Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-08-01 Thread Andrew Martin


- Original Message -
 From: Jason MacChesney jason.macches...@ecacs16.ab.ca
 To: Andrew Martin amar...@xes-inc.com
 Cc: Thomas Simmons twsn...@gmail.com, samba@lists.samba.org
 Sent: Wednesday, July 31, 2013 2:24:35 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 Hi Andrew, I've been struggling silently with this for quite awhile.
 With pretty much an identical set-up (save for my W7 machines being
 handled by Virtual Box) I'm at my wit's end. A tcpdump initially
 revealed that the server with Samba4(.0.7) and NTP was being sent
 packets, but never returning them. Similarly, a Linux box was caught
 in stratum 16. Both of these problems were resolved after amending
 the ntp.conf file to allow IP's from a specified subnet. So in my
 case:
 restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
 
 
 Now I get this:
 
 C:\Users\administrator>w32tm /monitor
 sambaf.sambafour. LOCAL *** PDC ***[ 192.168.1.131:123 ]:
 ICMP: 0ms delay
 NTP: +0.000s offset from sambaf.sambafour. LOCAL
 RefID: mx2.trentu.ca [192.75.12.11]
 Stratum: 3
 Warning:
 Reverse name resolution is best effort. It may not be
 correct since RefID field in time packets differs across
 NTP implementations and may not be using IP addresses.
 
 
 BUT, I still get this:
 
 C:\Users\administrator>w32tm /resync /rediscover
 Sending resync command to local computer
 The computer did not resync because no time data was available.
 C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
 The command completed successfully.
 C:\Users\administrator>w32tm /query /source
 Local CMOS Clock
 
 
 Tried it all. Disabled Windows firewalls, set iptables, net
 stop/start, register/unregister, included the signdsocket directory
 in both the smb and ntp configuration files.
 I'm really surprised to hear that you received mixed results based on
 how you launched the ntp service. I've had no such luck.
 So I'm pretty baffled. Time drift is potentially a massive issue
 where we deploy machines due to PEBKAC. I hate to piggyback on an
 issue, but any insight anyone might have would be appreciated.
 
 
 
 
 
 
 
 
 
 On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin  amar...@xes-inc.com
  wrote:
 
 
 
 - Original Message -
  From: Thomas Simmons  twsn...@gmail.com 
  To: Andrew Martin  amar...@xes-inc.com 
  Cc: samba@lists.samba.org
 
 
  Sent: Saturday, July 27, 2013 7:07:59 PM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  Your Windows client is not able to access the NTP server, which is why
  w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no
  response from server in 1000ms error when running w32tm /monitor. Why? I
  can't say. Can you set up a Linux box to use this server for NTP and run
  ntpdate as a test? I've seen this when there is a flaky network connection
  (traffic, wifi, or when the DC is a VMware VM under certain situations).
  Your DC is not a VM is it?
  
  
  On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin 
  amar...@xes-inc.com 
  wrote:
  
   - Original Message -
From: Andrew Martin  amar...@xes-inc.com 
To: Thomas Simmons  twsn...@gmail.com 
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

- Original Message -
 From: Thomas Simmons  twsn...@gmail.com 
 To: Andrew Martin  amar...@xes-inc.com 
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 12:26:57 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
  net start w32time should make the client query the directory for its
 time server. You can verify the configuration with w32tm /query
 /configuration and look for the Type to be NT5DS. This means it's using
 AD. You can also run w32tm /monitor and the Windows time service will go
 through the processes of querying the directory to find a time server, then
 verify it's accessible. If that works, all is working. I found w32tm
 /monitor will fail if you have your domain functional level at 2008 or
 2008_R2. I don't know if this is a bug in Samba as I haven't had time to
 test against a real 2008+ server. Just know it's to be expected.
 
 
 On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
  amar...@xes-inc.com 
 wrote:
 
  - Original Message -
   From: Thomas Simmons  twsn...@gmail.com 
   To: Andrew Martin  amar...@xes-inc.com 
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 11:03:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba
   4.0.6?
   
   
   The ls -l command you ran shows the ntp_signd directory
   is
   empty,
   so
   it looks like samba

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-08-01 Thread Andrew Martin
Hi Murray,

- Original Message -
 From: Murray Fraser msfra...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Wednesday, July 31, 2013 11:36:54 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
 
 
 
 Hi Andrew
 
 Did you compile NTP with --enable-ntp-signd?
 
