samba - Jan 2025 - Time synchronization problem. Chrony, ntp

I noticed a problem with time synchronization on all Windows endpoints. 
I am using Samba 4.21.3 and Chrony 4.3-2.

When I run the following command in Windows:

w32tm /monitor
dc1.xxxx.pl *** PDC ***[192.168.45.10:123]:
ICMP: 1ms delay
NTP: +0.0000000s offset from dc1.xxxx.pl
RefID: time.cloudflare.com [162.159.200.123]
Stratum: 4
dc2.xxxx.pl[192.168.45.9:123]:
ICMP: 1ms delay
NTP: -0.0001207s offset from dc1.xxxx.pl
RefID: ntp1.orange.pl [80.50.102.114]
Stratum: 2

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

But when I run:

w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

When I check on the DC servers with the |tcpdump| program, there is an 
incoming packet, but no outgoing packet.

I am sure this worked previously. It likely stopped working after 
upgrading to Samba version 4.21.1.

I configured Chrony based on the example:
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html
<https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html>

This works. Hopefully it?ll help you.

http://samba.bigbird.es/doku.php?id=samba:install-chrony

On 18 Jan 2025 at 08:49 +0000, Programnet via samba <samba at
lists.samba.org>, wrote:
> I noticed a problem with time synchronization on all Windows endpoints.
> I am using Samba 4.21.3 and Chrony 4.3-2.
>
> When I run the following command in Windows:
>
> w32tm /monitor
> dc1.xxxx.pl *** PDC ***[192.168.45.10:123]:
> ICMP: 1ms delay
> NTP: +0.0000000s offset from dc1.xxxx.pl
> RefID: time.cloudflare.com [162.159.200.123]
> Stratum: 4
> dc2.xxxx.pl[192.168.45.9:123]:
> ICMP: 1ms delay
> NTP: -0.0001207s offset from dc1.xxxx.pl
> RefID: ntp1.orange.pl [80.50.102.114]
> Stratum: 2
>
> Warning:
> Reverse name resolution is best effort. It may not be
> correct since RefID field in time packets differs across
> NTP implementations and may not be using IP addresses.
>
> But when I run:
>
> w32tm /resync
> Sending resync command to local computer
> The computer did not resync because no time data was available.
>
> When I check on the DC servers with the |tcpdump| program, there is an
> incoming packet, but no outgoing packet.
>
> I am sure this worked previously. It likely stopped working after
> upgrading to Samba version 4.21.1.
>
> I configured Chrony based on the example:
>
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html
>
<https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I solved the problem. In my case, it turned out that after updating to 
SAMBA 4.21.x from Debian Backport, the time server stopped responding to 
signed NTP queries. I changed the GPO from NT5DS to NTP. Now it's 
without signing, but at least it works.
I checked my other Samba deployments and observed the exact same effect 
everywhere.

https://wiki.samba.org/index.php/Time_Synchronisation#Setting_User_Defined_Time_Sources_and_Options

Thank you all for guiding me towards the solution.

W dniu 18.01.2025 o?09:48, Programnet via samba pisze:
> I noticed a problem with time synchronization on all Windows 
> endpoints. I am using Samba 4.21.3 and Chrony 4.3-2.
>
> When I run the following command in Windows:
>
> w32tm /monitor
> dc1.xxxx.pl *** PDC ***[192.168.45.10:123]:
> ICMP: 1ms delay
> NTP: +0.0000000s offset from dc1.xxxx.pl
> RefID: time.cloudflare.com [162.159.200.123]
> Stratum: 4
> dc2.xxxx.pl[192.168.45.9:123]:
> ICMP: 1ms delay
> NTP: -0.0001207s offset from dc1.xxxx.pl
> RefID: ntp1.orange.pl [80.50.102.114]
> Stratum: 2
>
> Warning:
> Reverse name resolution is best effort. It may not be
> correct since RefID field in time packets differs across
> NTP implementations and may not be using IP addresses.
>
> But when I run:
>
> w32tm /resync
> Sending resync command to local computer
> The computer did not resync because no time data was available.
>
> When I check on the DC servers with the |tcpdump| program, there is an 
> incoming packet, but no outgoing packet.
>
> I am sure this worked previously. It likely stopped working after 
> upgrading to Samba version 4.21.1.
>
> I configured Chrony based on the example:
>
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html
>
<https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html>
>

On Sat, Jan 18, 2025 at 3:49?AM Programnet via samba
<samba at lists.samba.org> wrote:
>
> I noticed a problem with time synchronization on all Windows endpoints.
> I am using Samba 4.21.3 and Chrony 4.3-2.
>
> When I run the following command in Windows:
>
> w32tm /monitor
> dc1.xxxx.pl *** PDC ***[192.168.45.10:123]:
> ICMP: 1ms delay
> NTP: +0.0000000s offset from dc1.xxxx.pl
> RefID: time.cloudflare.com [162.159.200.123]
> Stratum: 4
> dc2.xxxx.pl[192.168.45.9:123]:
> ICMP: 1ms delay
> NTP: -0.0001207s offset from dc1.xxxx.pl
> RefID: ntp1.orange.pl [80.50.102.114]
> Stratum: 2
>
> Warning:
> Reverse name resolution is best effort. It may not be
> correct since RefID field in time packets differs across
> NTP implementations and may not be using IP addresses.
>
> But when I run:
>
> w32tm /resync
> Sending resync command to local computer
> The computer did not resync because no time data was available.
>
> When I check on the DC servers with the |tcpdump| program, there is an
> incoming packet, but no outgoing packet.
>
> I am sure this worked previously. It likely stopped working after
> upgrading to Samba version 4.21.1.
>
> I configured Chrony based on the example:
>
https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html
>
<https://samba.tranquil.it/doc/en/samba_config_server/debian/server_install_ntp_debian.html>
Based on my [old, dated] experience as a Windows System
Administrator... Windows clients have chronic problems keeping time in
an AD domain environment. I gave up trying to get Windows clients to
use domain controllers for time.

Instead, I installed a 3rd party NTP client on each Windows
workstation, and had the 3rd party NTP client handle time
synchronization. The NTP client ran as a system service and updated
time every 4 hours so drift was trivial. The NTP clients I used would
sync with NIST time servers, and not domain controllers.

I do not know if there are 3rd party NTP clients that can use Samba
domain controllers as a time source modulo the security requirements.
If there are, you might try one. If there are not, then you might try
a plain NTP client synching with NIST time servers. (Of course, use
whatever time service you like besides NIST).

Things may have changed since I was doing Windows SysAdmin work. But
based on this thread, it sounds like not much has changed.

Jeff