> On 10/25/2023 11:16 AM PDT Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> On Wed, 25 Oct 2023 11:53:07 -0500
> Ham via samba <samba at lists.samba.org> wrote:
>
> > It appears that none of our Windows clients are syncing their time
> > with the samba DC. From what I can tell they are not able to get a
> > response from the DC. For example, where the DC is named athena:
> >
> > >w32tm /monitor /computers:athena
> >
> > athena[10.10.1.10:123]
> >
> >   ICMP: 0ms delay
> >
> >   NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> >
> > From a Linux machine there is also no response:
> >
> > ntpdate -q athena
> > 24 Oct 16:47:41 ntpdate[33581]: no server suitable for
> > synchronization found
> >
> >
> > Here is the DC /etc/ntpsec/ntp.conf:
> >
> > # Where to retrieve the time from
> > server 0.pool.ntp.org     iburst prefer
> > server 1.pool.ntp.org     iburst prefer
> > server 2.pool.ntp.org     iburst prefer
> >
> > driftfile       /var/lib/ntpsec/ntp.drift
> > logfile         /var/log/ntp.log
> > #logconfig =all
> > ntpsigndsocket  /var/lib/samba/ntp_signd/
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > #restrict default kod nomodify notrap nopeer limited mssntp
> > restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> > restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
> >
> >
> > My DC is using Debian 11 and the Samba package from Debian.
> >
> > Any ideas on what the problem is?
> >
>
> Yes, ntpsec has replaced ntp and they (ntpsec) seem to have broken
> ntp_signd. They also do not seem to be able to fix it. I also found out
> that when the code was written to connect ntp and Samba, a Linux client
> was never written.
>
> Just use Chrony.
The code to separate mssntp packets from everything else is back in,
there are actually error logging messages now which no-one else seems
to think are important. No, let's all crap on NTPsec because it's
easier.
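
The reply above refers to separating mssntp packets from other NTP requests. As an added example (not NTPsec's or Samba's code), this Python classifier sorts client requests by what follows the 48-byte header, assuming the MS-SNTP request layout of a 4-byte key identifier plus a 16-byte zeroed checksum; the function names and sample datagrams are constructed for illustration.

```python
NTP_HEADER_LEN = 48   # fixed NTP header
KEYID_LEN = 4         # key identifier field
DIGEST_LEN = 16       # checksum field (assumed MS-SNTP Authenticator layout)
MODE_CLIENT = 3       # NTP mode 3 = client request


def build_request(version=4, keyid=None):
    """Build a constructed mode-3 request.

    With keyid (4 raw bytes) set, append keyid + all-zero checksum, the
    shape assumed here for a request that asks the server to sign its reply.
    """
    first = (version << 3) | MODE_CLIENT          # LI=0 | VN | Mode
    pkt = bytes([first]) + bytes(NTP_HEADER_LEN - 1)
    if keyid is not None:
        if len(keyid) != KEYID_LEN:
            raise ValueError("keyid must be 4 bytes")
        pkt += keyid + bytes(DIGEST_LEN)
    return pkt


def classify(datagram):
    """Label a UDP/123 payload by mode and trailer shape."""
    if len(datagram) < NTP_HEADER_LEN:
        return "malformed"
    if datagram[0] & 0x07 != MODE_CLIENT:
        return "not-client-request"
    trailer = datagram[NTP_HEADER_LEN:]
    if not trailer:
        return "plain"                            # e.g. an unauthenticated query
    if len(trailer) == KEYID_LEN + DIGEST_LEN:
        digest = trailer[KEYID_LEN:]
        # Zeroed digest: client wants a signed reply; otherwise a real MAC.
        return "symmetric-key-mac" if any(digest) else "mssntp-sign-request"
    return "other"


if __name__ == "__main__":
    samples = {                                   # constructed sample datagrams
        "plain client": build_request(),
        "domain member": build_request(keyid=b"\x51\x04\x00\x00"),
        "keyed client": build_request() + b"\x00\x00\x00\x01" + b"\xaa" * 16,
        "truncated": b"\x23" * 10,
    }
    for name, pkt in samples.items():
        print(f"{name:14s} len={len(pkt):3d} -> {classify(pkt)}")
```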