On 10.03.2025 17:51, Stefan G. Weichinger via samba wrote:
> On 10.03.25 at 17:43, Rowland Penny via samba wrote:
>
>> The only NTP servers that were thought to work with Samba AD were ntp &
>> chrony, now I'm not so sure, but I believe that the ntp replacement,
>> ntpsec, has now been fixed, not sure if chrony works or not.
>>
>> I cannot recommend continuing to use openntpd, purely and simply
>> because, as far as I am aware, it doesn't have the code to 'speak' to
>> Samba AD.
>
> In the meantime I already rolled out chrony, yes.
>
> Using my debops/ansible setup that was done in minutes ... now I wait
> for the happy feedback ;-)
>
> Thanks!
>
>

Hi Stefan,

I can confirm that setting

HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/SignatureAuthAllowed

to 0 is working. You don't need any more complex GPOs than that. I have tried it with Windows 7, Windows 10 and Windows 11.

On the flip side, the clients will synchronize with the DCs, the drawback is naturally, without the security features. Any other method previously described, where time data is supplied by external servers, is a last resort option.

Best regards,

Peter

On 10.03.2025 18:13, Peter Milesson via samba wrote:
>
>
> On 10.03.2025 17:51, Stefan G. Weichinger via samba wrote:
>> On 10.03.25 at 17:43, Rowland Penny via samba wrote:
>>
>>> The only NTP servers that were thought to work with Samba AD were ntp &
>>> chrony, now I'm not so sure, but I believe that the ntp replacement,
>>> ntpsec, has now been fixed, not sure if chrony works or not.
>>>
>>> I cannot recommend continuing to use openntpd, purely and simply
>>> because, as far as I am aware, it doesn't have the code to 'speak' to
>>> Samba AD.
>>
>> In the meantime I already rolled out chrony, yes.
>>
>> Using my debops/ansible setup that was done in minutes ... now I wait
>> for the happy feedback ;-)
>>
>> Thanks!
>>
>>
> Hi Stefan,
>
> I can confirm that setting
>
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/SignatureAuthAllowed
>
>
> to 0 is working. You don't need any more complex GPOs than that. I
> have tried it with Windows 7, Windows 10 and Windows 11.
>
> On the flip side, the clients will synchronize with the DCs, the
> drawback is naturally, without the security features. Any other method
> previously described, where time data is supplied by external servers,
> is a last resort option.
>
> Best regards,
>
> Peter
>
>

Hi folks,

Just a note: If you set this registry entry, you must restart the service w32time. After that, it will take some time before the first sync, probably not more than half a minute.

If you set the registry entry by GPO, a reboot of the Windows PC will be necessary.

Best regards,

Peter

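The procedure from the two messages above (set the value, restart w32time, wait for the first sync), as an added example that is not part of the original posts. It assumes an elevated PowerShell session on a domain-joined Windows client and the direct registry route rather than a GPO. The 30-second wait is taken from the "half a minute" estimate above, and the value is written as a DWORD.

```powershell
# Added example, not from the thread: apply SignatureAuthAllowed = 0 on one
# client and check that it then syncs from a DC. Run elevated.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'
$name = 'SignatureAuthAllowed'

# Record the current state first so the change can be reverted later.
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $before) {
    Write-Output "$name is not set on this machine"
} else {
    Write-Output "$name is currently $before"
}

if ($before -ne 0) {
    # Accept time from the DC without the signature check.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord

    # The service only picks up the new value after a restart.
    Restart-Service -Name w32time

    # Wait time assumed from the "half a minute" estimate in the thread.
    Start-Sleep -Seconds 30
}

# Force a sync attempt and show which source the client ended up using.
w32tm /resync /rediscover
if ($LASTEXITCODE -ne 0) {
    Write-Warning "w32tm /resync failed with exit code $LASTEXITCODE"
}
w32tm /query /source
w32tm /query /status
```

The first lines of output record whether the value was present before the change, which answers the "was this set years ago?" question on a given PC without modifying anything if it is already 0.
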
On 10.03.25 at 18:13, Peter Milesson via samba wrote:
> Hi Stefan,
>
> I can confirm that setting
>
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/
> SignatureAuthAllowed
>
> to 0 is working. You don't need any more complex GPOs than that. I have
> tried it with Windows 7, Windows 10 and Windows 11.
>
> On the flip side, the clients will synchronize with the DCs, the
> drawback is naturally, without the security features. Any other method
> previously described, where time data is supplied by external servers,
> is a last resort option.

thank you.

So far the customer told me that all the tested PCs (Windows 11) have the correct time today after setting up samba with chrony yesterday.

bingo

I don't have that registry key in place, I think. I'd have to check on site ... that might have been set years ago. But I assume: no.