Viktor Trojanovic
2019-Nov-14 18:54 UTC
[Samba] I can't get Win10 clients to sync time with the DC
I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
and just noticed that the clients are not synchronizing time with the
server. I'm not sure why not.
My setup is a bit special in that the DC is running inside a (privileged)
Linux container. For that reason, it's not possible or necessary for the
container to correct the system clock, this is done on the container host
using ntp. But the DC should provide time to clients connected to the
domain just as in a regular setup.
Naturally, I followed the guide in the wiki with the exception that I
didn't set external servers to get time from. My ntp.conf looks like this
(it really is called ntp.conf on Ubuntu, not ntpd.conf):
server 127.127.1.0
fudge 127.127.1.0 stratum 1
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
restrict -6 default kod notrap nomodify nopeer noquery limited mssntp
restrict 127.0.0.1
restrict ::1
tinker panic 0
I've checked and rechecked this configuration, I can't see an issue with
it. And ntpd does seem to start properly:
Nov 14 16:58:45 DC1 ntpd[32172]: ntpd 4.2.8p10 at 1.3728-o (1): Starting
Nov 14 16:58:45 DC1 ntpd[32172]: Command line: /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:118
Nov 14 16:58:45 DC1 systemd[1]: Started Network Time Service.
Nov 14 16:58:45 DC1 ntpd[32175]: proto: precision = 0.073 usec (-24)
Nov 14 16:58:45 DC1 ntpd[32175]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 0 v6wildcard [::]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 2 lo 127.0.0.1:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 3 eth0 192.168.1.2:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 4 lo [::1]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listen normally on 5 eth0 [fe80::216:3eff:feb4:414e%10]:123
Nov 14 16:58:45 DC1 ntpd[32175]: Listening on routing socket on fd #22 for interface updates
The command ntpq shows that the local clock is accepted to be
authoritative:
root@DC1:~# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.1.0     .LOCL.           1 l   30   64  377    0.000    0.000   0.000
On the Windows client, I can query the server alright:
C:\WINDOWS\system32>w32tm /monitor
DC1.samdom.example.com *** PDC ***[192.168.1.2:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from DC1.samdom.example.com
RefID: (unknown) [0x00017F7F]
Stratum: 2
C:\WINDOWS\system32>w32tm /stripchart /computer:dc1 /dataonly /samples:5
Tracking dc1 [192.168.1.2:123].
Collecting 5 samples.
The current time is 14.11.2019 19:39:49.
19:39:49, -02.9196934s
19:39:51, -02.9197052s
19:39:53, -02.9197256s
19:39:55, -02.9197882s
19:39:57, -02.9197818s
However, when I run w32tm /resync /rediscover, it complains that "The
computer did not resync because no time data was available."
I tried so many things on the PC. Restarting the time service,
unregistering the service and registering it again, checking that the time
service is not configured by group or local policy (it is not), running
w32tm /config /syncfromflags:domhier /update, and last but not least,
rebooting to no end.
This is not on a laptop, this is happening on computers constantly
connected to the host and therefore the DC via ethernet.
Oh, and before I forget, here is my smb.conf, though the AD is otherwise
functioning without issues:
[global]
dns forwarder = 192.168.1.1
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
I'd really appreciate a nudge in the right direction.
Viktor
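Added example, not part of the thread and not Samba or ntpd code: a small Python decoder for NTP reply packets that makes two details of the output above concrete. First, the "RefID: (unknown) [0x00017F7F]" that w32tm prints is simply the refid bytes 7f 7f 01 00, i.e. the DC's own reference 127.127.1.0, read by w32tm as a little-endian integer; ntpq's "st 1" is the stratum of the LOCL peer, so the DC itself answers at stratum 2, which is exactly what w32tm reports. Second, a domain member syncing via the domain hierarchy asks for an MS-SNTP-signed reply, which is the 48-byte NTP header followed by the standard 20-byte authenticator (4-byte key identifier plus 16-byte MD5 digest, RFC 5905), so whether the DC's reply carries that trailer is the first thing to check on the Linux side. All packets below are constructed; the digest in the signed sample is a stand-in, not a value ntp_signd would produce.

```python
import hashlib
import struct
from datetime import datetime, timezone

NTP_HEADER_LEN = 48
NTP_MAC_LEN = 20             # 4-byte key identifier + 16-byte MD5 digest (RFC 5905 MAC; MS-SNTP uses the same trailer)
NTP_UNIX_DELTA = 2208988800  # seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)


def ntp_ts_to_unix(seconds, fraction):
    """Convert an NTP 64-bit timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def decode_refid(stratum, refid):
    """Stratum 0/1 refids are four ASCII chars (LOCL, INIT, ...); higher strata carry the upstream IPv4 address."""
    if stratum <= 1:
        return refid.decode("ascii", errors="replace").rstrip("\x00")
    return ".".join(str(b) for b in refid)


def w32tm_refid(refid):
    """Render the refid the way 'w32tm /monitor' shows it: the four bytes read as a little-endian uint32."""
    return "0x%08X" % struct.unpack("<I", refid)[0]


def parse_ntp_packet(data):
    """Parse an NTP/SNTP packet and report whether it carries a 20-byte authenticator trailer."""
    if len(data) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (li_vn_mode, stratum, poll, precision, _root_delay, _root_disp, refid,
     _ref_s, _ref_f, _org_s, _org_f, _rx_s, _rx_f, tx_s, tx_f) = struct.unpack(
        "!BBbbII4sIIIIIIII", data[:NTP_HEADER_LEN])
    result = {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,          # 3 = client request, 4 = server reply
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": decode_refid(stratum, refid),
        "refid_w32tm": w32tm_refid(refid),
        "transmit_unix": ntp_ts_to_unix(tx_s, tx_f),
        "signed": False,
    }
    trailer = data[NTP_HEADER_LEN:]
    if len(trailer) == NTP_MAC_LEN:
        result["signed"] = True
        result["key_id_hex"] = trailer[:4].hex()   # MS-SNTP: identifies the computer account used for signing
        result["digest_hex"] = trailer[4:].hex()
    elif trailer:
        result["trailer_len"] = len(trailer)       # neither bare header nor a MD5 MAC: worth a closer look
    return result


def diagnose(reply):
    """Return the reasons a domain member would not take time from this reply (empty list = looks usable)."""
    findings = []
    if reply["mode"] != 4:
        findings.append("mode %d: not a server reply" % reply["mode"])
    if reply["leap"] == 3:
        findings.append("leap indicator 3: server says its clock is unsynchronised; clients discard the reply")
    if reply["stratum"] == 0:
        findings.append("stratum 0 (kiss code %r): server has no usable time source" % reply["refid"])
    if not reply["signed"]:
        findings.append("no 20-byte authenticator: reply is unsigned, so a client that requested "
                        "MS-SNTP-signed time will not accept it")
    return findings


# Constructed transmit time, roughly matching the w32tm stripchart above (19:39:49 local, +0100).
TX_UNIX = int(datetime(2019, 11, 14, 18, 39, 49, tzinfo=timezone.utc).timestamp())


def build_reply(stratum, refid, leap=0, mac=b""):
    """Build a constructed NTPv4 server reply (mode 4) for demonstration; not a captured packet."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    tx_ntp = TX_UNIX + NTP_UNIX_DELTA
    header = struct.pack("!BBbbII4sIIIIIIII", li_vn_mode, stratum, 6, -24, 0, 0, refid,
                         tx_ntp - 64, 0, 0, 0, tx_ntp, 0, tx_ntp, 0)
    return header + mac


# Constructed samples (not captures from the thread):
# 1. what a DC disciplined only by its LOCL clock (fudged to stratum 1) answers when nothing asked for a signature
SAMPLE_UNSIGNED_REPLY = build_reply(2, bytes([127, 127, 1, 0]))
# 2. the same reply with an authenticator; key id and digest are placeholders, a real one comes from ntp_signd
SAMPLE_SIGNED_REPLY = build_reply(2, bytes([127, 127, 1, 0]),
                                  mac=bytes.fromhex("e9030000") + hashlib.md5(b"constructed digest").digest())
# 3. a server that has not synchronised yet
SAMPLE_UNSYNC_REPLY = build_reply(0, b"INIT", leap=3)

if __name__ == "__main__":
    for name, pkt in (("unsigned", SAMPLE_UNSIGNED_REPLY), ("signed", SAMPLE_SIGNED_REPLY),
                      ("unsync", SAMPLE_UNSYNC_REPLY)):
        reply = parse_ntp_packet(pkt)
        print(name, "stratum", reply["stratum"], "refid", reply["refid"], reply["refid_w32tm"])
        for finding in diagnose(reply):
            print("  -", finding)
```

To use it against a real DC, feed `parse_ntp_packet` the reply bytes. Note that ntpd only appends an authenticator when the request carried one (and `mssntp` is in the matching restrict line), so a plain unsigned probe from Linux will always decode as unsigned; the meaningful check is the Windows client's own exchange, captured on the DC with a packet capture on UDP port 123, where a 48-byte reply to a 68-byte request is the signature step failing.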
Marco Gaiarin
2019-Nov-15 15:43 UTC
[Samba] I can't get Win10 clients to sync time with the DC
Hello! Viktor Trojanovic via samba, on that day, said...

> I'd really appreciate a nudge in the right direction.

I run DCs on containers (LXC) too.

Are you sure that ntpd is running? My experience is that, if not
properly configured, ntpd dies after some minutes if it does not have
access to the hardware clock.

You can add the 'sys_time' CAP to the container, or, probably better,
prevent ntpd from reclaiming the hardware clock by adding to ntp.conf:

# don't update the system's clock
disable kernel

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Sérgio Basto
2019-Nov-15 22:16 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On Thu, 2019-11-14 at 19:54 +0100, Viktor Trojanovic via samba wrote:
> I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
> and just noticed that the clients are not synchronizing time with the
> server. I'm not sure why not.
[...]
> However, when I run w32tm /resync /rediscover, it complains that "The
> computer did not resync because no time data was available."

I got the same error when I tried to switch from ntpd to chrony. I'd like
to understand the root cause of this error.

Chrony is the default ntp on RedHat systems since 2011 [1]

[1] https://fedoraproject.org/wiki/Features/ChronyDefaultNTP

> I tried so many things on the PC. Restarting the time service,
> unregistering the service and registering it again, checking that the time
> service is not configured by group or local policy (it is not), running
> w32tm /config /syncfromflags:domhier /update, and last but not least,
> rebooting to no end.
[...]
> I'd really appreciate a nudge in the right direction.
>
> Viktor

-- 
Sérgio M. B.
Viktor Trojanovic
2019-Nov-16 11:26 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 15.11.2019 16:43, Marco Gaiarin via samba wrote:
> Hello! Viktor Trojanovic via samba, on that day, said...
>
>> I'd really appreciate a nudge in the right direction.
> I run DCs on containers (LXC) too.
>
> Are you sure that ntpd is running? My experience is that, if not
> properly configured, ntpd dies after some minutes if it does not have
> access to the hardware clock.
>
> You can add the 'sys_time' CAP to the container, or, probably better,
> prevent ntpd from reclaiming the hardware clock by adding to ntp.conf:
>
> # don't update the system's clock
> disable kernel

Hi Marco,

I already tried both the directives "disable kernel" and "disable ntp", to
no avail. As for your question whether ntpd is really running, yes it is,
it's not dying.

Viktor
Sonic
[Samba] I can't get Win10 clients to sync time with the DC
On Thu, Nov 14, 2019 at 1:56 PM Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I'm running a Samba AD DC v4.9.9 with Windows 10 clients connected to it
> and just noticed that the clients are not synchronizing time with the
> server. I'm not sure why not.
>
> My setup is a bit special in that the DC is running inside a (privileged)
> linux container.

This may or may not lead to a solution as I'm not running the DC in a
privileged container. I run chrony on the host with the socket inside
the container.

chrony.conf on the host contains:
=================
ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
=================

And the DC looks for the socket at (the default location, no statement
in smb.conf):
=================
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
=================

In your case, due to the privileged container, the host may not have
access to the file system in the container (really don't know, haven't
worked with one).
But this is working for me, only one chrony running on the host, which
also serves up time directly but allows samba in the container to use
the socket as well.

Chris
Viktor Trojanovic
2019-Nov-16 15:34 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 16.11.2019 15:17, Sonic wrote:
> On Thu, Nov 14, 2019 at 1:56 PM Viktor Trojanovic via samba
> <samba at lists.samba.org> wrote:
>> My setup is a bit special in that the DC is running inside a (privileged)
>> linux container.
> This may or may not lead to a solution as I'm not running the DC in a
> privileged container. I run chrony on the host with the socket inside
> the container.
> chrony.conf on the host contains:
> =================
> ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
> =================
>
> And the DC looks for the socket at (the default location, no statement
> in smb.conf):
> =================
> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
> =================
[...]
> But this is working for me, only one chrony running on the host, which
> also serves up time directly but allows samba in the container to use
> the socket as well.
>
> Chris

I think you may be confusing privileged with unprivileged containers; what
you describe is perfectly possible with a privileged container but would
be a bit more complicated to set up with an unprivileged one (since the
user ids in the container would be different from the ones on the host).

It seems like this would be worth a shot if no one else comes up with a
better solution. I never used chrony before, how do you tell it not to try
and change the system time? Can you share your whole conf file?

Viktor