It is the default ntp package provided by Ubuntu/Debian, but yes I believe so.
 If you run 'ntpd -d' as root do you see:
 
 transmit ntp_signd packet: at 44 XX.XX.XX.XX-XX.XX.XX.XX mode 4
 keyid 5004 len 68

Yes, I do. Are those packets only sent when a client requests an update?
# ntpd -d | grep signd
MS-SNTP signd operations currently block ntpd degrading service to all clients.
 1 Aug 10:03:22 ntpd[9351]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
transmit ntp_signd packet: at 134 192.168.0.101-192.168.0.90 mode 4 keyid d405 len 68
transmit ntp_signd packet: at 318 192.168.0.101-192.168.0.88 mode 4 keyid dd05 len 68

Thanks,

Andrew
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-31 Thread Jason MacChesney
Hi Andrew, I've been struggling silently with this for quite awhile. With
pretty much an identical set-up (save for my W7 machines being handled by
Virtual Box) I'm at my wit's end. A tcpdump initially revealed that the
server with Samba4(.0.7) and NTP was being sent packets, but never
returning them. Similarly, a Linux box was caught in stratum 16. Both of
these problems were resolved after amending the ntp.conf file to allow IP's
from a specified subnet. So in my case:
restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer

Now I get this:
C:\Users\administrator>w32tm /monitor
sambaf.sambafour. LOCAL *** PDC ***[192.168.1.131:123]:
ICMP: 0ms delay
NTP: +0.000s offset from sambaf.sambafour. LOCAL
RefID: mx2.trentu.ca [192.75.12.11]
Stratum: 3
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

BUT, I still get this:

C:\Users\administrator>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
C:\Users\administrator>w32tm /config /syncfromflags:DOMHIER /update
The command completed successfully.
C:\Users\administrator>w32tm /query /source
Local CMOS Clock

Tried it all. Disabled Windows firewalls, set iptables, net stop/start,
register/unregister, included the signdsocket directory in both the smb and
ntp configuration files.
I'm really surprised to hear that you received mixed results based on how
you launched the ntp service. I've had no such luck.
So I'm pretty baffled. Time drift is potentially a massive issue where we
deploy machines due to PEBKAC. I hate to piggyback on an issue, but any
insight anyone might have would be appreciated.





On Sat, Jul 27, 2013 at 10:43 PM, Andrew Martin amar...@xes-inc.com wrote:

 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 7:07:59 PM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
  Your Windows client is not able to access the NTP server, which is why
  w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no
  response from server in 1000ms error when running w32tm /monitor. Why? I
  can't say. Can you set up a Linux box to use this server for NTP and run
  ntpdate as a test? I've seen this when there is a flaky network connection
  (traffic, wifi, or when the DC is a VMware VM under certain situations).
  Your DC is not a VM is it?
 
 
  On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com
  wrote:
 
   - Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
   
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 12:26:57 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

 Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
  net start w32time should make the client query the directory for its
 time server. You can verify the configuration with w32tm /query
 /configuration and look for the Type to be NT5DS. This means it's using
 AD. You can also run w32tm /monitor and the Windows time service will go
 through the processes of querying the directory to find a time server, then
 verify it's accessible. If that works, all is working. I found w32tm
 /monitor will fail if you have your domain functional level at 2008 or
 2008_R2. I don't know if this is a bug in Samba as I haven't had time to
 test against a real 2008+ server. Just know it's to be expected.


 On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
 amar...@xes-inc.com
 wrote:

  - Original Message -
   From: Thomas Simmons twsn...@gmail.com
   To: Andrew Martin amar...@xes-inc.com
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 11:03:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  
   The ls -l command you ran shows the ntp_signd directory is empty, so
   it looks like samba is not creating the socket (at least in that
   location). Do you have the ntp signd socket directory option in
   your smb.conf? If not, try manually adding it to smb.conf:
  
   ntp signd socket directory = /var/run/samba/ntp_signd
  
  
   Apart from that, my suggestion would be to stop

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-31 Thread Murray Fraser
Hi Andrew

Did you compile NTP with --enable-ntp-signd?

