I'm a little late to the game on this. Just upgraded a few of our Samba
servers to Ubuntu 24.04 and was pleased to see ntpsec... And today I see that
time is not syncing on the Windows machines.

Before I saw the registry entry workaround on this mailing list, I did some
testing. Found that I can sync older Linux machines with the newer ntpsec
servers without problems (tested with ntpdate), but Windows machines would not
sync. So, I went into GPO and changed the Windows NTP Client settings to use
type NTP instead of NT5DS. Once that was done and GPO had been updated on the
machines, time sync started working.... No service restarts or reboots required.

It's nice that NT5DS has some level of encryption, but to use that the NTP
server on the network has to use no encryption. Seems that no
encryption/verification on the LAN is better than no encryption/verification
over the Internet. So, I'm keeping ntpsec to sync time with the internet and
downgrading the Windows machines to use plain ntp on the LAN.

Is my logic valid?

Bo Kersey
In theory there is no difference between theory and practice. In practice, there
is. - noted philosopher Yogi Berra

----- Original Message -----
> From: "Luis Peromarta via samba" <samba at lists.samba.org>
> To: "Samba List" <samba at lists.samba.org>
> Sent: Tuesday, March 11, 2025 5:46:38 AM
> Subject: Re: [Samba] Time sync issue
>
> This is my same experience, never needed the reg key nor I could reproduce the
> problem if following my notes in samba.bigbird.es
>
> All the best.
> On 11 Mar 2025 at 10:30 +0100, Stefan G. Weichinger via samba
> <samba at lists.samba.org>, wrote:
>> On 10.03.25 at 18:13, Peter Milesson via samba wrote:
>>
>> > Hi Stefan,
>> >
>> > I can confirm that setting
>> >
>> >
>> > HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/SignatureAuthAllowed
>> >
>> > to 0 is working. You don't need any more complex GPOs than that. I have
>> > tried it with Windows 7, Windows 10 and Windows 11.
>> >
>> > On the flip side, the clients will synchronize with the DCs, the
>> > drawback is naturally, without the security features. Any other method
>> > previously described, where time data is supplied by external servers,
>> > is a last resort option.
>>
>> thank you.
>>
>> So far the customer told me that all the tested PCs (Windows 11) have
>> the correct time today after setting up samba with chrony yesterday.
>>
>> bingo
>>
>> I don't have that registry key in place, I think. I'd have to check on
>> site ... that might have been set years ago. But I assume: no.
>>
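
Added example, not part of the thread: one way to confirm from a capture of UDP/123 payloads which clients still send signed (NT5DS-style) requests and which have moved to plain NTP after the GPO change. The trailer lengths are assumptions taken from the MS-SNTP packet layout, and the addresses and key-identifier bytes are constructed sample data.

```python
from collections import defaultdict

NTP_HEADER_LEN = 48
# Trailer lengths assumed from the MS-SNTP layout (check against your own capture):
# 20 bytes = 4-byte key identifier + 16-byte checksum,
# 72 bytes = extended authenticator.
TRAILERS = {0: "plain", 20: "authenticator", 72: "extended-authenticator"}
CLIENT_MODE = 3


def classify(payload: bytes) -> dict:
    """Describe one UDP/123 payload: NTP version, mode and trailer kind."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than the 48-byte NTP header")
    trailer = payload[NTP_HEADER_LEN:]
    return {
        "version": (payload[0] >> 3) & 0x07,
        "mode": payload[0] & 0x07,
        "auth": TRAILERS.get(len(trailer), "unknown-trailer"),
        # Raw key-identifier bytes as hex; deliberately not decoded here.
        "key_id": trailer[:4].hex() if len(trailer) >= 4 else None,
    }


def clients_still_signing(packets):
    """Return {source: count} for client requests that carry any trailer."""
    hits = defaultdict(int)
    for src, payload in packets:
        info = classify(payload)
        if info["mode"] == CLIENT_MODE and info["auth"] != "plain":
            hits[src] += 1
    return dict(hits)


def sample_request(trailer: bytes = b"") -> bytes:
    # Constructed packet: LI=0, VN=3, Mode=3 (0x1b), rest of header zeroed.
    return bytes([0x1B]) + bytes(NTP_HEADER_LEN - 1) + trailer


# Constructed capture: (source address, UDP payload) pairs.
SAMPLE = [
    ("192.0.2.10", sample_request()),
    ("192.0.2.11", sample_request(bytes.fromhex("51040000") + bytes(16))),
    ("192.0.2.11", sample_request(bytes.fromhex("51040000") + bytes(16))),
    ("192.0.2.12", sample_request(bytes.fromhex("52040000") + bytes(68))),
]

if __name__ == "__main__":
    print(clients_still_signing(SAMPLE))
```

A 20-byte trailer has the same shape as an ordinary NTP symmetric-key MAC, so length alone does not prove the request came from a domain-joined Windows client.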