It appears that none of our windows clients are syncing their time with the samba DC. From what I can tell they are not able to get a response from the DC. For example, where the DC is named athena:

>w32tm /monitor /computers:athena
athena[10.10.1.10:123]
  ICMP: 0ms delay
  NTP: error ERROR_TIMEOUT - no response from server in 1000ms

From a Linux machine there is also no response:

ntpdate -q athena
24 Oct 16:47:41 ntpdate[33581]: no server suitable for synchronization found

Here is the DC /etc/ntpsec/ntp.conf:

# Where to retrieve the time from
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer

driftfile       /var/lib/ntpsec/ntp.drift
logfile         /var/log/ntp.log
#logconfig =all
ntpsigndsocket  /var/lib/samba/ntp_signd/

# Access control
# Default restriction: Allow clients only to query the time
#restrict default kod nomodify notrap nopeer limited mssntp
restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

My DC is using Debian 11 and the Samba package from Debian.

Any ideas on what the problem is?

--
Ham

Hi there,

In my experience NTP has been trouble lately with the NTPsec implementation. A few months back I decided to remove NTPsec and go with Chrony. These are my notes:

http://samba.bigbird.es/doku.php?id=samba:install-chrony

Hope it helps.

On Oct 25, 2023 at 19:04 +0200, Ham <ham at kc0dxf.net>, wrote:
>
> Any ideas on what the problem is?

> On 10/25/2023 9:53 AM PDT Ham via samba <samba at lists.samba.org> wrote:
>
> It appears that none of our windows clients are syncing their time with
> the samba DC. From what I can tell they are not able to get a
> response from the DC. For example, where the DC is named athena:
>
> >w32tm /monitor /computers:athena
> athena[10.10.1.10:123]
>   ICMP: 0ms delay
>   NTP: error ERROR_TIMEOUT - no response from server in 1000ms
>
> From a Linux machine there is also no response:
>
> ntpdate -q athena
> 24 Oct 16:47:41 ntpdate[33581]: no server suitable for synchronization found
>
> Here is the DC /etc/ntpsec/ntp.conf:
>
> # Where to retrieve the time from
> server 0.pool.ntp.org     iburst prefer
> server 1.pool.ntp.org     iburst prefer
> server 2.pool.ntp.org     iburst prefer
>
> driftfile       /var/lib/ntpsec/ntp.drift
> logfile         /var/log/ntp.log
> #logconfig =all
> ntpsigndsocket  /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> #restrict default kod nomodify notrap nopeer limited mssntp
> restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> # No restrictions for "localhost"
> restrict 127.0.0.1
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> My DC is using Debian 11 and the Samba package from Debian.
>
> Any ideas on what the problem is?

The version of NTPsec that ships with Debian Bookworm has broken MS-SNTP support; no one here wants to help. I would suggest turning off the mssntp restrict in default before listening to the vitriolic shitstorm a couple of people here will unleash. Or you can follow the bleating; using chrony and crapping on NTPsec.

On Wed, 25 Oct 2023 11:53:07 -0500 Ham via samba <samba at lists.samba.org> wrote:
> It appears that none of our windows clients are syncing their time
> with the samba DC. From what I can tell they are not able to get a
> response from the DC. For example, where the DC is named athena:
>
> >w32tm /monitor /computers:athena
> athena[10.10.1.10:123]
>   ICMP: 0ms delay
>   NTP: error ERROR_TIMEOUT - no response from server in 1000ms
>
> From a Linux machine there is also no response:
>
> ntpdate -q athena
> 24 Oct 16:47:41 ntpdate[33581]: no server suitable for synchronization found
>
> Here is the DC /etc/ntpsec/ntp.conf:
>
> # Where to retrieve the time from
> server 0.pool.ntp.org     iburst prefer
> server 1.pool.ntp.org     iburst prefer
> server 2.pool.ntp.org     iburst prefer
>
> driftfile       /var/lib/ntpsec/ntp.drift
> logfile         /var/log/ntp.log
> #logconfig =all
> ntpsigndsocket  /var/lib/samba/ntp_signd/
>
> # Access control
> # Default restriction: Allow clients only to query the time
> #restrict default kod nomodify notrap nopeer limited mssntp
> restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> # No restrictions for "localhost"
> restrict 127.0.0.1
> # Enable the time sources to only provide time to this host
> restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
>
> My DC is using Debian 11 and the Samba package from Debian.
>
> Any ideas on what the problem is?
>

Yes, ntpsec has replaced ntp and they (ntpsec) seem to have broken ntp_signd. They also do not seem to be able to fix it. I also found out that when the code was written to connect ntp and Samba, a Linux client was never written.

Just use Chrony.

Rowland
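
An added example, not written by any poster in this thread: both probes in the original post report only that nothing came back on UDP 123, and because the posted restrict line combines `kod` and `limited`, it helps to tell a dropped request apart from a Kiss-o'-Death or unsynchronized reply. The Python below sends one plain, unsigned NTP client request (an assumption: it does not exercise the signed MS-SNTP path that ntp_signd serves) and classifies whatever returns; the sample packets are constructed, not captured.

```python
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_request(version=4):
    """48-byte unsigned client request: LI=0, VN=version, Mode=3."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_reply(data):
    """Classify a server reply before trusting its timestamp."""
    if len(data) < 48:
        return {"status": "malformed"}
    leap, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    if mode != 4:
        return {"status": "not-a-server-reply", "mode": mode}
    if stratum == 0:
        # Kiss-o'-Death: the reference ID is an ASCII code such as RATE or DENY
        return {"status": "kod", "code": data[12:16].decode("ascii", "replace")}
    if leap == 3:
        return {"status": "unsynchronized", "stratum": stratum}
    sec, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {"status": "ok", "stratum": stratum,
            "unix_time": sec - NTP_TO_UNIX + frac / 2**32}

def probe(host, port=123, timeout=1.0):
    """Send one request; 'timeout' is the case both tools in the thread reported."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, port))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return {"status": "timeout"}
        except OSError as exc:
            return {"status": "error", "detail": str(exc)}
    return parse_reply(data)

def _sample(first, stratum, refid=bytes(4), tx_seconds=0):
    """Constructed 48-byte reply for offline checks (not captured traffic)."""
    return (bytes([first, stratum]) + bytes(10) + refid + bytes(24)
            + struct.pack("!II", tx_seconds, 0))

SAMPLE_OK = _sample(0x24, 2, tx_seconds=1698191261 + NTP_TO_UNIX)  # LI=0 VN=4 Mode=4
SAMPLE_KOD = _sample(0xE4, 0, refid=b"RATE")                       # LI=3, stratum 0

if __name__ == "__main__":
    print(parse_reply(SAMPLE_OK), parse_reply(SAMPLE_KOD))
    print(probe("athena"))  # DC name from the original post
```

A `timeout` result when run on the DC itself against 127.0.0.1 points at the daemon or its restrict rules rather than a firewall in between.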