Viktor Trojanovic
2019-Nov-17 10:37 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 16.11.2019 23:37, Sonic wrote:
> On Sat, Nov 16, 2019 at 10:34 AM Viktor Trojanovic <viktor at troja.ch> wrote:
>> I think you may be confusing privileged with unprivileged containers,
>> what you describe is perfectly possible with a privileged container but
>> would be a bit more complicated to set up with an unprivileged one
>> (since the user id's in the container would be different from the ones
>> on the host).
> Oh yes, you're right. I am running privileged containers. LXC
> containers using Debian (both host and containers).
>
>> It seems like this would be worth a shot if no one else comes up with a
>> better solution. I never used chrony before, how do you tell it not to
>> try and change the system time? Can you share your whole conf file?
> I want it to keep (update/change if/when needed) the system time -
> it's running on the host OS, not in the container. I'm just placing
> the socket inside the container so that samba can also use the socket.
> I was using ntpd but switched to chrony for no specific reason. I'm
> guessing either would work.
> chrony.conf:
> ==========================
> pool us.pool.ntp.org iburst
> keyfile /etc/chrony/chrony.keys
> driftfile /var/lib/chrony/chrony.drift
> logdir /var/log/chrony
> maxupdateskew 100.0
> directive.
> hwclockfile /etc/adjtime
> directive.
> rtcsync
> makestep 1 3
> local stratum 8
> manual
> allow 192.168.1.0/24
> bindcmdaddress 192.168.1.1
> ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
> ==========================
>
> As can be seen the socket for chrony, which is running on the host, is
> inside the container (/mnt/containers/dc/rootfs/), both the host OS
> and the container OS have access to it.
>
> Chris

I'm not sure I understand your setup. It seems like you are running Chrony on the host only and you just share the socket with the container, no chrony running there.

So, how can clients query the DC for time? I thought it's the time service (chrony/ntp) that sends the time to the clients, not Samba itself... or did I get that wrong?

Viktor
On Sun, Nov 17, 2019 at 5:37 AM Viktor Trojanovic <viktor at troja.ch> wrote:
> I'm not sure I understand your setup. It seems like you are running
> Chrony on the host only and you just share the socket with the
> container, no chrony running there.

Yes, you have it correct. That's exactly what I'm doing.

> So, how can clients query the DC for
> time? I thought it's the time service (chrony/ntp) that sends the time
> to the clients, not Samba itself... or did I get that wrong?

If Samba is a time server it is sending the time to the clients. If
Samba isn't sending the time to the client, and it's chrony/ntp
instead why does it need to be a time server?
The dhcp server does list the host system as the ntp server (option
ntp-servers) and that's for the systems that actually accept and use
that option, mainly 'nix systems, switches, some printers, etc.
It's really only the DC members that ask for the time from the Samba server.

If I "run as administrator" a command prompt or power shell and type
"net time \\dc.example.com /set /y" with dc.example.com being the
hostname of the container running Samba the result is "Current time at
\\dc.example.com is 11/17/2019 9:47:43 AM" "The command completed
successfully."
And also as expected my member systems have the same time as the
container, which of course has the same time as the host.

My thinking is that Samba reads the time from the ntp_signd socket and
passes that on to the member clients. The host itself, not running
Samba, has no need for the ntp_signd option it only exists to feed the
time to Samba. Basically the results speak for themselves unless some
other weird magic is happening that I have no clue about.

Chris
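Added example, not part of the thread or of either poster's setup: a check of the shared ntp_signd directory that the chrony.conf quoted above points at, run on the host where chrony lives. It assumes the signing socket is a file named `socket` inside that directory; flagging access for "other" users is this example's own hardening check.

```python
import os
import stat

# Constructed sample: the relevant lines from the chrony.conf quoted in the thread.
SAMPLE_CONF = """\
allow 192.168.1.0/24
ntpsigndsocket /mnt/containers/dc/rootfs/usr/local/samba/var/lib/ntp_signd
"""

def signd_dir(conf_text):
    """Return the directory named by chrony's ntpsigndsocket directive, or None."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!;%":      # chrony comment markers
            continue
        parts = line.split()
        if parts[0].lower() == "ntpsigndsocket" and len(parts) >= 2:
            return parts[1]
    return None

def check_signd(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    directory = signd_dir(conf_text)
    if directory is None:
        return ["no ntpsigndsocket directive in chrony.conf"]
    if not os.path.isdir(directory):
        return [f"{directory}: directory missing"]
    findings = []
    mode = stat.S_IMODE(os.stat(directory).st_mode)
    if mode & 0o007:                            # this example's own hardening check
        findings.append(f"{directory}: mode {mode:o} gives 'other' users access")
    sock = os.path.join(directory, "socket")    # assumed socket file name
    try:
        if not stat.S_ISSOCK(os.stat(sock).st_mode):
            findings.append(f"{sock}: exists but is not a Unix socket")
    except FileNotFoundError:
        findings.append(f"{sock}: missing")
    return findings

if __name__ == "__main__":
    for finding in check_signd(SAMPLE_CONF) or ["nothing flagged"]:
        print(finding)
```
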
Viktor Trojanovic
2019-Nov-17 15:15 UTC
[Samba] I can't get Win10 clients to sync time with the DC
On 17.11.2019 15:58, Sonic wrote:
> On Sun, Nov 17, 2019 at 5:37 AM Viktor Trojanovic <viktor at troja.ch> wrote:
>> I'm not sure I understand your setup. It seems like you are running
>> Chrony on the host only and you just share the socket with the
>> container, no chrony running there.
> Yes, you have it correct. That's exactly what I'm doing.
>
>> So, how can clients query the DC for
>> time? I thought it's the time service (chrony/ntp) that sends the time
>> to the clients, not Samba itself... or did I get that wrong?
> If Samba is a time server it is sending the time to the clients. If
> Samba isn't sending the time to the client, and it's chrony/ntp
> instead why does it need to be a time server?
> The dhcp server does list the host system as the ntp server (option
> ntp-servers) and that's for the systems that actually accept and use
> that option, mainly 'nix systems, switches, some printers, etc.
> It's really only the DC members that ask for the time from the Samba server.
>
> If I "run as administrator" a command prompt or power shell and type
> "net time \\dc.example.com /set /y" with dc.example.com being the
> hostname of the container running Samba the result is "Current time at
> \\dc.example.com is 11/17/2019 9:47:43 AM" "The command completed
> successfully."
> And also as expected my member systems have the same time as the
> container, which of course has the same time as the host.
>
> My thinking is that Samba reads the time from the ntp_signd socket and
> passes that on to the member clients. The host itself, not running
> Samba, has no need for the ntp_signd option it only exists to feed the
> time to Samba. Basically the results speak for themselves unless some
> other weird magic is happening that I have no clue about.
>
> Chris

See, that was not clear to me. I thought it's the NTP server sending time to the AD clients, not Samba.

Just to be sure that I haven't missed anything: Do you have any setting in smb.conf that specifies that Samba should act as time server or not? Or does it just do that automatically when it has the role of DC?

By the way, I just ran your command on one of my clients.

C:\WINDOWS\system32>net time \\dc1.samdom.example.com /set
Current time at \\dc1.samdom.example.com is 17/11/2019 16:09:32
Local time (GMT) at \\dc1.samdom.example.com is 17/11/2019 15:09:32
The current local clock is 17/11/2019 16:09:32
Do you want to set the local computer's time to match the time at \\dc1.samdom.example.com? (Y/N) [Y]: y
The command completed successfully.

If I interpret the result correctly, then everything seems set up right on the DC. And still, clients are not syncing time with it... I don't get it.

Viktor