L.P.H. van Belle
2015-Oct-28 10:33 UTC
[Samba] net ads info: failed to get server's current time
Hai,

Copy the code and set these variables.
Run the script, restart samba and login again with a pc.
Should work now, you're missing something and you're not using good ntp servers.

#!/bin/bash
########## NTP Settings needed for a correct functioning samba AD DC server
## Set to 1 installs the ntp server. (default is ok )
NTPD_INSTALL="1"
# if you run the server on a XEN Server, set to 1.
NTPD_XEN_GUEST="0"
## important look for a stratum 1 server in your area
## for a server joining a domain put the ip of the AD server here.
## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
## (default is not ok, change this one to a ntp in your country )
NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
## if you dont have a second ntp server leave empty
NTPD_SERVER2_EXTERNAL=""
## restrict ntpd bind to which interfaces.
## choose, multiple options are allowed.
## the options are: lo eth(0..9) wildcard ipv6
## (default is ok, if your interface name is eth0 and you dont use ipv6. )
NTPD_RESTRICT_INTERFACE="lo eth0"
NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
## default for sernet samba and debian samba ( should normally not be changed )
SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
## debian default, leave it as is.
NTPD_GROUP="ntp"

########### NTP
apt-get -y --no-install-recommends install ntp
cp /etc/ntp.conf /etc/ntp.conf.backup
echo " " >> /etc/ntp.conf
## comment out the debian pool servers.
for x in 0 1 2 3 ; do sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ; done
for i in ${NTPD_RESTRICT_INTERFACE} ; do echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf; done
for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do echo "interface ignore ${i2}" >> /etc/ntp.conf; done
## setup the ntp source server.
if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
## append the second server ( the >> redirect was missing, so the line was only printed )
if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then echo "server ${NTPD_SERVER2_EXTERNAL}" >> /etc/ntp.conf; fi
## add mssntp to the default restrict lines.
sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
cat << EOF >> /etc/ntp.conf

ntpsigndsocket /var/lib/samba/ntp_signd

EOF

install -o root -g $NTPD_GROUP -m 0750 -d /var/lib/samba/ntp_signd
service ntp start

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
> Sent: Wednesday 28 October 2015 11:09
> To: Rowland Penny
> CC: sambalist
> Subject: Re: [Samba] net ads info: failed to get server's current time
>
> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
> >On 22/10/15 22:33, Guy-Laurent Subri wrote:
> >> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
> >>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
> >>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
> >>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
> >>>>>> Hi all,
> >>>>>> We're having issues with Samba at work. I've searched a bit and the only
> >>>>>> thing that has caught my eye is this: when I run the 'net ads info'
> >>>>>> command on our DC --we have a Debian on which samba4 is installed and
> >>>>>> configured as an AD DC-- I have the message "Failed to get server's
> >>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
> >>>>>
> >>>>> It works for me on a Debian 4.1.17 DC, so you may have something
> >>>>> mis-configured, have you altered the smb.conf in any way ?
> >>>>
> >>>> I don't think the modifications I did to smb.conf are relevant enough to
> >>>> cause a problem, but here's our smb.conf, just in case:
> >>>>
> >>>> # Global parameters
> >>>> [global]
> >>>>     workgroup = TRS-CH
> >>>>     realm = TRS-CH.COM
> >>>>     netbios name = PDC
> >>>>     server role = active directory domain controller
> >>>>     server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
> >>>> [netlogon]
> >>>>     path = /var/lib/samba/sysvol/trs-ch.com/scripts
> >>>>     read only = No
> >>>>
> >>>> [sysvol]
> >>>>     path = /var/lib/samba/sysvol
> >>>>     read only = No
> >>>>
> >>>>> do you have ntp installed and configured correctly ?
> >>>> Yes, I have it installed and everything works fine.
> >>>>
> >>>> I also already tested the DNS by running the commands described here:
> >>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> >>>>
> >>>> Everything is reachable.
> >>>>
> >>>> I tested kerberos by doing:
> >>>> 'kinit administrator@TRS-CH.COM'
> >>>> It showed up when I did 'klist'.
> >>>>
> >>>> Do you need more information ?
> >>>>
> >>>> Thanks !
> >>>> Cheers,
> >>>> Guy-Laurent Subri
> >>>
> >>> Are you running with Bind9 ?
> >>>
> >>> I think you need to remove all the '+' signs you have added to the
> >>> 'server services' line, you normally only use the '+' sign to add a
> >>> service to the line, I think you may still be using the un-shown 'dns'
> >>> option.
> >>> I would also recommend that you use the new separate 'winbindd' instead
> >>> of the 'winbind' that you are using. I think that before long the old
> >>> 'winbind' built into the samba daemon is going to disappear, so you
> >>> might as well get used to it now.
> >> Yes, I'm running Bind9.
> >> If I either remove the + signs or change 'winbind' to 'winbindd' I
> >> cannot contact the server again. (The result of the command 'net ads
> >> info' is : no logon servers, didn't find the ldap server).
> >>
> >> Cheers,
> >> Guy-Laurent Subri
> >
> >OK, I have just joined a new DC to my domain and I am using Bind9 and
> >this is what I have in smb.conf:
> >
> >server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> >winbindd, ntp_signd, kcc, dnsupdate
> >
> >Note the lack of '+' signs
> >
> >This is with Samba 4.3.1
> My version of Samba is 4.1.17. I don't think this changes anything, but
> I can try to upgrade if needed.
> >I have also checked and 'net ads info' works as well, so if yours isn't
> >working, then something else is wrong, can you post your ntp.conf and
> >bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
> >
> >Rowland
>
> Here are the files:
>
> /etc/ntp.conf
> -------------
> driftfile /var/lib/ntp/ntp.drift
> ntpsigndsocket /var/lib/samba/ntp_signd
>
> statsdir /var/log/ntpstats/
>
> server 0.ch.pool.ntp.org
> server 1.ch.pool.ntp.org
> server 2.ch.pool.ntp.org
> server 3.ch.pool.ntp.org
>
> restrict -4 default kod notrap nomodify nopeer noquery mssntp
> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
> restrict 127.0.0.1
> restrict ::1
>
> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>
> broadcast 192.168.123.255
>
> /etc/bind/named.conf
> --------------------
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
>
> /etc/bind/named.conf.options
> ----------------------------
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>         192.168.1.185;
>     };
>
>     dnssec-validation auto;
>
>     auth-nxdomain no;
>     allow-query { localhost; any; };
>     listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>     listen-on-v6 { any; };
> };
>
> /etc/bind/named.conf.local
> --------------------------
> is empty
>
> /etc/bind/named.conf.default-zones
> ----------------------------------
> zone "." {
>     type hint;
>     file "/etc/bind/db.root";
> };
>
> zone "localhost" {
>     type master;
>     file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
>     type master;
>     file "/etc/bind/db.255";
> };
>
> /var/lib/samba/private/named.conf
> ---------------------------------
> zone "trs-ch.com." IN {
>     type master;
>     file "/var/lib/samba/private/dns/trs-ch.com.zone";
>     include "/var/lib/samba/private/named.conf.update";
>     check-names ignore;
> };
>
> resolv.conf
> -----------
> search trs-ch.com
> nameserver 192.168.1.17
> nameserver 192.168.1.7
>
> krb5.conf
> ---------
> [libdefaults]
>     default_realm = TRS-CH.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
> [realms]
>     TRS-CH.COM = {
>         kdc = 192.168.1.17
>         admin_server = 192.168.1.17
>         default_domain = trs-ch.com
>     }
> [TRS-CH.COM]
>     .trs-ch.com = TRS-CH.COM
>     trs.ch.com
>     TRS-CH.COM
>
> Thank you for your time!
>
> Cheers,
> Guy-Laurent
Rowland Penny
2015-Oct-28 10:45 UTC
[Samba] net ads info: failed to get server's current time
On 28/10/15 10:33, L.P.H. van Belle wrote:
> Hai,
>
> Copy the code and set these variables.
> Run the script, restart samba and login again with a pc.
> Should work now, you're missing something and you're not using good ntp servers.

They all reply to a ping and a quick google seems to prove they exist (they must be good time servers, they are Swiss :-D )

I don't think that is the problem though, the OP is using a very strange Bind setup

Rowland
L.P.H. van Belle
2015-Oct-28 11:10 UTC
[Samba] net ads info: failed to get server's current time
Hm, the bind setup looks ok to me, it's a Debian Jessie as far as I can see.
It's a default setup, almost the same I'm using, and bind is configured to 9.9

So I think one of these 4 problems.

Incorrect rights on /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd
chmod 750 /var/lib/samba/ntp_signd

OR
The time on the pc is more than 5 min off.

OR
The pc has just joined the domain and has not rebooted yet.

OR
Pc is resolving to the internet first.
Which makes it fail also.

So, check the event logs for the last 3 solutions.
Check the rights on /var/lib/samba/ntp_signd

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Wednesday 28 October 2015 11:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] net ads info: failed to get server's current time
>
> They all reply to a ping and a quick google seems to prove they exist
> (they must be good time servers, they are Swiss :-D )
>
> I don't think that is the problem though, the OP is using a very strange
> Bind setup
>
> Rowland
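
The checks named in this thread (the mssntp and ntpsigndsocket lines the script writes to ntp.conf, and the root:ntp 750 rights on /var/lib/samba/ntp_signd), as an added example that is not part of any post. The function names and the sample files are constructed for illustration, and GNU stat is assumed, as on the Debian system discussed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Print one line per problem found in an ntp.conf; print nothing if it passes.
ntp_conf_problems() {
    conf=$1
    # ntpd must be told where Samba's ntp_signd service keeps its socket.
    grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$conf" ||
        echo "ntpsigndsocket directive missing"
    # The default restrict lines need mssntp, the flag the thread's script appends.
    grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf" |
        grep -Ev '[[:space:]]mssntp([[:space:]]|$)' |
        sed 's/^/mssntp missing on: /'
    # With every server line commented out, ntpd has no time source.
    grep -Eq '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]' "$conf" ||
        echo "no active server line"
    return 0
}

# Print one line per problem with the signing-socket directory.
# $1 directory, $2 expected owner:group, $3 expected octal mode (default 750).
# The thread uses root:ntp and 750: ntpd, in group ntp, can reach the socket
# and no other local user can.
signd_dir_problems() {
    dir=$1 want_owner=$2 want_mode=${3:-750}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 0; }
    mode=$(stat -c '%a' "$dir")        # GNU stat (assumption)
    owner=$(stat -c '%U:%G' "$dir")
    [ "$owner" = "$want_owner" ] || echo "owner is $owner, expected $want_owner"
    [ "$mode" = "$want_mode" ] || echo "mode is $mode, expected $want_mode"
    return 0
}

# Run both checks against constructed sample files in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample: a Debian-style ntp.conf before the script has run.
    cat > "$tmp/before.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
#server ntp.your-provider.example
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
EOF
    # Constructed sample: the relevant lines of the ntp.conf posted in the thread.
    cat > "$tmp/after.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd
server 0.ch.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
restrict 127.0.0.1
EOF
    mkdir "$tmp/ntp_signd" && chmod 755 "$tmp/ntp_signd"
    echo "== before.conf";  ntp_conf_problems "$tmp/before.conf"
    echo "== after.conf";   ntp_conf_problems "$tmp/after.conf"
    echo "== ntp_signd";    signd_dir_problems "$tmp/ntp_signd" root:ntp 750
    rm -rf "$tmp"
}

demo
```

On a real DC the calls would be ntp_conf_problems /etc/ntp.conf and signd_dir_problems /var/lib/samba/ntp_signd root:ntp 750.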
Rowland Penny
2015-Oct-28 11:19 UTC
[Samba] net ads info: failed to get server's current time
On 28/10/15 11:10, L.P.H. van Belle wrote:> Hm, the bind setup looks ok ,to me, its a debian Jessie as far i can see. > Its a default setup, almost the same im using and bind is configured to 9.9 > > So i think one of these 4 problems. > > Incorrect rights on /var/lib/samba/ntp_signd > chown root:ntp /var/lib/samba/ntp_signd > chmod 750 /var/lib/samba/ntp_signd > > OR > The time on the pc is more than 5 min off. > > OR > The pc has just joined the domain and has not rebooted yet. > > OR > Pc is resolving to the internet first. > Which make it fail also. > > So, check the event logs for the last 3 solutions. > Check the rights on /var/lib/samba/ntp_signd > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny >> Verzonden: woensdag 28 oktober 2015 11:45 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] net ads info: failed to get server's current time >> >> On 28/10/15 10:33, L.P.H. van Belle wrote: >>> Hai, >>> >>> >>> Copy the code and Set these variable >>> Run the script, restart samba and login again with an pc. >>> Should work now, your missing something and. Your not using good ntp >> servers. >> >> They all reply to a ping and a quick google seems to prove they exist >> (they must be good time servers, they are Swiss :-D ) >> >> I don't think that is the problem though, the OP is using a very strange >> Bind setup> >> >> Rowland >>> #!/bin/bash >>> ########## NTP Settings needed for a correct funtioning samba AD DC >> server >>> ## Set to 1 installs the ntp server. (default is ok ) >>> ## (default is ok ) >>> NTPD_INSTALL="1" >>> # if you run the server on a XEN Server, set to 1. >>> NTPD_XEN_GUEST="0" >>> ## important look for a stratum 1 server in your area >>> ## for a server joining a domain put the ip of the AD server here. 
>>> ## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
>>> ## (default is not ok, change this one to a ntp in your country )
>>> NTPD_SERVER1_EXTERNAL="ntp1.nl.net"
>>> ## if you dont have a second ntp server leave empty
>>> NTPD_SERVER2_EXTERNAL=""
>>> ## restrict ntpd bind to which interfaces.
>>> ## choose, multple options are allowed.
>>> ## the options are: lo eth(0..9) wildcard ipv6
>>> ## (default is ok, if you interface name is eth0 and you dont use ipv6. )
>>> NTPD_RESTRICT_INTERFACE="lo eth0"
>>> NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
>>> ## default for sernet samba and debian samba ( should normaly not be changed )
>>> SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
>>> ## debian default, leave it as is.
>>> NTPD_GROUP="ntp"
>>>
>>>
>>> ########### NTP
>>> apt-get -y --no-install-recommends install ntp
>>> cp /etc/ntp.conf /etc/ntp.conf.backup
>>> echo " " >> /etc/ntp.conf
>>> for x in 0 1 2 3 ; do sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ; done
>>> for i in ${NTPD_RESTRICT_INTERFACE} ; do echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf; done
>>> for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do echo "interface ignore ${i2}" >> /etc/ntp.conf; done
>>> ## setup the ntp source server.
>>> if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
>>> if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then echo "server ${NTPD_SERVER2_EXTERNAL}" /etc/ntp.conf; fi
>>> sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>>> sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>>> cat << EOF >> /etc/ntp.conf
>>>
>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>
>>> EOF
>>>
>>> install -o root -g $NTPD_GROUP -m 0750 -d /var/lib/samba/ntp_signd
>>> service ntp start
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
>>>> Sent: Wednesday 28 October 2015 11:09
>>>> To: Rowland Penny
>>>> CC: sambalist
>>>> Subject: Re: [Samba] net ads info: failed to get server's current time
>>>> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
>>>>> On 22/10/15 22:33, Guy-Laurent Subri wrote:
>>>>>> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>>>>>>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>>>>>>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>>>>>>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>> We're having issues with Samba at work. I've searched a bit and the only
>>>>>>>>>> thing that have caught my eye is this: when I run the 'net ads info'
>>>>>>>>>> command on our DC --we have a Debian on which samba4 is installed and
>>>>>>>>>> configured as a AD DC-- I have the message "Failed to get server's
>>>>>>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>>>>>>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>>>>>>>>> mis-configured, have you altered the smb.conf in any way ?
>>>>>>>> I don't think the modifications I did to smb.conf are relevant enough to
>>>>>>>> cause problem, but here's our smb.conf, just in case:
>>>>>>>>
>>>>>>>> # Global parameters
>>>>>>>> [global]
>>>>>>>> workgroup = TRS-CH
>>>>>>>> realm = TRS-CH.COM
>>>>>>>> netbios name = PDC
>>>>>>>> server role = active directory domain controller
>>>>>>>> server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
>>>>>>>> [netlogon]
>>>>>>>> path = /var/lib/samba/sysvol/trs-ch.com/scripts
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [sysvol]
>>>>>>>> path = /var/lib/samba/sysvol
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>>> do you have ntp installed and configured correctly ?
>>>>>>>> Yes, I have it installed and everything works fine.
>>>>>>>>
>>>>>>>> I also already tested the DNS by running the commands described here:
>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>>>>>> Everything is reachable.
>>>>>>>>
>>>>>>>> I tested kerberos by doing:
>>>>>>>> 'kinit administrator@TRS-CH.COM'
>>>>>>>> It showed up when I did 'klist'.
>>>>>>>>
>>>>>>>> Do you need more information ?
>>>>>>>>
>>>>>>>> Thanks !
>>>>>>>> Cheers,
>>>>>>>> Guy-Laurent Subri
>>>>>>> Are you running with Bind9 ?
>>>>>>>
>>>>>>> I think you need to remove all the '+' signs you have added to the
>>>>>>> 'server services' line, you normally only use the '+' sign to add a
>>>>>>> service to the line, I think you may still be using the un-shown 'dns'
>>>>>>> option.
>>>>>>> I would also recommend that you use the new separate 'winbindd' instead
>>>>>>> of the 'winbind' that you are using. I think that before long the old
>>>>>>> 'winbind' built into the samba daemon is going to disappear, so you
>>>>>>> might as well get used to it now.
>>>>>> Yes, I'm running Bind9.
>>>>>> If I either remove the + signs or change 'windbind' to 'windbindd' I
>>>>>> cannot contact the server again. (The result of the command 'net ads
>>>>>> info' is : no logon servers, didn't find the ldap server).
>>>>>>
>>>>>> Cheers,
>>>>>> Guy-Laurent Subri
>>>>> OK, I have just joined a new DC to my domain and I am using Bind9 and
>>>>> this is what I have in smb.conf:
>>>>>
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>> winbindd, ntp_signd, kcc, dnsupdate
>>>>>
>>>>> Note the lack of '+' signs
>>>>>
>>>>> This is with Samba 4.3.1
>>>> My version of Samba is 4.1.17. I don't think this changes anything, but
>>>> I can try to upgrade if needed.
>>>>> I have also checked and 'net ads info' works as well, so if yours isn't
>>>>> working, then something else is wrong, can you post your ntp.conf and
>>>>> bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>>>>>
>>>>> Rowland
>>>> Here are the files:
>>>>
>>>> /etc/ntp.conf
>>>> -------------
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> ntpsigndsocket /var/lib/samba/ntp_signd
>>>>
>>>> statsdir /var/log/ntpstats/
>>>>
>>>> server 0.ch.pool.ntp.org
>>>> server 1.ch.pool.ntp.org
>>>> server 2.ch.pool.ntp.org
>>>> server 3.ch.pool.ntp.org
>>>>
>>>> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>>>> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>>>>
>>>> restrict 127.0.0.1
>>>> restrict ::1
>>>>
>>>> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>>>> broadcast 192.168.123.255
>>>>
>>>> /etc/bind/named.conf
>>>> --------------------
>>>> include "/etc/bind/named.conf.options";
>>>> include "/etc/bind/named.conf.local";
>>>> include "/etc/bind/named.conf.default-zones";
>>>> include "/var/lib/samba/private/named.conf";
>>>>
>>>> /etc/bind/named.conf.options
>>>> ----------------------------
>>>> options {
>>>>     directory "/var/cache/bind";
>>>>
>>>>     forwarders {
>>>>         192.168.1.185;
>>>>     };
>>>>
>>>>     dnssec-validation auto;
>>>>
>>>>     auth-nxdomain no;
>>>>     allow-query { localhost; any; };
>>>>     listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>>>>     listen-on-v6 { any; };
>>>> };
>>>>
>>>> /etc/bind/named.conf.local
>>>> --------------------------
>>>> is empty
>>>>
>>>> /etc/bind/named.conf.default-zones
>>>> ----------------------------------
>>>> zone "." {
>>>>     type hint;
>>>>     file "/etc/bind/db.root";
>>>> };
>>>>
>>>> zone "localhost" {
>>>>     type master;
>>>>     file "/etc/bind/db.local";
>>>> };
>>>>
>>>> zone "127.in-addr.arpa" {
>>>>     type master;
>>>>     file "/etc/bind/db.127";
>>>> };
>>>>
>>>> zone "0.in-addr.arpa" {
>>>>     type master;
>>>>     file "/etc/bind/db.0";
>>>> };
>>>>
>>>> zone "255.in-addr.arpa" {
>>>>     type master;
>>>>     file "/etc/bind/db.255";
>>>> };
>>>>
>>>> /var/lib/samba/private/named.conf
>>>> ---------------------------------
>>>> zone "trs-ch.com." IN {
>>>>     type master;
>>>>     file "/var/lib/samba/private/dns/trs-ch.com.zone";
>>>>     include "/var/lib/samba/private/named.conf.update";
>>>>     check-names ignore;
>>>> };
>>>>
>>>> resolv.conf
>>>> -----------
>>>> search trs-ch.com
>>>> nameserver 192.168.1.17
>>>> nameserver 192.168.1.7
>>>>
>>>> krb5.conf
>>>> ---------
>>>> [libdefaults]
>>>> default_realm = TRS-CH.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> [realms]
>>>> TRS-CH.COM = {
>>>>     kdc = 192.168.1.17
>>>>     admin_server = 192.168.1.17
>>>>     default_domain = trs-ch.com
>>>> }
>>>> [TRS-CH.COM]
>>>> .trs-ch.com = TRS-CH.COM
>>>> trs.ch.com
>>>> TRS-CH.COM
>>>>
>>>> Thank you for your time!
>>>>
>>>> Cheers,
>>>> Guy-Laurent
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba

I think you missed this:

/var/lib/samba/private/named.conf
---------------------------------
zone "trs-ch.com." IN {
    type master;
    file "/var/lib/samba/private/dns/trs-ch.com.zone";
    include "/var/lib/samba/private/named.conf.update";
    check-names ignore;
};

On my wheezy DC:

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    #database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Rowland
Guy-Laurent Subri
2015-Oct-28 13:21 UTC
[Samba] net ads info: failed to get server's current time
Thanks for the script. I ran it. So all my config regarding NTP should
be ok, if I understood correctly ?

Cheers,
Guy-Laurent
L.P.H. van Belle
2015-Oct-28 13:45 UTC
[Samba] net ads info: failed to get server's current time
Hai Guy,

Yes, it makes a backup of your previous version so you can revert if needed.

And review your config after you run it, you might see this line:
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
( check if you don't see mssntp 2 x, if so, remove 1 of them )
This is because normally this is run against a "default" ntp.conf

And change the variables in the script where needed before running it.

Below is my ntp.conf after running the script on a DC !
Member server ntp.conf is a bit different
And from a default/clean/unmodded ntp.conf. !

Review it or run the script.
( more about these scripts https://secure.bazuin.nl/scripts/ )

If reviewed manually, don't forget the rights on
/var/lib/samba/ntp_signd
drwxr-x--- 2 root ntp 4096 Oct 16 16:58 ntp_signd

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
server ntp1.nl.net

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

# Xen guest adjustments
#dispersion 1.000: Ignore high jitters and offsets as local clock dirfts wildly on xen
#panic 0: set time even if time shift is more than 1000 seconds
tinker panic 0 dispersion 1.000

interface listen lo

interface listen eth0
interface ignore wildcard
interface ignore ipv6

###### Needed for Samba 4
####### in the restrict -4 or -6 added mssntp at the end
# Location of the samba ntp_signed directory
ntpsigndsocket /var/lib/samba/ntp_signd
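The manual review described in this message (the `ntpsigndsocket` line, `mssntp` present exactly once on each `restrict ... default` line, and `root:ntp` with mode 750 on the signing directory) can be scripted. The following is an added example, not part of any poster's message or of the script in this thread; the function names and the sample config are constructed here, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example: audit the ntpd settings a Samba AD DC needs for signed time.
# Function names and the sample config below are constructed for illustration.

# Reads an ntp.conf on stdin; prints one finding per line, nothing if it passes.
# $1: expected signing-socket directory (default: the path used in this thread).
audit_ntp_conf() {
    awk -v signd="${1:-/var/lib/samba/ntp_signd}" '
        { sub(/#.*/, "") }              # strip comments; awk re-splits the fields
        NF == 0 { next }                # skip blank and comment-only lines
        $1 == "ntpsigndsocket" {
            seen_socket = 1
            path = $2; sub(/\/$/, "", path)
            if (path != signd)
                print "WRONG: ntpsigndsocket " $2 " (expected " signd ")"
        }
        $1 == "restrict" {
            is_default = 0; n = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "default") is_default = 1
                if ($i == "mssntp")  n++
            }
            if (is_default) {
                defaults++
                if (n == 0) print "MISSING: mssntp on line " NR ": " $0
                if (n > 1)  print "DUPLICATE: mssntp appears " n " times on line " NR
            }
        }
        $1 == "server" || $1 == "pool" { sources++ }
        END {
            if (!seen_socket) print "MISSING: ntpsigndsocket " signd
            if (!defaults)    print "MISSING: no restrict default line"
            if (!sources)     print "MISSING: no server or pool line"
        }
    '
}

# Checks the directory shared by ntpd and Samba: owner, group and mode
# (root:ntp and 750 are the values given in the thread). Needs GNU stat.
audit_signd_dir() {
    dir=${1:-/var/lib/samba/ntp_signd}
    want_owner=${2:-root}
    want_group=${3:-ntp}
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 0
    fi
    set -- $(stat -c '%a %U %G' "$dir")
    [ "$1" = 750 ] || echo "MODE: $dir is $1, expected 750"
    [ "$2" = "$want_owner" ] || echo "OWNER: $dir is owned by $2, expected $want_owner"
    [ "$3" = "$want_group" ] || echo "GROUP: $dir has group $3, expected $want_group"
    return 0
}

# Constructed sample: mssntp doubled on the -4 line, absent on the -6 line,
# and no ntpsigndsocket directive at all.
sample_conf() {
    cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server ntp1.nl.net
# mssntp doubled: the sed edit was applied to a line that already had it
restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
}

# Demo on the constructed sample. On a DC: audit_ntp_conf < /etc/ntp.conf
sample_conf | audit_ntp_conf
```

On a domain controller, run `audit_ntp_conf < /etc/ntp.conf` and `audit_signd_dir` as root; empty output from both means the settings discussed in the thread are in place.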
Guy-Laurent Subri
2015-Oct-28 14:01 UTC
[Samba] net ads info: failed to get server's current time
Reviewing the file, I didn't see any differences between before and
after the script. I guess this means my NTP config was already fine?

Cheers,
Guy-Laurent

On Wed, Oct 28, 2015 at 02:45:21PM +0100, L.P.H. van Belle wrote:

Hai Guy-Laurent, .... ;)

>
>Yes, it makes a backup of your previous version so you can revert if needed.
>
>And review your config after you run it, you might see this line:
>restrict -4 default kod notrap nomodify nopeer noquery mssntp mssntp
>( check if you don't see mssntp 2 x, if so, remove 1 of them )
>This is because normally this is run against a "default" ntp.conf
>
>And change the variables in the script where needed before running it.
>
>
>Below is my ntp.conf after running the script on a DC !
>Member server ntp.conf is a bit different
>And from a default/clean/unmodded ntp.conf. !
>
>Review it or run the script.
>( more about these scripts https://secure.bazuin.nl/scripts/ )
>
>If reviewed manually, don't forget the rights on
>/var/lib/samba/ntp_signd
>drwxr-x--- 2 root ntp 4096 Oct 16 16:58 ntp_signd

I have the right permissions on this directory.

># /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
>
>driftfile /var/lib/ntp/ntp.drift
>
>
># Enable this if you want statistics to be logged.
>#statsdir /var/log/ntpstats/
>
>statistics loopstats peerstats clockstats
>filegen loopstats file loopstats type day enable
>filegen peerstats file peerstats type day enable
>filegen clockstats file clockstats type day enable
>
>
># You do need to talk to an NTP server or two (or three).
>server ntp1.nl.net
>
># pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
># pick a different set every time it starts up. Please consider joining the
># pool: <http://www.pool.ntp.org/join.html>
>#server 0.debian.pool.ntp.org iburst
>#server 1.debian.pool.ntp.org iburst
>#server 2.debian.pool.ntp.org iburst
>#server 3.debian.pool.ntp.org iburst
>
>
># Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
># details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
># might also be helpful.
>#
># Note that "restrict" applies to both servers and clients, so a configuration
># that might be intended to block requests from certain clients could also end
># up blocking replies from your own upstream servers.
>
># By default, exchange time with everybody, but don't allow configuration.
>restrict -4 default kod notrap nomodify nopeer noquery mssntp
>restrict -6 default kod notrap nomodify nopeer noquery mssntp
>
># Local users may interrogate the ntp server more closely.
>restrict 127.0.0.1
>restrict ::1
>
># Clients from this (example!) subnet have unlimited access, but only if
># cryptographically authenticated.
>#restrict 192.168.123.0 mask 255.255.255.0 notrust
>
>
># If you want to provide time to your local subnet, change the next line.
># (Again, the address is an example only.)
>#broadcast 192.168.123.255
>
># If you want to listen to time broadcasts on your local subnet, de-comment the
># next lines. Please do this only if you trust everybody on the network!
>#disable auth >#broadcastclient > ># Xen guest adjustments >#dispersion 1.000: Ignore high jitters and offsets as local clock dirfts wildly on xen >#panic 0: set time even if time shift is more than 1000 seconds >tinker panic 0 dispersion 1.000 > >interface listen lo > >interface listen eth0 >interface ignore wildcard >interface ignore ipv6 > >###### Needed for Samba 4 >####### in the restrict -4 or -6 added mssntp at the end ># Location of the samba ntp_signed directory >ntpsigndsocket /var/lib/samba/ntp_signd > > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Guy-Laurent Subri >> Verzonden: woensdag 28 oktober 2015 14:21 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] net ads info: failed to get server's current time >> >> Thanks for the script. I ran it. So all my config regarding NTP should >> be ok, if I understood correctly ? >> >> Cheers, >> Guy-Laurent >> On Wed, Oct 28, 2015 at 11:33:14AM +0100, L.P.H. van Belle wrote: >> >Hai, >> > >> > >> >Copy the code and Set these variable >> >Run the script, restart samba and login again with an pc. >> >Should work now, your missing something and. Your not using good ntp >> servers. >> > >> >#!/bin/bash >> >########## NTP Settings needed for a correct funtioning samba AD DC >> server >> >## Set to 1 installs the ntp server. (default is ok ) >> >## (default is ok ) >> >NTPD_INSTALL="1" >> ># if you run the server on a XEN Server, set to 1. >> >NTPD_XEN_GUEST="0" >> >## important look for a stratum 1 server in your area >> >## for a server joining a domain put the ip of the AD server here. >> >## see also http://support.ntp.org/bin/view/Servers/StratumOneTimeServers >> >## (default is not ok, change this one to a ntp in your country ) >> >NTPD_SERVER1_EXTERNAL="ntp1.nl.net" >> >## if you dont have a second ntp server leave empty >> >NTPD_SERVER2_EXTERNAL="" >> >## restrict ntpd bind to which interfaces. >> >## choose, multple options are allowed. 
>> >## the options are: lo eth(0..9) wildcard ipv6
>> >## (default is ok, if you interface name is eth0 and you dont use ipv6. )
>> >NTPD_RESTRICT_INTERFACE="lo eth0"
>> >NTPD_RESTRICT_INTERFACE_IGNORE="wildcard ipv6"
>> >## default for sernet samba and debian samba ( should normaly not be changed )
>> >SAMBA_NTP_SIGNPATH="/var/lib/samba/ntp_signd"
>> >## debian default, leave it as is.
>> >NTPD_GROUP="ntp"
>> >
>> >
>> >########### NTP
>> >apt-get -y --no-install-recommends install ntp
>> >cp /etc/ntp.conf /etc/ntp.conf.backup
>> >echo " " >> /etc/ntp.conf
>> >for x in 0 1 2 3 ; do sed -i "s]server ${x}.debian]#server ${x}.debian]g" /etc/ntp.conf ; done
>> >for i in ${NTPD_RESTRICT_INTERFACE} ; do echo " " >> /etc/ntp.conf; echo "interface listen ${i}" >> /etc/ntp.conf; done
>> >for i2 in ${NTPD_RESTRICT_INTERFACE_IGNORE} ; do echo "interface ignore ${i2}" >> /etc/ntp.conf; done
>> >## setup the ntp source server.
>> >if [ ! -z "${NTPD_SERVER1_EXTERNAL}" ]; then sed -i "s]#server ntp.your-provider.example]server ${NTPD_SERVER1_EXTERNAL} ]g" /etc/ntp.conf; fi
>> >if [ ! -z "${NTPD_SERVER2_EXTERNAL}" ]; then echo "server ${NTPD_SERVER2_EXTERNAL}" /etc/ntp.conf; fi
>> >sed -i "s]restrict -4 default kod notrap nomodify nopeer noquery]restrict -4 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>> >sed -i "s]restrict -6 default kod notrap nomodify nopeer noquery]restrict -6 default kod notrap nomodify nopeer noquery mssntp]g" /etc/ntp.conf
>> >cat << EOF >> /etc/ntp.conf
>> >
>> >ntpsigndsocket /var/lib/samba/ntp_signd
>> >
>> >EOF
>> >
>> >install -o root -g $NTPD_GROUP -m 0750 -d /var/lib/samba/ntp_signd
>> >service ntp start
>> >
>> >
>> >> -----Original message-----
>> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Guy-Laurent Subri
>> >> Sent: Wednesday, 28 October 2015 11:09
>> >> To: Rowland Penny
>> >> CC: sambalist
>> >> Subject: Re: [Samba] net ads info: failed to get server's current time
>> >>
>> >> On Thu, Oct 22, 2015 at 10:53:30PM +0100, Rowland Penny wrote:
>> >> >On 22/10/15 22:33, Guy-Laurent Subri wrote:
>> >> >> On Thu, Oct 22, 2015 at 10:13:01PM +0100, Rowland Penny wrote:
>> >> >>> On 22/10/15 21:51, Guy-Laurent Subri wrote:
>> >> >>>> On Wed, Oct 21, 2015 at 07:06:33PM +0100, Rowland Penny wrote:
>> >> >>>>> On 21/10/15 18:35, Guy-Laurent Subri wrote:
>> >> >>>>>> Hi all,
>> >> >>>>>> We're having issues with Samba at work. I've searched a bit and the only
>> >> >>>>>> thing that have caught my eye is this: when I run the 'net ads info'
>> >> >>>>>> command on our DC --we have a Debian on which samba4 is installed and
>> >> >>>>>> configured as a AD DC-- I have the message "Failed to get server's
>> >> >>>>>> current time!", and "Server time: Thu, 01 Jan 1970 01:00:00 CET".
>> >> >>>>>
>> >> >>>>> It works for me on a Debian 4.1.17 DC, so you may have something
>> >> >>>>> mis-configured, have you altered the smb.conf in any way ?
>> >> >>>>
>> >> >>>> I don't think the modifications I did to smb.conf are relevant enough to
>> >> >>>> cause problem, but here's our smb.conf, just in case:
>> >> >>>>
>> >> >>>> # Global parameters
>> >> >>>> [global]
>> >> >>>> workgroup = TRS-CH
>> >> >>>> realm = TRS-CH.COM
>> >> >>>> netbios name = PDC
>> >> >>>> server role = active directory domain controller
>> >> >>>> server services = +s3fs, +rpc, +nbt, +wrepl, +ldap, +cldap, +kdc, +drepl, +winbind, +ntp_signd, +kcc, +dnsupdate
>> >> >>>> [netlogon]
>> >> >>>> path = /var/lib/samba/sysvol/trs-ch.com/scripts
>> >> >>>> read only = No
>> >> >>>>
>> >> >>>> [sysvol]
>> >> >>>> path = /var/lib/samba/sysvol
>> >> >>>> read only = No
>> >> >>>>
>> >> >>>>> do you have ntp installed and configured correctly ?
>> >> >>>> Yes, I have it installed and everything works fine.
>> >> >>>>
>> >> >>>> I also already tested the DNS by running the commands described here:
>> >> >>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>> >> >>>>
>> >> >>>> Everything is reachable.
>> >> >>>>
>> >> >>>> I tested kerberos by doing:
>> >> >>>> 'kinit administrator at TRS-CH.COM'
>> >> >>>> It showed up when I did 'klist'.
>> >> >>>>
>> >> >>>> Do you need more information ?
>> >> >>>>
>> >> >>>> Thanks !
>> >> >>>> Cheers,
>> >> >>>> Guy-Laurent Subri
>> >> >>>
>> >> >>> Are you running with Bind9 ?
>> >> >>>
>> >> >>> I think you need to remove all the '+' signs you have added to the
>> >> >>> 'server services' line, you normally only use the '+' sign to add a
>> >> >>> service to the line, I think you may still be using the un-shown 'dns'
>> >> >>> option.
>> >> >>> I would also recommend that you use the new separate 'winbindd' instead
>> >> >>> of the 'winbind' that you are using. I think that before long the old
>> >> >>> 'winbind' built into the samba daemon is going to disappear, so you
>> >> >>> might as well get used to it now.
>> >> >> Yes, I'm running Bind9.
>> >> >> If I either remove the + signs or change 'windbind' to 'windbindd' I
>> >> >> cannot contact the server again. (The result of the command 'net ads
>> >> >> info' is : no logon servers, didn't find the ldap server).
>> >> >>
>> >> >> Cheers,
>> >> >> Guy-Laurent Subri
>> >> >
>> >> >OK, I have just joined a new DC to my domain and I am using Bind9 and
>> >> >this is what I have in smb.conf:
>> >> >
>> >> >server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> >> >winbindd, ntp_signd, kcc, dnsupdate
>> >> >
>> >> >Note the lack of '+' signs
>> >> >
>> >> >This is with Samba 4.3.1
>> >> My version of Samba is 4.1.17. I don't think this changes anything, but
>> >> I can try to upgrade if needed.
>> >> >I have also checked and 'net ads info' works as well, so if yours isn't
>> >> >working, then something else is wrong, can you post your ntp.conf and
>> >> >bind9 conf files, also your /etc/resolv.conf & /etc/krb5.conf
>> >> >
>> >> >Rowland
>> >>
>> >> Here are the files:
>> >>
>> >> /etc/ntp.conf
>> >> -------------
>> >> driftfile /var/lib/ntp/ntp.drift
>> >> ntpsigndsocket /var/lib/samba/ntp_signd
>> >>
>> >> statsdir /var/log/ntpstats/
>> >>
>> >> server 0.ch.pool.ntp.org
>> >> server 1.ch.pool.ntp.org
>> >> server 2.ch.pool.ntp.org
>> >> server 3.ch.pool.ntp.org
>> >>
>> >> restrict -4 default kod notrap nomodify nopeer noquery mssntp
>> >> restrict -6 default kod notrap nomodify nopeer noquery mssntp
>> >>
>> >> restrict 127.0.0.1
>> >> restrict ::1
>> >>
>> >> restrict 0.ch.pool.ntp.org mask 255.255.255 nomodify notrap nopeer noquery
>> >>
>> >> broadcast 192.168.123.255
>> >>
>> >> /etc/bind/named.conf
>> >> --------------------
>> >> include "/etc/bind/named.conf.options";
>> >> include "/etc/bind/named.conf.local";
>> >> include "/etc/bind/named.conf.default-zones";
>> >> include "/var/lib/samba/private/named.conf";
>> >>
>> >> /etc/bind/named.conf.options
>> >> ----------------------------
>> >> options {
>> >>     directory "/var/cache/bind";
>> >>
>> >>     forwarders {
>> >>         192.168.1.185;
>> >>     };
>> >>
>> >>     dnssec-validation auto;
>> >>
>> >>     auth-nxdomain no;
>> >>     allow-query { localhost; any; };
>> >>     listen-on port 53 { 127.0.0.1; 192.168.1.17; };
>> >>     listen-on-v6 { any; };
>> >> };
>> >>
>> >> /etc/bind/named.conf.local
>> >> --------------------------
>> >> is empty
>> >>
>> >> /etc/bind/named.conf.default-zones
>> >> ----------------------------------
>> >> zone "." {
>> >>     type hint;
>> >>     file "/etc/bind/db.root";
>> >> };
>> >>
>> >> zone "localhost" {
>> >>     type master;
>> >>     file "/etc/bind/db.local";
>> >> };
>> >>
>> >> zone "127.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.127";
>> >> };
>> >>
>> >> zone "0.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.0";
>> >> };
>> >>
>> >> zone "255.in-addr.arpa" {
>> >>     type master;
>> >>     file "/etc/bind/db.255";
>> >> };
>> >>
>> >> /var/lib/samba/private/named.conf
>> >> ---------------------------------
>> >> zone "trs-ch.com." IN {
>> >>     type master;
>> >>     file "/var/lib/samba/private/dns/trs-ch.com.zone";
>> >>     include "/var/lib/samba/private/named.conf.update";
>> >>     check-names ignore;
>> >> };
>> >>
>> >> resolv.conf
>> >> -----------
>> >> search trs-ch.com
>> >> nameserver 192.168.1.17
>> >> nameserver 192.168.1.7
>> >>
>> >> krb5.conf
>> >> ---------
>> >> [libdefaults]
>> >> default_realm = TRS-CH.COM
>> >> dns_lookup_realm = false
>> >> dns_lookup_kdc = true
>> >> [realms]
>> >> TRS-CH.COM = {
>> >> kdc = 192.168.1.17
>> >> admin_server = 192.168.1.17
>> >> default_domain = trs-ch.com
>> >> }
>> >> [TRS-CH.COM]
>> >> .trs-ch.com = TRS-CH.COM
>> >> trs.ch.com
>> >> TRS-CH.COM
>> >>
>> >> Thank you for your time!
>> >>
>> >> Cheers,
>> >> Guy-Laurent
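
The manual review steps from the message above (exactly one `mssntp` on each default `restrict` line, an `ntpsigndsocket` directive, and `root:ntp` with mode 0750 on the `ntp_signd` directory), as an added shell example that is not part of the thread. The function names and finding labels are my own, it assumes an ntp.conf with both `-4` and `-6` default lines like the ones posted, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example, not from the thread: audit ntp.conf and the ntp_signd
# directory for the Samba AD DC settings discussed above.
# Usage: check_ntp_conf /etc/ntp.conf; check_signd_dir /var/lib/samba/ntp_signd

# check_ntp_conf FILE: print one finding per line; return 1 if any were found.
check_ntp_conf() {
    local conf="$1" bad=0 fam line word count
    for fam in -4 -6; do
        # First active (uncommented) default restrict line for this family.
        line=$(grep -E -- "^[[:space:]]*restrict[[:space:]]+${fam}[[:space:]]+default" "$conf" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING: restrict ${fam} default"; bad=1; continue
        fi
        count=0
        for word in $line; do   # unquoted on purpose: split the line into words
            if [ "$word" = "mssntp" ]; then count=$((count + 1)); fi
        done
        if [ "$count" -eq 0 ]; then
            echo "NO_MSSNTP: restrict ${fam} default"; bad=1
        elif [ "$count" -gt 1 ]; then
            echo "DUPLICATE_MSSNTP: restrict ${fam} default"; bad=1
        fi
    done
    # ntpd must be told where Samba's signing socket directory is.
    if ! grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/' "$conf"; then
        echo "MISSING: ntpsigndsocket"; bad=1
    fi
    return "$bad"
}

# check_signd_dir DIR [OWNER] [GROUP]: expect OWNER:GROUP with mode 750
# (drwxr-x---), matching the listing quoted in the thread. Uses GNU stat.
check_signd_dir() {
    local dir="$1" owner="${2:-root}" group="${3:-ntp}" actual
    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR: $dir"; return 1
    fi
    actual=$(stat -c '%U:%G %a' "$dir")
    if [ "$actual" != "${owner}:${group} 750" ]; then
        echo "BAD_PERMS: $dir is $actual, expected ${owner}:${group} 750"
        return 1
    fi
    return 0
}
```

A doubled `mssntp`, which the message warns about after running the script against an already modified file, is reported as `DUPLICATE_MSSNTP`; a commented-out directive counts as missing.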