Samba] net ads info: failed to get server's current time
On 22/10/15 21:51, Guy-Laurent Subri wrote:
> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>> Hi all,
>>> We're having issues with Samba at work. I've searched a bit and the only
>>> thing that has caught my eye is this: when I run the 'net ads info'
>>> command on our DC --we have a Debian on which samba4 is installed and
>>> configured as an AD DC-- I have the message "Failed to get server's
>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>
>> It works for me on a Debian 4.1.17 DC, so you may have something
>> mis-configured, have you altered the smb.conf in any way ?
>
> I don't think the modifications I did to smb.conf are relevant enough to
> cause a problem, but here's our smb.conf, just in case:
>
> # Global parameters
> [global]
>         workgroup = TRS-CH
>         realm = TRS-CH.COM
>         netbios name = PDC
>         server role = active directory domain controller
>         server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
>
> [netlogon]
>         path = /var/lib/samba/sysvol/trs-ch.com/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>> do you have ntp installed and configured correctly ?
>
> Yes, I have it installed and everything works fine.
>
> I also already tested the DNS by running the commands described here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Everything is reachable.
>
> I tested kerberos by doing:
> 'kinit administrator at TRS-CH.COM'
> It showed up when I did 'klist'.
>
> Do you need more information ?
>
> Thanks !
> Cheers,
> Guy-Laurent Subri

Are you running with Bind9 ?

I think you need to remove all the '+' signs you have added to the
'server services' line, you normally only use the '+' sign to add a
service to the line, I think you may still be using the un-shown 'dns'
option.

I would also recommend that you use the new separate 'winbindd' instead
of the 'winbind' that you are using. I think that before long the old
'winbind' built into the samba daemon is going to disappear, so you
might as well get used to it now.

Rowland
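The list syntax described in the reply above, worked through as an added example (not code from the thread or from Samba): it computes which services end up enabled for a given 'server services' value and whether the internal 'dns' service is among them. The default list is an assumption taken from the smb.conf(5) documentation of the Samba 4.1 series, and the function and class names are hypothetical.

```python
"""Added example: how a 'server services' value combines with the defaults."""
import re

# ASSUMPTION: default list as documented in smb.conf(5) for the Samba 4.1
# series; later releases list 'winbindd' instead of 'winbind'.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbind", "ntp_signd", "kcc", "dnsupdate", "dns"]

# The value from the smb.conf posted in the thread ('+' on every entry).
POSTED_SERVICES = ("+s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, "
                   "+winbind, +ntp_signd, +kcc, +dnsupdate")
# The plain list posted later in the thread (no '+' signs).
REPLY_SERVICES = ("s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
                  "winbindd, ntp_signd, kcc, dnsupdate")
POSTED_SMB_CONF = f"""\
# Global parameters
[global]
    workgroup = TRS-CH
    realm = TRS-CH.COM
    netbios name = PDC
    server role = active directory domain controller
    server services = {POSTED_SERVICES}
"""


class MixedListSyntax(ValueError):
    """Prefixed (+/-) and plain entries appear in the same value."""


def global_param(smb_conf_text, wanted):
    """Value of a [global] parameter, or None when it is not set.

    Parameter names are compared ignoring case and whitespace; a trailing
    backslash continues the line.
    """
    key = "".join(wanted.split()).lower()
    section, value, pending = None, None, ""
    for raw in smb_conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        if sep and section == "global" and "".join(name.split()).lower() == key:
            value = val.strip()          # a later assignment wins
    return value


def effective_services(value, defaults=DEFAULT_SERVICES):
    """Service list that results from a 'server services' value.

    None (parameter absent) keeps the defaults; an empty value is treated
    the same way in this sketch. A plain list replaces the defaults, while
    '+name' / '-name' entries add to or remove from them.
    """
    entries = [e for e in re.split(r"[,\s]+", value or "") if e]
    prefixed = [e[0] in "+-" and len(e) > 1 for e in entries]
    if entries and not any(prefixed):
        return entries                   # plain list: defaults are dropped
    if not all(prefixed):
        raise MixedListSyntax(value)
    result = list(defaults)
    for entry in entries:
        name = entry[1:]
        if entry[0] == "+" and name not in result:
            result.append(name)          # already-present names change nothing
        elif entry[0] == "-" and name in result:
            result.remove(name)
    return result


def internal_dns_enabled(smb_conf_text):
    """True when the effective list still contains the internal 'dns' service."""
    value = global_param(smb_conf_text, "server services")
    return "dns" in effective_services(value)


if __name__ == "__main__":
    cases = {
        "posted smb.conf": POSTED_SMB_CONF,
        "plain list": "[global]\nserver services = " + REPLY_SERVICES,
        "constructed, defaults minus dns": "[global]\nserver services = -dns",
    }
    for label, conf in cases.items():
        services = effective_services(global_param(conf, "server services"))
        state = "ON" if "dns" in services else "off"
        print(f"{label}: internal dns {state}\n    {', '.join(services)}")
```

With the posted value every '+name' is already in the default list, so the result is the unchanged defaults, 'dns' included; the plain list and the '-dns' form both leave it out.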
Rowland Penny
2015-Oct-22 21:53 UTC
[Samba] net ads info: failed to get server's current time
On 22/10/15 22:33, Guy-Laurent Subri wrote:
> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>>>> Hi all,
>>>>> We're having issues with Samba at work. I've searched a bit and the only
>>>>> thing that has caught my eye is this: when I run the 'net ads info'
>>>>> command on our DC --we have a Debian on which samba4 is installed and
>>>>> configured as an AD DC-- I have the message "Failed to get server's
>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>>>
>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>>>> mis-configured, have you altered the smb.conf in any way ?
>>>
>>> I don't think the modifications I did to smb.conf are relevant enough to
>>> cause a problem, but here's our smb.conf, just in case:
>>>
>>> # Global parameters
>>> [global]
>>>         workgroup = TRS-CH
>>>         realm = TRS-CH.COM
>>>         netbios name = PDC
>>>         server role = active directory domain controller
>>>         server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
>>>
>>> [netlogon]
>>>         path = /var/lib/samba/sysvol/trs-ch.com/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /var/lib/samba/sysvol
>>>         read only = No
>>>
>>>> do you have ntp installed and configured correctly ?
>>>
>>> Yes, I have it installed and everything works fine.
>>>
>>> I also already tested the DNS by running the commands described here:
>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>
>>> Everything is reachable.
>>>
>>> I tested kerberos by doing:
>>> 'kinit administrator at TRS-CH.COM'
>>> It showed up when I did 'klist'.
>>>
>>> Do you need more information ?
>>>
>>> Thanks !
>>> Cheers,
>>> Guy-Laurent Subri
>>
>> Are you running with Bind9 ?
>>
>> I think you need to remove all the '+' signs you have added to the
>> 'server services' line, you normally only use the '+' sign to add a
>> service to the line, I think you may still be using the un-shown 'dns'
>> option.
>>
>> I would also recommend that you use the new separate 'winbindd' instead
>> of the 'winbind' that you are using. I think that before long the old
>> 'winbind' built into the samba daemon is going to disappear, so you
>> might as well get used to it now.
>
> Yes, I'm running Bind9.
> If I either remove the + signs or change 'windbind' to 'windbindd' I
> cannot contact the server again. (The result of the command 'net ads
> info' is : no logon servers, didn't find the ldap server).
>
> Cheers,
> Guy-Laurent Subri

OK, I have just joined a new DC to my domain and I am using Bind9 and
this is what I have in smb.conf:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

Note the lack of '+' signs

This is with Samba 4.3.1

I have also checked and 'net ads info' works as well, so if yours isn't
working, then something else is wrong, can you post your ntp.conf and
bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf

Rowland
mathias dufresne
2015-Oct-26 13:56 UTC
[Samba] net ads info: failed to get server's current time
I have no "server services" line in my smb.conf and "net ads info" is
working well using DC running Samba 4.3.1 on Centos 7.

Did you try without "server services" line?

Cheers,

mathias
L.P.H. van Belle
2015-Oct-26 14:03 UTC
[Samba] net ads info: failed to get server's current time
Run :

    echo "\n" | samba-tool testparm | grep "server service"

What do you see now...
Guy-Laurent Subri
2015-Oct-28 10:09 UTC
[Samba] net ads info: failed to get server's current time
On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
> On 22/10/15 22:33, Guy-Laurent Subri wrote:
>> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>>>>> Hi all,
>>>>>> We're having issues with Samba at work. I've searched a bit and the only
>>>>>> thing that has caught my eye is this: when I run the 'net ads info'
>>>>>> command on our DC --we have a Debian on which samba4 is installed and
>>>>>> configured as an AD DC-- I have the message "Failed to get server's
>>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>>>>
>>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>>>>> mis-configured, have you altered the smb.conf in any way ?
>>>>
>>>> I don't think the modifications I did to smb.conf are relevant enough to
>>>> cause a problem, but here's our smb.conf, just in case:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = TRS-CH
>>>>         realm = TRS-CH.COM
>>>>         netbios name = PDC
>>>>         server role = active directory domain controller
>>>>         server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/trs-ch.com/scripts
>>>>         read only = No
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = No
>>>>
>>>>> do you have ntp installed and configured correctly ?
>>>>
>>>> Yes, I have it installed and everything works fine.
>>>>
>>>> I also already tested the DNS by running the commands described here:
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>>
>>>> Everything is reachable.
>>>>
>>>> I tested kerberos by doing:
>>>> 'kinit administrator at TRS-CH.COM'
>>>> It showed up when I did 'klist'.
>>>>
>>>> Do you need more information ?
>>>>
>>>> Thanks !
>>>> Cheers,
>>>> Guy-Laurent Subri
>>>
>>> Are you running with Bind9 ?
>>>
>>> I think you need to remove all the '+' signs you have added to the
>>> 'server services' line, you normally only use the '+' sign to add a
>>> service to the line, I think you may still be using the un-shown 'dns'
>>> option.
>>>
>>> I would also recommend that you use the new separate 'winbindd' instead
>>> of the 'winbind' that you are using. I think that before long the old
>>> 'winbind' built into the samba daemon is going to disappear, so you
>>> might as well get used to it now.
>>
>> Yes, I'm running Bind9.
>> If I either remove the + signs or change 'windbind' to 'windbindd' I
>> cannot contact the server again. (The result of the command 'net ads
>> info' is : no logon servers, didn't find the ldap server).
>>
>> Cheers,
>> Guy-Laurent Subri
>
> OK, I have just joined a new DC to my domain and I am using Bind9 and
> this is what I have in smb.conf:
>
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>
> Note the lack of '+' signs
>
> This is with Samba 4.3.1

My version of Samba is 4.1.17. I don't think this changes anything, but
I can try to upgrade if needed.

> I have also checked and 'net ads info' works as well, so if yours isn't
> working, then something else is wrong, can you post your ntp.conf and
> bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>
> Rowland

Here are the files:

/etc/ntp.conf
-------------
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd

statsdir /var/log/ntpstats/

server 0.ch.pool.ntp.org
server 1.ch.pool.ntp.org
server 2.ch.pool.ntp.org
server 3.ch.pool.ntp.org

restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

restrict 127.0.0.1
restrict ::1

restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery

broadcast 192.168.123.255

/etc/bind/named.conf
--------------------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

/etc/bind/named.conf.options
----------------------------
options {
        directory "/var/cache/bind";

        forwarders {
                192.168.1.185;
        };

        dnssec-validation auto;

        auth-nxdomain no;
        allow-query { localhost; any; };
        listen-on port 53 { 127.0.0.1; 192.168.1.17; };
        listen-on-v6 { any; };
};

/etc/bind/named.conf.local
--------------------------
is empty

/etc/bind/named.conf.default-zones
----------------------------------
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
        type master;
        file "/var/lib/samba/private/dns/trs-ch.com.zone";
        include "/var/lib/samba/private/named.conf.update";
        check-names ignore;
};

resolv.conf
-----------
search trs-ch.com
nameserver 192.168.1.17
nameserver 192.168.1.7

krb5.conf
---------
[libdefaults]
        default_realm = TRS-CH.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        TRS-CH.COM = {
                kdc = 192.168.1.17
                admin_server = 192.168.1.17
                default_domain = trs-ch.com
        }
[TRS-CH.COM]
        .trs-ch.com = TRS-CH.COM
        trs.ch.com
        TRS-CH.COM

Thank you for your time!

Cheers,
Guy-Laurent
L.P.H. van Belle
2015-Oct-28 10:33 UTC
[Samba] net ads info: failed to get server's current time
Hai,

Copy the code and set these variables.
Run the script, restart samba and log in again with a PC.
Should work now, you're missing something and you're not using good ntp servers.

#!/bin/bash

########## NTP settings needed for a correctly functioning Samba AD DC server
## Set to 1 installs the ntp server.
## (default is ok)
NTPD_INSTALL="1"

# If you run the server on a XEN server, set to 1.
NTPD_XEN_GUEST="0"

## Important: look for a stratum 1 server in your area.
## For a server joining a domain put the IP of the AD server here.
## See also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
## (default is not ok, change this one to an ntp server in your country)
NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
## If you don't have a second ntp server leave empty.
NTPD_SERVER2_EXTERNAL=""

## Restrict ntpd bind to which interfaces.
## Choose, multiple options are allowed.
## The options are: lo eth(0..9) wildcard ipv6
## (default is ok, if your interface name is eth0 and you don't use ipv6)
NTPD_RESTRICT_INTERFACE="lo eth0"
NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"

## Default for sernet samba and debian samba (should normally not be changed)
SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"

## Debian default, leave it as is.
NTPD_GROUP="ntp"

########### NTP
apt-get -y --no-install-recommends install ntp
cp /etc/ntp.conf /etc/ntp.conf.backup
echo " " >> /etc/ntp.conf

# Comment out the stock Debian pool servers.
for x in 0 1 2 3 ; do
    sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf
done

# Listen only on the chosen interfaces.
for i in ${NTPD_RESTRICT_INTERFACE} ; do
    echo " " >> /etc/ntp.conf
    echo "interface listen ${i}" >> /etc/ntp.conf
done
for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do
    echo "interface ignore ${i2}" >> /etc/ntp.conf
done

## Set up the ntp source server.
if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then
    sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf
fi
if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then
    # Append the second server to ntp.conf.
    echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf
fi

# Allow signed (MS-SNTP) replies on the default restrict lines.
sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf

# Point ntpd at Samba's signing socket directory.
cat << EOF >> /etc/ntp.conf
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

# The socket directory must be readable by the ntp group only.
install -o root -g $NTPD_GROUP -m 0750 -d /var/lib/samba/ntp_signd
service ntp start
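A read-only counterpart to the script above, as an added example that is not part of the thread: it reports whether an ntp.conf already carries the two settings the script appends (`mssntp` on the default `restrict` lines and `ntpsigndsocket`), and applies them only where absent, so a second run changes nothing. The sample config is constructed and the function names are hypothetical.

```python
"""Added example: read-only audit and idempotent edit of ntp.conf text."""

SIGND_DIR = "/var/lib/samba/ntp_signd"  # path used in the thread

# Constructed sample: an ntp.conf before any Samba-related change.
STOCK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery  # IPv6 clients
restrict 127.0.0.1
restrict ::1
"""


def _words(line):
    """Directive and arguments of one line, with any comment stripped."""
    return line.split("#", 1)[0].split()


def audit_ntp_conf(text, signd_dir=SIGND_DIR):
    """Return a list of findings; empty when both settings are in place."""
    findings, sockets, defaults = [], [], 0
    for line in text.splitlines():
        words = _words(line)
        if words[:1] == ["ntpsigndsocket"]:
            sockets.append(" ".join(words[1:]).rstrip("/"))
        elif words[:1] == ["restrict"] and "default" in words:
            defaults += 1
            if "mssntp" not in words:
                findings.append(
                    "restrict default without mssntp: " + " ".join(words[1:]))
    if defaults == 0:
        findings.append("no 'restrict ... default' line")
    if not sockets:
        findings.append("ntpsigndsocket not set")
    elif len(sockets) > 1:
        findings.append(f"ntpsigndsocket set {len(sockets)} times")
    elif sockets[0] != signd_dir.rstrip("/"):
        findings.append(
            f"ntpsigndsocket is {sockets[0]!r}, expected {signd_dir!r}")
    return findings


def ensure_ms_sntp(text, signd_dir=SIGND_DIR):
    """Return the config text with only the absent settings added."""
    out, has_socket = [], False
    for line in text.splitlines():
        words = _words(line)
        if words[:1] == ["ntpsigndsocket"]:
            has_socket = True
        elif (words[:1] == ["restrict"] and "default" in words
              and "mssntp" not in words):
            # Add the flag before any trailing comment on the line.
            code, mark, comment = line.partition("#")
            line = code.rstrip() + " mssntp"
            if mark:
                line += " " + mark + comment
        out.append(line)
    if not has_socket:
        out.append(f"ntpsigndsocket {signd_dir}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:")
    for finding in audit_ntp_conf(STOCK_NTP_CONF):
        print("  -", finding)
    fixed = ensure_ms_sntp(STOCK_NTP_CONF)
    print("after:", audit_ntp_conf(fixed) or "nothing left to add")
    print("second run changes nothing:", ensure_ms_sntp(fixed) == fixed)
```

The functions work on text only; write the result back yourself after keeping a copy of the original file, as the script does with /etc/ntp.conf.backup.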