samba - Nov 2019 - I can't get Win10 clients to sync time with the DC

On 17.11.2019 15:58, Sonic wrote:
> On Sun, Nov 17, 2019 at 5:37 AM Viktor Trojanovic <viktor at
troja.ch> wrote:
>> I'm not sure I understand your setup. It seems like you are running
>> Chrony on the host only and you just share the socket with the
>> container, no chrony running there.
> Yes, you have it correct. That's exactly what I'm doing.
>
>> So, how can clients query the DC for
>> time? I thought it's the time service (chrony/ntp) that sends the
time
>> to the clients, not Samba itself... or did I get that wrong?
> If Samba is a time server it is sending the time to the clients. If
> Samba isn't sending the time to the client, and it's chrony/ntp
> instead why does it need to be a time server?
> The dhcp server does list the host system as the ntp server (option
> ntp-servers) and that's for the systems that actually accept and use
> that option, mainly 'nix systems, switches, some printers, etc.
> It's really only the DC members that ask for the time from the Samba
server.
>
> If I "run as administrator" a command prompt or power shell and
type
> "net time \\dc.example.com /set /y" with dc.example.com being the
> hostname of the container running Samba the result is "Current time at
> \\dc.example.com is 11/17/2019 9:47:43 AM" "The command completed
> successfully."
> And also as expected my member systems have the same time as the
> container, which of course has the same time as the host.
>
> My thinking is that Samba reads the time from the ntp_signd socket and
> passes that on to the member clients. The host itself, not running
> Samba, has no need for the ntp_signd option it only exists to feed the
> time to Samba. Basically the results speak for themselves unless some
> other weird magic is happening that I have no clue about.
>
> Chris
See, that was not clear to me.. I thought it's the NTP server sending 
time to the AD clients, not Samba. Just to be sure that I haven't missed 
anything: Do you have any setting in smb.conf that specifies that Samba 
should act as time server or not? Or does it just do that automatically 
when it has the role of DC?

By the way, I just ran your command on one of my clients.

C:\WINDOWS\system32>net time \\dc1.samdom.example.com /set
Current time at \\dc1.samdom.example.com is ?17/?11/?2019 16:09:32

Local time (GMT) at \\dc1.samdom.example.com is ?17/?11/?2019 15:09:32

The current local clock is ?17/?11/?2019 16:09:32
Do you want to set the local computer's time to match the
time at \\dc1.samdom.example.com? (Y/N) [Y]: y
The command completed successfully.

If I interpret the result correctly, then everything seems set up right 
on the DC. And still, clients are not syncing time with it... I don't 
get it.

Viktor

I'm going to blame this on my "some other weird magic" phrase. My
clients do indeed have the proper time but I'm not sure why.
Even though the net time argument runs correctly the following it
seems does not:
=========================PS C:\Windows\system32> w32tm /monitor
dc.example.com *** PDC ***[192.168.1.5:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
=========================Clearly the windows time service is expecting to find
port 123 (ntp)
open on the DC, which is not the case here.
So it appears Samba only signs the time but does not provide it.
I'll have to look into why it's working so well for me. Didn't mean
to
lead you down a rabbit hole.

It does appear that you could install and start chronyd with the -x
switch and that should work:
==============-x
This option disables the control of the system clock. chronyd will not
make any adjustments of the clock, but it will still track its offset
and frequency relative to the estimated true time, and be able to
operate as an NTP server. This allows chronyd to run without the
capability to adjust or set the system clock (e.g. in some
containers).
==============It appears this became available in version 3.2, which is not
available to my older distro so I can't test it right away.

Chris

On 17.11.2019 18:10, Sonic wrote:
> I'm going to blame this on my "some other weird magic"
phrase. My
> clients do indeed have the proper time but I'm not sure why.
> Even though the net time argument runs correctly the following it
> seems does not:
> =========================> PS C:\Windows\system32> w32tm /monitor
> dc.example.com *** PDC ***[192.168.1.5:123]:
>      ICMP: 0ms delay
>      NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> =========================> Clearly the windows time service is expecting
to find port 123 (ntp)
> open on the DC, which is not the case here.
> So it appears Samba only signs the time but does not provide it.
> I'll have to look into why it's working so well for me. Didn't
mean to
> lead you down a rabbit hole.
Which begs the question, are you sure that your clients are getting 
their time from the DC? When you open your system time settings (right 
click on the time, press "adjust date/time") , does it confirm that
the
time source is indeed your DC? What is the output of w32tm /query 
/configuration and w32tm /query /status, respectively, on your system?

At any rate, it does seem as if everything is properly configured on my 
end, all these commands yield the expected result. And yet, my clients 
don't sync their time with the DC. If anyone else can chime in here, I'd
appreciate it.

Viktor

On Sun, 2019-11-17 at 12:10 -0500, Sonic via samba
wrote:
> PS C:\Windows\system32> w32tm /monitor
> dc.example.com *** PDC ***[192.168.1.5:123]:
>     ICMP: 0ms delay
>     NTP: error ERROR_TIMEOUT - no response from server in 1000ms
pretty cool command 
I still haven't an ideia why we get "no response from server" (in
my
case just with chrony)

Thanks
-- 
S?rgio M. B.