Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Jason MacChesney jason.macches...@ecacs16.ab.ca
To: Andrew Martin amar...@xes-inc.com
Cc: Thomas Simmons twsn...@gmail.com, samba@lists.samba.org
Sent: Wednesday, July 31, 2013 2:24:35 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Hi Andrew,

I've been struggling silently with this for quite awhile. With pretty much an identical set-up (save for my W7 machines being handled by Virtual Box) I'm at my wit's end. A tcpdump initially revealed that the server with Samba4(.0.7) and NTP was being sent packets, but never returning them. Similarly, a Linux box was caught in stratum 16. Both of these problems were resolved after amending the ntp.conf file to allow IP's from a specified subnet. So in my case:

    restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer

Now I get this:

    C:\Users\administrator>w32tm /monitor
    sambaf.sambafour.LOCAL *** PDC ***[ 192.168.1.131:123 ]:
        ICMP: 0ms delay
        NTP: +0.000s offset from sambaf.sambafour.LOCAL
            RefID: mx2.trentu.ca [192.75.12.11]
            Stratum: 3

    Warning: Reverse name resolution is best effort. It may not be correct since RefID field in time packets differs across NTP implementations and may not be using IP addresses.

BUT, I still get this:

    C:\Users\administrator>w32tm /resync /rediscover
    Sending resync command to local computer
    The computer did not resync because no time data was available.

    C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
    The command completed successfully.

    C:\Users\administrator>w32tm /query /source
    Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start, register/unregister, included the signdsocket directory in both the smb and ntp configuration files. I'm really surprised to hear that you received mixed results based on how you launched the ntp service. I've had no such luck. So I'm pretty baffled. Time drift is potentially a massive issue where we deploy machines due to PEBKAC.
I hate to piggyback on an issue, but any insight anyone might have would be appreciated. On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 7:07:59 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it? On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Andrew Martin amar...@xes-inc.com To: Thomas Simmons twsn...@gmail.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 2:31:21 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 12:26:57 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? Running w32tm /config /update /syncfromflags:DOMHIER net stop w32time net start w32time should make the client query the directory for it's time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working. I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. 
I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected. On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 11:03:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Hi Murray,

- Original Message -
From: Murray Fraser msfra...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Wednesday, July 31, 2013 11:36:54 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

> Hi Andrew
>
> Did you compile NTP with --enable-ntp-signd ?

It is the default ntp package provided by Ubuntu/Debian, but yes I believe so.

> If you run 'ntpd -d' as root do you see:
>
> transmit ntp_signd packet: at 44 XX.XX.XX.XX-XX.XX.XX.XX mode 4 keyid 5004 len 68

Yes, I do. Are those packets only sent when a client requests an update?

    # ntpd -d | grep signd
    MS-SNTP signd operations currently block ntpd degrading service to all clients.
    1 Aug 10:03:22 ntpd[9351]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
    transmit ntp_signd packet: at 134 192.168.0.101-192.168.0.90 mode 4 keyid d405 len 68
    transmit ntp_signd packet: at 318 192.168.0.101-192.168.0.88 mode 4 keyid dd05 len 68

Thanks,

Andrew

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Hi Andrew,

I've been struggling silently with this for quite awhile. With pretty much an identical set-up (save for my W7 machines being handled by Virtual Box) I'm at my wit's end. A tcpdump initially revealed that the server with Samba4(.0.7) and NTP was being sent packets, but never returning them. Similarly, a Linux box was caught in stratum 16. Both of these problems were resolved after amending the ntp.conf file to allow IP's from a specified subnet. So in my case:

    restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer

Now I get this:

    C:\Users\administrator>w32tm /monitor
    sambaf.sambafour.LOCAL *** PDC ***[192.168.1.131:123]:
        ICMP: 0ms delay
        NTP: +0.000s offset from sambaf.sambafour.LOCAL
            RefID: mx2.trentu.ca [192.75.12.11]
            Stratum: 3

    Warning: Reverse name resolution is best effort. It may not be correct since RefID field in time packets differs across NTP implementations and may not be using IP addresses.

BUT, I still get this:

    C:\Users\administrator>w32tm /resync /rediscover
    Sending resync command to local computer
    The computer did not resync because no time data was available.

    C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
    The command completed successfully.

    C:\Users\administrator>w32tm /query /source
    Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start, register/unregister, included the signdsocket directory in both the smb and ntp configuration files. I'm really surprised to hear that you received mixed results based on how you launched the ntp service. I've had no such luck. So I'm pretty baffled. Time drift is potentially a massive issue where we deploy machines due to PEBKAC. I hate to piggyback on an issue, but any insight anyone might have would be appreciated.
On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 7:07:59 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it? On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Andrew Martin amar...@xes-inc.com To: Thomas Simmons twsn...@gmail.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 2:31:21 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 12:26:57 PM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? Running w32tm /config /update /syncfromflags:DOMHIER net stop w32time net start w32time should make the client query the directory for it's time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working. I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected. 
On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 11:03:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually it to smb.conf: ntp signd socket directory = /var/run/samba/ntp_signd Apart from that, my suggestion would be to stop
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Hi Andrew

Did you compile NTP with --enable-ntp-signd ?

If you run 'ntpd -d' as root do you see:

    transmit ntp_signd packet: at 44 XX.XX.XX.XX-XX.XX.XX.XX mode 4 keyid 5004 len 68

- Murray

On Sun, Jul 28, 2013 at 2:43 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 7:07:59 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it?

On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

Running

    w32tm /config /update /syncfromflags:DOMHIER
    net stop w32time
    net start w32time

should make the client query the directory for its time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working.
I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected. On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 11:03:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually it to smb.conf: ntp signd socket directory = /var/run/samba/ntp_signd Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client? On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 10:33:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote: Hello, I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. 
Below is my ntp.conf: server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/run/samba/ntp_signd restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify
[Samba] Correct NTP Settings for Samba 4.0.6?
Hello,

I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki (https://wiki.samba.org/index.php/Configure_NTP) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf:

    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/run/samba/ntp_signd
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:

    # samba4 ntp signing socket
    /{,var/}run/samba/ntp_signd/socket rw,

What is the correct procedure for configuring NTP for a Samba4 AD DC?

Thanks,

Andrew
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Robert Gurdon sandbox...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Sent: Saturday, July 27, 2013 7:02:51 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

> Yo,
>
> Could you attach your ntp log when you start/restart it?
>
> Robert
>
> On 2013-07-27 08:26, Andrew Martin wrote:
>> Hello,
>>
>> I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki (https://wiki.samba.org/index.php/Configure_NTP) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf:
>>
>> server 127.127.1.0
>> fudge 127.127.1.0 stratum 10
>> server 0.pool.ntp.org iburst prefer
>> server 1.pool.ntp.org iburst prefer
>> driftfile /var/lib/ntp/ntp.drift
>> logfile /var/log/ntp
>> ntpsigndsocket /var/run/samba/ntp_signd
>> restrict default kod nomodify notrap nopeer mssntp
>> restrict 127.0.0.1
>> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>>
>> Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:
>>
>> # samba4 ntp signing socket
>> /{,var/}run/samba/ntp_signd/socket rw,
>>
>> What is the correct procedure for configuring NTP for a Samba4 AD DC?
>>
>> Thanks,
>>
>> Andrew
>
> --
> Kind regards:
> Robert

Robert,

Sure, thanks for the help. Here are log messages when I restart ntpd:

    Jul 27 09:14:02 dc1 ntpd[30565]: ntpd exiting on signal 15
    Jul 27 09:14:04 dc1 ntpd[5957]: ntpd 4.2.6p3@1.2290-o Tue Jun 5 20:12:08 UTC 2012 (1)
    Jul 27 09:14:04 dc1 ntpd[5958]: proto: precision = 0.345 usec
    Jul 27 09:14:04 dc1 ntpd[5958]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 1 v6wildcard :: UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 2 lo 127.0.0.1 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 3 eth0 192.168.0.102 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 4 eth0 192.168.0.221 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 5 eth0 fe80::5054:ff:fece:1e3b UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 6 lo ::1 UDP 123
    Jul 27 09:14:04 dc1 ntpd[5958]: peers refreshed
    Jul 27 09:14:04 dc1 ntpd[5958]: Listening on routing socket on fd #23 for interface updates
    Jul 27 09:14:04 dc1 ntpd[5958]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

The ntp_signd directory is empty:

    root@dc1:/# ls -l /var/run/samba/ntp_signd
    total 0
    root@dc1:/# ls -l /var/run/samba/ | grep ntp
    drwxr-x--- 2 ntp ntp 40 Jul 8 16:40 ntp_signd

Thanks,

Andrew
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote: Hello, I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf: server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/run/samba/ntp_signd restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd: # samba4 ntp signing socket /{,var/}run/samba/ntp_signd/socket rw, What is the correct procedure for configuring NTP for a Samba4 AD DC? Thanks, Andrew When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 10:33:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote: Hello, I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf: server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/run/samba/ntp_signd restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd: # samba4 ntp signing socket /{,var/}run/samba/ntp_signd/socket rw, What is the correct procedure for configuring NTP for a Samba4 AD DC? Thanks, Andrew When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket? 
Thomas,

When compiling Samba, I specified custom paths to be in line with Debian's conventions for file locations:

    conf_args = \
        --prefix=/usr \
        --enable-fhs \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --with-privatedir=/var/lib/samba/private \
        --with-smbpasswd-file=/etc/samba/smbpasswd \
        --with-piddir=/var/run/samba \
        --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
        --with-pam \
        --with-syslog \
        --with-utmp \
        --with-pam_smbpass \
        --with-winbind \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
        --with-automount \
        --with-ldap \
        --with-ads \
        --with-dnsupdate \
        --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
        --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
        --datadir=/usr/share \
        --with-lockdir=/var/run/samba \
        --with-statedir=/var/lib/samba \
        --with-cachedir=/var/cache/samba \
        --disable-avahi \
        --with-ctdb=/usr \
        --disable-rpath \
        --disable-ntdb \
        --disable-rpath-install \
        --bundled-libraries=NONE,pytevent,iniparser \
        --builtin-libraries=replace,ccan \
        --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \
        --without-getpass-replacement \
        --enable-debug

Thanks,

Andrew
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually adding it to smb.conf:

    ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client?

On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 10:33:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote:

Hello,

I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf:

    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/run/samba/ntp_signd
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:

    # samba4 ntp signing socket
    /{,var/}run/samba/ntp_signd/socket rw,

What is the correct procedure for configuring NTP for a Samba4 AD DC?
Thanks, Andrew When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket? Thomas, When compiling Samba, I specified custom paths to be in line with Debian's conventions for file locations: conf_args = \ --prefix=/usr \ --enable-fhs \ --sysconfdir=/etc \ --localstatedir=/var \ --with-privatedir=/var/lib/samba/private \ --with-smbpasswd-file=/etc/samba/smbpasswd \ --with-piddir=/var/run/samba \ --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \ --with-pam \ --with-syslog \ --with-utmp \ --with-pam_smbpass \ --with-winbind \ --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \ --with-automount \ --with-ldap \ --with-ads \ --with-dnsupdate \ --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \ --datadir=/usr/share \ --with-lockdir=/var/run/samba \ --with-statedir=/var/lib/samba \ --with-cachedir=/var/cache/samba \ --disable-avahi \ --with-ctdb=/usr \ --disable-rpath \ --disable-ntdb \ --disable-rpath-install \ --bundled-libraries=NONE,pytevent,iniparser \ --builtin-libraries=replace,ccan \ --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \ --without-getpass-replacement \ --enable-debug Thanks, Andrew -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
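The thread turns on two settings: the signing socket path that ntp.conf (ntpsigndsocket) and smb.conf (ntp signd socket directory) must agree on, and the mssntp flag on whichever restrict entry matches a client. The following is an added example, not code from the thread or from Samba or ntpd, that checks both; it assumes IPv4 clients and that ntpd applies the most specific matching restrict entry, and its function names and the smb.conf fragment are hypothetical.

```python
import ipaddress
import os
import stat

# ntp.conf exactly as posted in the first message of the thread.
NTP_CONF = """\
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""
# Subnet rule posted elsewhere in the thread, kept separate to build a second case.
SUBNET_RULE = "restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer\n"
# Constructed smb.conf fragment holding the option suggested in the thread.
SMB_CONF = "[global]\n    ntp signd socket directory = /var/run/samba/ntp_signd\n"


def parse_ntp_conf(text):
    """Return (ntpsigndsocket path or None, [(IPv4 network, flag set), ...])."""
    signd_dir, rules = None, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "ntpsigndsocket":
            signd_dir = tok[1]
        elif tok[0] == "restrict":
            addr, rest, mask = tok[1], tok[2:], "255.255.255.255"
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            try:
                net = ipaddress.ip_network(
                    "0.0.0.0/0" if addr == "default" else f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # hostname or IPv6 entry: outside this IPv4-only sketch
            rules.append((net, set(rest)))
    return signd_dir, rules


def effective_rule(rules, client_ip):
    """Most specific restrict entry covering client_ip (ties: last listed)."""
    ip, best = ipaddress.ip_address(client_ip), None
    for net, flags in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen >= best[0].prefixlen:
                best = (net, flags)
    return best


def smb_signd_dir(text):
    """Return the 'ntp signd socket directory' value from smb.conf text, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if " ".join(key.lower().split()) == "ntp signd socket directory":
            return value.strip()
    return None


def socket_present(directory):
    """True if <directory>/socket exists and is a UNIX socket (run on the DC itself)."""
    try:
        return stat.S_ISSOCK(os.stat(os.path.join(directory, "socket")).st_mode)
    except OSError:
        return False


def audit(ntp_text, smb_text, client_ip):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    ntp_dir, rules = parse_ntp_conf(ntp_text)
    smb_dir = smb_signd_dir(smb_text)
    if ntp_dir is None:
        findings.append("ntp.conf: no ntpsigndsocket line")
    if smb_dir is None:
        findings.append("smb.conf: 'ntp signd socket directory' not set, "
                        "so Samba uses its compiled-in default path")
    elif ntp_dir is not None and smb_dir.rstrip("/") != ntp_dir.rstrip("/"):
        findings.append(f"socket directory mismatch: ntp.conf={ntp_dir} smb.conf={smb_dir}")
    match = effective_rule(rules, client_ip)
    if match is None:
        findings.append(f"{client_ip}: no restrict entry matches, so no mssntp flag applies")
    elif "mssntp" not in match[1]:
        findings.append(f"{client_ip}: entry for {match[0]} lacks mssntp, "
                        "so ntpd does not sign replies for this client")
    return findings
```

With the subnet rule from this thread appended, audit() reports that a client in 192.168.1.128/25 matches an entry without mssntp, while clients elsewhere still fall through to the default entry that carries it.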
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 11:03:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually it to smb.conf: ntp signd socket directory = /var/run/samba/ntp_signd Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client? On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin amar...@xes-inc.com wrote: - Original Message - From: Thomas Simmons twsn...@gmail.com To: Andrew Martin amar...@xes-inc.com Cc: samba@lists.samba.org Sent: Saturday, July 27, 2013 10:33:49 AM Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6? On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote: Hello, I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04. I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf: server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/run/samba/ntp_signd restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery Using Ubuntu, I am not using SELinux. 
I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:

    # samba4 ntp signing socket
    /{,var/}run/samba/ntp_signd/socket rw,

What is the correct procedure for configuring NTP for a Samba4 AD DC?

Thanks,

Andrew

When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket?

Thomas,

When compiling Samba, I specified custom paths to be in line with Debian's conventions for file locations:

    conf_args = \
        --prefix=/usr \
        --enable-fhs \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --with-privatedir=/var/lib/samba/private \
        --with-smbpasswd-file=/etc/samba/smbpasswd \
        --with-piddir=/var/run/samba \
        --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
        --with-pam \
        --with-syslog \
        --with-utmp \
        --with-pam_smbpass \
        --with-winbind \
        --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
        --with-automount \
        --with-ldap \
        --with-ads \
        --with-dnsupdate \
        --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
        --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
        --datadir=/usr/share \
        --with-lockdir=/var/run/samba \
        --with-statedir=/var/lib/samba \
        --with-cachedir=/var/cache/samba \
        --disable-avahi \
        --with-ctdb=/usr \
        --disable-rpath \
        --disable-ntdb \
        --disable-rpath-install \
        --bundled-libraries=NONE,pytevent,iniparser \
        --builtin-libraries=replace,ccan \
        --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \
        --without-getpass-replacement \
        --enable-debug

Thanks,

Andrew

Thomas,

Adding that parameter to the smb.conf file, as well as removing the ntp_signd directory so that samba itself could create it appears to have worked:

    root@dc0:/# ls -l /var/run/samba/ntp_signd/
    total 0
    srwxrwxrwx 1 root root 0 Jul 27 11:41 socket

I also needed a few extra lines in ntp.conf, otherwise the Windows client would fail with the error The computer did not resync because no time data was available:

    server 0.us.pool.ntp.org
    server 1.us.pool.ntp.org
    server 2.us.pool.ntp.org
    server 3.us.pool.ntp.org
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    server 0.pool.ntp.org iburst prefer
    server 1.pool.ntp.org iburst prefer
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp
    ntpsigndsocket /var/run/samba/ntp_signd
    restrict default kod nomodify notrap nopeer mssntp
    restrict 127.0.0.1
    restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
    restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Do the Windows clients prefer ntp information from the DHCP lease, or from the DC that they are connected to? My DHCP configuration currently is using an old NTP server until I get Samba4's NTP up and running. Thus, when I run w32tm /query /source
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Running

    w32tm /config /update /syncfromflags:DOMHIER
    net stop w32time
    net start w32time

should make the client query the directory for its time server. You can verify the configuration with w32tm /query /configuration and look for the Type to be NT5DS. This means it's using AD. You can also run w32tm /monitor and the Windows time service will go through the processes of querying the directory to find a time server, then verify it's accessible. If that works, all is working.

I found w32tm /monitor will fail if you have your domain functional level at 2008 or 2008_R2. I don't know if this is a bug in Samba as I haven't had time to test against a real 2008+ server. Just know it's to be expected.

On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 11:03:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

The ls -l command you ran shows the ntp_signd directory is empty, so it looks like samba is not creating the socket (at least in that location). Do you have the ntp signd socket directory option in your smb.conf? If not, try manually adding it to smb.conf:

    ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop apparmor and iptables for testing and run ntp and samba with verbose logging on and see what it says. Also, what does w32tm /query /source and w32tm /monitor show on the client?

On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin amar...@xes-inc.com wrote:

- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 10:33:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote:

Hello,

I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 12.04.
I followed the instructions on the Samba wiki ( https://wiki.samba.org/index.php/Configure_NTP ) for how to configure ntp, however the domain clients are rejecting the DCs as being acceptable time sources. Below is my ntp.conf: server 127.127.1.0 fudge 127.127.1.0 stratum 10 server 0.pool.ntp.org iburst prefer server 1.pool.ntp.org iburst prefer driftfile /var/lib/ntp/ntp.drift logfile /var/log/ntp ntpsigndsocket /var/run/samba/ntp_signd restrict default kod nomodify notrap nopeer mssntp restrict 127.0.0.1 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery Using Ubuntu, I am not using SELinux. I do not believe there to be any problems with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd: # samba4 ntp signing socket /{,var/}run/samba/ntp_signd/socket rw, What is the correct procedure for configuring NTP for a Samba4 AD DC? Thanks, Andrew When you compiled Samba, did you not use the standard install path (/usr/local/samba) or did you add an entry in smb.conf to use /var/run/samba/ntp_signd for the socket? 
Thomas, When compiling Samba, I specified custom paths to be in line with Debian's conventions for file locations: conf_args = \ --prefix=/usr \ --enable-fhs \ --sysconfdir=/etc \ --localstatedir=/var \ --with-privatedir=/var/lib/samba/private \ --with-smbpasswd-file=/etc/samba/smbpasswd \ --with-piddir=/var/run/samba \ --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \ --with-pam \ --with-syslog \ --with-utmp \ --with-pam_smbpass \ --with-winbind \ --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \ --with-automount \ --with-ldap \ --with-ads \ --with-dnsupdate \ --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \ --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \ --datadir=/usr/share \ --with-lockdir=/var/run/samba \ --with-statedir=/var/lib/samba \ --with-cachedir=/var/cache/samba \ --disable-avahi \ --with-ctdb=/usr \ --disable-rpath \ --disable-ntdb \ --disable-rpath-install \ --bundled-libraries=NONE,pytevent,iniparser \ --builtin-libraries=replace,ccan \ --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \ --without-getpass-replacement \ --enable-debug Thanks, Andrew Thomas, Adding that parameter to the smb.conf file, as well as removing the ntp_signd directory so that samba itself could create it appears to have worked: root@dc0:/# ls -l /var/run/samba/ntp_signd/ total 0 srwxrwxrwx 1 root root 0 Jul 27 11:41 socket I also needed a few extra lines in ntp.conf, otherwise the Windows client
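The problem worked through in the message above (ntpd's ntpsigndsocket path not matching the directory where Samba creates its ntp_signd socket, plus the mssntp restrict flag) can be checked mechanically. The script below is an added example, not part of the original messages or of Samba; the function names and the constructed sample files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: cross-check ntpd and Samba settings for MS-SNTP signing.

# Value of "ntp signd socket directory" in an smb.conf-style file (last one wins).
smb_signd_dir() {
    sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*ntp signd socket directory[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Path given to "ntpsigndsocket" in an ntp.conf-style file (last one wins).
ntp_signd_dir() {
    awk '$1 == "ntpsigndsocket" { dir = $2 } END { if (dir != "") print dir }' "$1"
}

# Succeeds when an active "restrict" line carries the mssntp flag.
ntp_has_mssntp() {
    awk '$1 == "restrict" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break          # rest of the line is a comment
                 if ($i == "mssntp") found = 1
             }
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Prints one finding per line; returns 0 only when nothing was found.
check_signd() {
    ntp_conf=$1; smb_conf=$2; rc=0
    ntp_dir=$(ntp_signd_dir "$ntp_conf")
    smb_dir=$(smb_signd_dir "$smb_conf")
    if [ -z "$ntp_dir" ]; then
        echo "ntp.conf: no ntpsigndsocket line"; rc=1
    fi
    if [ -z "$smb_dir" ]; then
        echo "smb.conf: ntp signd socket directory not set, Samba uses its build-time default"; rc=1
    elif [ -n "$ntp_dir" ] && [ "$ntp_dir" != "$smb_dir" ]; then
        echo "mismatch: ntpd expects $ntp_dir but Samba is told $smb_dir"; rc=1
    fi
    if ! ntp_has_mssntp "$ntp_conf"; then
        echo "ntp.conf: no restrict line carries mssntp"; rc=1
    fi
    if [ -n "$ntp_dir" ] && [ ! -S "$ntp_dir/socket" ]; then
        echo "socket: $ntp_dir/socket is missing or not a socket"; rc=1
    fi
    return $rc
}

# Constructed sample: the thread's starting point, an smb.conf without the option.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ntpsigndsocket /var/run/samba/ntp_signd' \
        'restrict default kod nomodify notrap nopeer mssntp' > "$d/ntp.conf"
    printf '%s\n' '[global]' '    server role = active directory domain controller' > "$d/smb.conf"
    check_signd "$d/ntp.conf" "$d/smb.conf" || true
    rm -rf "$d"
}
demo
```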
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
Your Windows client is not able to access the NTP server, which is why w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no response from server in 1000ms error when running w32tm /monitor. Why? I can't say. Can you setup a Linux box to use this server for NTP and run ntpdate as a test? I've seen this when there is a flaky network connection (traffic, wifi, or when the DC is a VMware VM under certain situations). Your DC is not a VM is it?

On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote:
Re: [Samba] Correct NTP Settings for Samba 4.0.6?
- Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 7:07:59 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?