It's the thread I mentioned earlier. After re-reading the thread, I gather that NT5DS just doesn't work with chrony with samba 4.21 onwards (now I'm running 4.22.3) and clients need to switch to NTP, or is there a different solution that makes nt5ds (the default setting for Windows domain-joined PCs) work, that I somehow missed in this thread? Although there were mentions in the same thread that it works for some people.

I noticed, when comparing to the information about samba/chrony here

http://samba.bigbird.es/doku.php?id=samba:install-chrony

that the requests my client sends (in nt5ds mode) don't have "key id" and "authentication" in the packets captured by tcpdump.

Also, definitely my setup was working before.

I would be very glad if someone confirmed that they have a working time service with a similar config (samba 4 on debian bookworm with chrony, 4.22.3+, and windows clients using nt5ds, the default for domain-joined clients).

Regards,
Kacper Wirski

On 06.11.2025 at 13:45, miguel medalha wrote:
> A solution is in this Samba mailing list thread:
>
> https://lists.samba.org/archive/samba/2025-January/250758.html
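The post above distinguishes plain NTP client requests from MS-SNTP (NT5DS) requests by whether tcpdump shows a "key id" and "authentication" field. The following is an added example, not code from the original thread or from the Samba or chrony projects: a small Python parser that takes raw NTP UDP payloads and reports whether the 20-byte MS-SNTP authenticator trailer (4-byte key identifier followed by a 16-byte MD5 crypto-checksum, appended after the 48-byte NTP header) is present. The sample packets are constructed inline; the little-endian decoding of the key identifier into a RID and a flag bit is an assumption about the [MS-SNTP] layout, so treat that part as illustrative.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Layout constants: 48-byte NTP header (RFC 5905), optionally followed by
# the MS-SNTP authenticator: 4-byte key identifier + 16-byte MD5 checksum.
NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16
AUTH_TRAILER_LEN = KEY_ID_LEN + DIGEST_LEN


@dataclass
class NtpSummary:
    version: int            # NTP version number from the first header byte
    mode: int               # 3 = client request, 4 = server response
    authenticated: bool     # True if an MS-SNTP authenticator trailer is present
    key_id: Optional[int]   # raw 32-bit key identifier, None if unauthenticated
    rid: Optional[int]      # low 31 bits of key_id (assumed RID of the account)
    flag: Optional[int]     # most significant bit of key_id (assumed flag bit)
    digest_hex: Optional[str]


def parse_ntp_packet(payload: bytes) -> NtpSummary:
    """Classify one NTP UDP payload as plain NTP or MS-SNTP-authenticated."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError(f"payload too short for an NTP header: {len(payload)} bytes")

    # First header byte packs LI (2 bits), VN (3 bits) and mode (3 bits).
    li_vn_mode = payload[0]
    version = (li_vn_mode >> 3) & 0x7
    mode = li_vn_mode & 0x7

    trailer = payload[NTP_HEADER_LEN:]
    if not trailer:
        # Exactly 48 bytes: a plain, unauthenticated NTP packet, which is what
        # a Windows client in NTP/manualpeerlist mode sends.
        return NtpSummary(version, mode, False, None, None, None, None)

    if len(trailer) != AUTH_TRAILER_LEN:
        raise ValueError(f"unexpected trailer length {len(trailer)}; "
                         f"expected 0 or {AUTH_TRAILER_LEN} bytes")

    # Assumption: key identifier is little-endian, low 31 bits carry the RID
    # of the requesting computer account and the top bit is a flag.
    (key_id,) = struct.unpack("<I", trailer[:KEY_ID_LEN])
    rid = key_id & 0x7FFFFFFF
    flag = key_id >> 31
    digest_hex = trailer[KEY_ID_LEN:].hex()
    return NtpSummary(version, mode, True, key_id, rid, flag, digest_hex)


def count_authenticated(payloads) -> dict:
    """Tally how many captured client requests carry the MS-SNTP trailer."""
    counts = {"authenticated": 0, "unauthenticated": 0}
    for p in payloads:
        s = parse_ntp_packet(p)
        counts["authenticated" if s.authenticated else "unauthenticated"] += 1
    return counts


# Constructed sample packets (not real captures):
# byte 0 = 0x1b -> LI=0, VN=3, mode=3 (client request); rest of header zeroed.
PLAIN_CLIENT_REQUEST = bytes([0x1B]) + bytes(NTP_HEADER_LEN - 1)

# Same header plus an authenticator: key id 0x00000451 (RID 1105, flag 0)
# and a 16-byte all-zero checksum, as a client sends before the DC signs.
MS_SNTP_CLIENT_REQUEST = (
    PLAIN_CLIENT_REQUEST
    + struct.pack("<I", 0x00000451)
    + bytes(DIGEST_LEN)
)

if __name__ == "__main__":
    for pkt in (PLAIN_CLIENT_REQUEST, MS_SNTP_CLIENT_REQUEST):
        print(parse_ntp_packet(pkt))
    print(count_authenticated([PLAIN_CLIENT_REQUEST, MS_SNTP_CLIENT_REQUEST]))
```

To use it on a real capture, extract the UDP payloads of port 123 traffic (for example with a pcap library) and feed each one to `parse_ntp_packet`; a client in NT5DS mode should produce 68-byte requests that classify as authenticated, while 48-byte requests indicate the client has fallen back to plain NTP.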
Hi,

I have a samba 4.21.4 dc on debian bookworm with chrony, and my domain-joined Windows 10 and 11 workstations seem to be using NT5DS.

I really didn't do anything fancy, just installed bookworm + samba from backports, joined the domain as a dc, transferred FSMO roles from a very old dc that I was decommissioning, removed the old dc, and completely forgot about time :-)

A few weeks later, problems started to appear (no kidding...), I installed and configured chrony, and workstations started to sync. It just works.

Thanks,
--
Rémi

Kacper Wirski via samba <samba at lists.samba.org> writes:
> It's the thread I mentioned earlier, after re-reading the thread, I
> gather that NT5DS just doesn't work with chrony with samba 4.21
> onwards (now I'm running 4.22.3) and clients need to switch to NTP, or
> is there a different solution that makes nt5ds, default windows domain
> joined pc's setting, that I somehow miss in this thread?
>
> Although there were mentions in the same thread, that it works for
> some people.
>
> I noticed, that when comparing to information about samba/chrony here
>
> http://samba.bigbird.es/doku.php?id=samba:install-chrony
>
> that requests, that my client send (in nt5ds mode) don't have "key id"
> and "authentication" in packets captured by tcpdump.
>
> Also definitely my setup was working before.
>
> I would be very glad if someone confirmed that has working time
> service with similar config (samba 4 on debian bookworm with chrony
> 4.22.3+ and windows clients using nt5ds, default for domain joined
> clients).
On 2025-11-06 5:24 a.m., Kacper Wirski via samba wrote:
>
> I would be very glad if someone confirmed that has working time service
> with similar config (samba 4 on debian bookworm with chrony 4.22.3+ and
> windows clients using nt5ds, default for domain joined clients).
>

For what it's worth, my recent experience with NT5DS (i.e. MS-SNTP) on Debian-based Samba AD DCs using chrony has been as follows:

On Debian Bookworm, with Samba 4.17.x (with domain function level 2008_R2), MS-SNTP works correctly. Domain-joined Windows clients configured for NT5DS/DOMHIER (or also ALLSYNC) obtain authenticated time from the Samba DCs via MS-SNTP without issue.

On Debian Trixie, with Samba 4.22.x (with domain function level also at 2008_R2), MS-SNTP-authenticated time sync also works fine.

However, the moment the domain function level is upgraded (to 2016), MS-SNTP time sync from chrony stops working. Unauthenticated NTP is then the only option that does work, which means using GPO (or local w32tm.exe commands) to give Windows clients a "manualpeerlist" of the DCs to get (unauthenticated) time from.

Interestingly, recent versions of ntpsec (as in Debian Trixie) also appear to serve MS-SNTP correctly to NT5DS/DOMHIER/ALLSYNC-configured Windows clients, provided that the domain function level is 2008_R2. (Again, upgrading the domain function level from 2008_R2 immediately breaks MS-SNTP service from ntpsec.)

In summary, both chrony and ntpsec can provide MS-SNTP service to Windows domain clients of Samba AD, provided that the domain function level is 2008_R2. Newer domain function levels seem to prevent MS-SNTP from working. Perhaps this is by design? Or a bug? I don't know.

-S.M.