samba - Oct 2023 - DC Time Problems

> On 10/25/2023 11:16 AM PDT Rowland Penny via samba <samba at
lists.samba.org> wrote:
> 
>  
> On Wed, 25 Oct 2023 11:53:07 -0500
> Ham via samba <samba at lists.samba.org> wrote:
> 
> > It appears that none of our windows clients are syncing their time
> > with the samba DC.??? From what I can tell they are not able to get a 
> > response from the DC.? For example, where the DC is named athena:
> > 
> >      >w32tm /monitor /computers:athena
> > 
> >     athena[10.10.1.10:123]
> > 
> >      ? ICMP: 0ms delay
> > 
> >      ? NTP: error ERROR_TIMEOUT - no response from server in 1000ms
> > 
> >  From a Linux machine there is also no response:
> > 
> >     ntpdate -q athena
> >     24 Oct 16:47:41 ntpdate[33581]: no server suitable for
> >     synchronization found
> > 
> > 
> > Here is the DC /etc/ntpsec/ntp.conf:
> > 
> > # Where to retrieve the time from
> > server 0.pool.ntp.org???? iburst prefer
> > server 1.pool.ntp.org???? iburst prefer
> > server 2.pool.ntp.org???? iburst prefer
> > 
> > driftfile?????? /var/lib/ntpsec/ntp.drift
> > logfile???????? /var/log/ntp.log
> > #logconfig =all
> > ntpsigndsocket? /var/lib/samba/ntp_signd/
> > 
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > #restrict default kod nomodify notrap nopeer limited mssntp
> > restrict -4 default kod limited nomodify notrap nopeer noquery mssntp
> > # No restrictions for "localhost"
> > restrict 127.0.0.1
> > # Enable the time sources to only provide time to this host
> > restrict 0.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > nopeer noquery
> > restrict 1.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > nopeer noquery
> > restrict 2.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > nopeer noquery
> > 
> > 
> > My DC is using Debian 11 and the Samba package from Debian.
> > 
> > Any ideas on what the problem is?
> > 
> 
> Yes, ntpsec has replaced ntp and they (ntpsec) seem to have broken
> ntp_signd. They also do not seem to be able to fix it. I also found out
> that when the code was written to connect ntp and Samba, a Linux client
> was never written.
> 
> Just use Chrony.
The code to separate mssntp packets from everything else is back in,
there are actually error logging messages now which no-one else seems
to think are important. No, let's all crap on NTPsec because it's
easier.

On Wed, 25 Oct 2023 11:25:14 -0700 (PDT)
James Browning via samba <samba at lists.samba.org> wrote:
> > On 10/25/2023 11:16 AM PDT Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> >  
> > On Wed, 25 Oct 2023 11:53:07 -0500
> > Ham via samba <samba at lists.samba.org> wrote:
> > 
> > > It appears that none of our windows clients are syncing their
time
> > > with the samba DC.??? From what I can tell they are not able to
> > > get a response from the DC.? For example, where the DC is named
> > > athena:
> > > 
> > >      >w32tm /monitor /computers:athena
> > > 
> > >     athena[10.10.1.10:123]
> > > 
> > >      ? ICMP: 0ms delay
> > > 
> > >      ? NTP: error ERROR_TIMEOUT - no response from server in
> > > 1000ms
> > > 
> > >  From a Linux machine there is also no response:
> > > 
> > >     ntpdate -q athena
> > >     24 Oct 16:47:41 ntpdate[33581]: no server suitable for
> > >     synchronization found
> > > 
> > > 
> > > Here is the DC /etc/ntpsec/ntp.conf:
> > > 
> > > # Where to retrieve the time from
> > > server 0.pool.ntp.org???? iburst prefer
> > > server 1.pool.ntp.org???? iburst prefer
> > > server 2.pool.ntp.org???? iburst prefer
> > > 
> > > driftfile?????? /var/lib/ntpsec/ntp.drift
> > > logfile???????? /var/log/ntp.log
> > > #logconfig =all
> > > ntpsigndsocket? /var/lib/samba/ntp_signd/
> > > 
> > > # Access control
> > > # Default restriction: Allow clients only to query the time
> > > #restrict default kod nomodify notrap nopeer limited mssntp
> > > restrict -4 default kod limited nomodify notrap nopeer noquery
> > > mssntp # No restrictions for "localhost"
> > > restrict 127.0.0.1
> > > # Enable the time sources to only provide time to this host
> > > restrict 0.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > > nopeer noquery
> > > restrict 1.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > > nopeer noquery
> > > restrict 2.pool.ntp.org?? mask 255.255.255.255??? nomodify notrap
> > > nopeer noquery
> > > 
> > > 
> > > My DC is using Debian 11 and the Samba package from Debian.
> > > 
> > > Any ideas on what the problem is?
> > > 
> > 
> > Yes, ntpsec has replaced ntp and they (ntpsec) seem to have broken
> > ntp_signd. They also do not seem to be able to fix it. I also found
> > out that when the code was written to connect ntp and Samba, a
> > Linux client was never written.
> > 
> > Just use Chrony.
> 
> The code to separate mssntp packets from everything else is back in,
> there are actually error logging messages now which no-one else seems
> to think are important. No, let's all crap on NTPsec because it's
> easier.
> 
If, ntpsec is now working again with Samba AD, then great, but it
doesn't seem to have percolated down to Debian.

Rowland