Luis Peromarta
2024-Feb-09 09:22 UTC
[Samba] Joining Windows 10 Domain Member to Samba AD/DC
Are your clients talking to the DCs re. time at all? This is an example from one of my DCs. Run tcpdump on your DC:

root at dwing:~# tcpdump port 123 -v
tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:20:41.655081 IP (tos 0x0, ttl 128, id 32113, offset 0, flags [none], proto UDP (17), length 96)
    192.168.3.52.ntp > dwing.mad.mater.int.ntp: NTPv3, Client, length 68
        Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 17 (131072s), precision -23
        Root Delay: 0.017257, Root dispersion: 16.000000, Reference-ID: (unspec)
          Reference Timestamp:  3916459101.490509499 (2024-02-09T09:18:21Z)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3916459255.755510199 (2024-02-09T09:20:55Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3916459255.755510199 (2024-02-09T09:20:55Z)
        Key id: 4010278912
        Authentication: 00000000000000000000000000000000
10:20:41.656262 IP (tos 0x0, ttl 64, id 43189, offset 0, flags [DF], proto UDP (17), length 96)
    dwing.mad.mater.int.ntp > 192.168.3.52.ntp: NTPv3, Server, length 68
        Leap indicator: (0), Stratum 3 (secondary reference), poll 17 (131072s), precision -25
        Root Delay: 0.032394, Root dispersion: 0.002304, Reference-ID: 0x5e8f8bdb
          Reference Timestamp:  3916458550.943342981 (2024-02-09T09:09:10Z)
          Originator Timestamp: 3916459255.755510199 (2024-02-09T09:20:55Z)
          Receive Timestamp:    3916459241.655292751 (2024-02-09T09:20:41Z)
          Transmit Timestamp:   3916459241.655478940 (2024-02-09T09:20:41Z)
            Originator - Receive Timestamp:  -14.100217447
            Originator - Transmit Timestamp: -14.100031259
        Key id: 4010278912
        Authentication: 7a1ea93ca4a938744e51383001283caa

Might be worth examining that traffic for clues.
Regards, LP

On Feb 9, 2024 at 05:31 +0100, Mark Foley via samba <samba at lists.samba.org>, wrote:
> On Thu Jan 4 19:46:02 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > I've added a Windows 10 domain member to my Domain. I'm now following the
> > procedure in https://wiki.samba.org/index.php/Time_Synchronisation#Configuring_Time_Synchronisation_on_a_Windows_Domain_Member.
> >
> > [deleted]
>
> The above references the first in a long thread I started having to do with
> getting a Windows domain member to time-sync with a new DC, Samba 4.18.9.
>
> None of my Windows domain members sync with the new domain controller.
>
> None of these same Windows workstations had any problem syncing with the previous
> Samba 4.8.2 DC which ran for the past 10-ish years.
>
> On the DC I've tried both chrony and ntp-4.2.8. In the ntp case I used the same
> 4.8.2 version on the old DC; in both cases built with --enable-ntp-signd.
>
> One possible issue was that these Windows domain members were unjoined from the
> 4.8.2 domain, rejoined to the new 4.18.9, and had Profwiz.exe run on each member
> to migrate the domain user's profile. None of that was done when they were
> first joined to the old 4.8.2 domain. One participant in this thread suggested
> I try joining a "virgin" Windows computer. I did that today with a scratch
> install of Windows 10.
>
> After joining the domain I got:
>
> w32tm /query /source
> Local CMOS Clock
>
> I'm hoping for the FQDN of the DC: 'mail.hprs.local', like I used to get with
> Samba 4.8.2.
>
> This is the same thing I have been getting from the beginning with the new
> 4.18.9 DC. Several thread participants said I shouldn't need to do any group
> policies or anything special. Apparently in my case this is not true.
>
> Everything configured is strictly "vanilla". The DC was provisioned as:
>
> samba-tool domain provision --use-rfc2307 --realm=HPRS.LOCAL --domain=HPRS \
>   --server-role=dc --dns-backend=SAMBA_INTERNAL \
>   --option=interfaces="lo eth0" --option="bind interfaces only=yes"
>
> Nothing else was done on the DC. The "test" Windows 10 computer was clean
> installed today, nothing left over from any previous domain joins or old domain
> user profiles.
>
> I've tried with and without a "Time Sources" GPO. At the moment, I have a GPO
> configured.
>
> There are only two differences I can identify between when this worked and when
> it did not:
>
> 1. It worked with Samba 4.8.2 and does not work with Samba 4.18.9.
>
> 2. Samba 4.8.2 was provisioned with --dns-backend=BIND9_FLATFILE and Samba
>    4.18.9 was provisioned with --dns-backend=SAMBA_INTERNAL.
>
> Those, I believe, are the only differences. Something must not be working
> correctly with Samba 4.18.9.
>
> As time-sync among domain members is supposed to be critical, I am about to get
> Microsoft involved.
>
> Before I do that (and before I retry a bunch of the w32tm commands), I'd like to
> see if any of the experts on this list have any additional suggestion.
>
> Thanks --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Fri Feb 9 04:23:29 2024 Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> Are your clients talking to the DCs re. time at all?
>
> This is an example from one of my DCs. Run tcpdump on your DC:
>
> root at dwing:~# tcpdump port 123 -v
> [snip]
>
> Might be worth examining that traffic for clues.
>
> Regards, LP

Luis, excellent suggestion! Below is my result:

--------------------------
# tcpdump -v -i eth0 port 123
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:23:07.468629 IP (tos 0x0, ttl 128, id 22607, offset 0, flags [none], proto UDP (17), length 96)
    192.168.0.53.ntp > mail.hprs.local.ntp: NTPv3, Client, length 68
        Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 7 (128s), precision -23
        Root Delay: 0.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
          Reference Timestamp:  3916127270.315146199 (2024-02-05T13:07:50Z)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3916480949.611151499 (2024-02-09T15:22:29Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3916480949.611151499 (2024-02-09T15:22:29Z)
        Key id: 1711538176
        Authentication: 00000000000000000000000000000000
10:23:07.468836 IP (tos 0xb8, ttl 64, id 2268, offset 0, flags [DF], proto UDP (17), length 80)
    mail.hprs.local.ntp > 192.168.0.53.ntp: NTPv3, Server, length 52
        Leap indicator: (0), Stratum 3 (secondary reference), poll 7 (128s), precision -19
        Root Delay: 0.035171, Root dispersion: 0.085723, Reference-ID: 0x179da0a8
          Reference Timestamp:  3916479890.214796580 (2024-02-09T15:04:50Z)
          Originator Timestamp: 3916480949.611151499 (2024-02-09T15:22:29Z)
          Receive Timestamp:    3916480987.468629691 (2024-02-09T15:23:07Z)
          Transmit Timestamp:   3916480987.468801127 (2024-02-09T15:23:07Z)
            Originator - Receive Timestamp:  +37.857478191
            Originator - Transmit Timestamp: +37.857649627
        Key id: 0
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel
-----------------------------------

Host 192.168.0.53 is a Windows 10 domain member. On that computer, I get:

C:\Users\Administrator.HPRS>w32tm /query /source
Free-running System Clock

C:\Users\Administrator.HPRS>w32tm /query /status
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Free-running System Clock
Poll Interval: 10 (1024s)

Some Windows computers come back with "Free-running System Clock", most with
"Local CMOS Clock", not sure what the difference is.

However, the interesting bit is that the DC is getting time-sync requests from
this Windows computer, and apparently responding. So why doesn't the /query
show that?

I am also able to show connection from Windows to the DC by running

w32tm /stripchart /computer:mail.hprs.local /dataonly /samples:5

I'm going to let the tcpdump run for a while to see if the other Windows
computers show up.

Thanks --Mark
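The two captures above differ in the trailer of the server reply: Luis's DC answers with 68 bytes carrying the client's key id and a 16-byte MD5 digest, while Mark's DC answers with 52 bytes and "Key id: 0", which in RFC 5905 terms is a crypto-NAK (key id 0, no MAC). The following script is an added example, not code from the thread or from Samba: it parses raw NTP packets and classifies the authenticator so a defender can tell a signed reply from a crypto-NAK; the sample packets are constructed from the key ids and digest quoted above, with all other fields zeroed.

```python
import struct

HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch


def build_packet(mode, stratum, tx_unix, key_id=None, mac=b""):
    """Construct a minimal NTPv3 packet (sample input, not a captured frame)."""
    li_vn_mode = (3 << 3) | mode                       # LI=0, VN=3, mode
    hdr = struct.pack("!BBbb", li_vn_mode, stratum, 0, 0) + bytes(12)
    hdr += bytes(24)                                   # ref/orig/recv timestamps
    hdr += struct.pack("!II", tx_unix + NTP_EPOCH_OFFSET, 0)
    if key_id is None:
        return hdr                                     # plain 48-byte packet
    return hdr + struct.pack("!I", key_id) + mac


def classify(pkt):
    """Return mode, stratum, length and the authenticator state of one packet.

    RFC 5905: a 4-byte key id of 0 with no MAC is a crypto-NAK.  An MS-SNTP
    client request carries a non-zero key id plus 16 zero bytes that the DC
    is expected to replace with an MD5 digest (Samba does this via ntp_signd).
    """
    if len(pkt) < HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    trailer = pkt[HEADER_LEN:]
    if not trailer:
        auth = "none"
    elif trailer == bytes(4):
        auth = "crypto-nak"
    elif len(trailer) == 20:
        auth = "request-unsigned" if trailer[4:] == bytes(16) else "md5-signed"
    else:
        auth = "unexpected-%d-byte-trailer" % len(trailer)
    return {"mode": pkt[0] & 0x07, "stratum": pkt[1], "length": len(pkt), "auth": auth}


def diagnose(request, reply):
    """Explain what a client/server pair says about the DC's signing path."""
    req, rep = classify(request), classify(reply)
    if req["mode"] != 3 or rep["mode"] != 4:
        return "not a client/server pair"
    if req["auth"] != "request-unsigned":
        return "client did not ask for an MS-SNTP signature"
    return {"md5-signed": "DC signed the reply with the client's key id",
            "crypto-nak": "DC answered with a crypto-NAK: the reply was not signed",
            "none": "DC replied with no authenticator at all",
            }.get(rep["auth"], "unexpected reply authenticator: " + rep["auth"])


# Constructed samples: key id and digest values as quoted in the thread.
WIN_REQUEST = build_packet(3, 0, 1707492149, key_id=1711538176, mac=bytes(16))
NAK_REPLY = build_packet(4, 3, 1707492187, key_id=0)                    # 52 bytes
SIGNED_REPLY = build_packet(4, 3, 1707492187, key_id=1711538176,
                            mac=bytes.fromhex("7a1ea93ca4a938744e51383001283caa"))
```

Running `diagnose(WIN_REQUEST, NAK_REPLY)` reproduces the verdict for Mark's capture, and the same function can be fed packets read from a pcap or a UDP socket on port 123.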