If you run 'ntpd -d' as root do you see:

transmit ntp_signd packet: at 44 XX.XX.XX.XX-XX.XX.XX.XX mode 4 keyid
5004 len 68

- Murray



On Sun, Jul 28, 2013 at 2:43 PM, Andrew Martin amar...@xes-inc.com wrote:

 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 7:07:59 PM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
  Your Windows client is not able to access the NTP server, which is why
  w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no
  response from server in 1000ms error when running w32tm /monitor. Why? I
  can't say. Can you set up a Linux box to use this server for NTP and run
  ntpdate as a test? I've seen this when there is a flaky network connection
  (traffic, wifi, or when the DC is a VMware VM under certain situations).
  Your DC is not a VM is it?
 
 
  On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com
  wrote:
 
   - Original Message -
From: Andrew Martin amar...@xes-inc.com
To: Thomas Simmons twsn...@gmail.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 2:31:21 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
   
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 12:26:57 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?

 Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
  net start w32time should make the client query the directory for its
 time server. You can verify the configuration with w32tm /query
 /configuration and look for the Type to be NT5DS. This means it's using
 AD. You can also run w32tm /monitor and the Windows time service will go
 through the processes of querying the directory to find a time server, then
 verify it's accessible. If that works, all is working. I found w32tm
 /monitor will fail if you have your domain functional level at 2008 or
 2008_R2. I don't know if this is a bug in Samba as I haven't had time to
 test against a real 2008+ server. Just know it's to be expected.


 On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
 amar...@xes-inc.com
 wrote:

  - Original Message -
   From: Thomas Simmons twsn...@gmail.com
   To: Andrew Martin amar...@xes-inc.com
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 11:03:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  
   The ls -l command you ran shows the ntp_signd directory is empty, so
   it looks like samba is not creating the socket (at least in that
   location). Do you have the ntp signd socket directory option in
   your smb.conf? If not, try manually adding it to smb.conf:
  
   ntp signd socket directory = /var/run/samba/ntp_signd
  
  
   Apart from that, my suggestion would be to stop apparmor and iptables
   for testing and run ntp and samba with verbose logging on and see
   what it says. Also, what does w32tm /query /source and w32tm
   /monitor show on the client?
  
  
  
   On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin 
   amar...@xes-inc.com
wrote:
  
  
  
   - Original Message -
From: Thomas Simmons  twsn...@gmail.com 
To: Andrew Martin  amar...@xes-inc.com 
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 10:33:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba
4.0.6?
   
   
   
   
   
  
  
On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
amar...@xes-inc.com
 wrote:
   
   
Hello,
   
I recently compiled Samba 4.0.6 (as an AD DC) and am
running
it
on
Ubuntu 12.04.
I followed the instructions on the Samba wiki (
https://wiki.samba.org/index.php/Configure_NTP )
for how to configure ntp, however the domain clients are
rejecting
the DCs as
being acceptable time sources. Below is my ntp.conf:
   
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify

[Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
Hello,

I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu 
12.04. 
I followed the instructions on the Samba wiki 
(https://wiki.samba.org/index.php/Configure_NTP)
for how to configure ntp, however the domain clients are rejecting the DCs as
being acceptable time sources. Below is my ntp.conf:

server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Using Ubuntu, I am not using SELinux. I do not believe there to be any problems
with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

What is the correct procedure for configuring NTP for a Samba4 AD DC?

Thanks,

Andrew


Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Robert Gurdon sandbox...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Sent: Saturday, July 27, 2013 7:02:51 AM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 Yo,
 
 Could you attach your ntp log when you start/restart it?
 
 Robert
 
 
 On 2013-07-27 08:26, Andrew Martin wrote:
  Hello,
 
  I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
  Ubuntu 12.04.
  I followed the instructions on the Samba wiki
  (https://wiki.samba.org/index.php/Configure_NTP)
  for how to configure ntp, however the domain clients are rejecting
  the DCs as
  being acceptable time sources. Below is my ntp.conf:
 
  server 127.127.1.0
  fudge  127.127.1.0 stratum 10
  server 0.pool.ntp.org  iburst prefer
  server 1.pool.ntp.org  iburst prefer
  driftfile /var/lib/ntp/ntp.drift
  logfile /var/log/ntp
  ntpsigndsocket /var/run/samba/ntp_signd
  restrict default kod nomodify notrap nopeer mssntp
  restrict 127.0.0.1
  restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
  restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
 
  Using Ubuntu, I am not using SELinux. I do not believe there to be
  any problems
  with apparmor, as it contains these lines in
  /etc/apparmor.d/usr.sbin.ntpd:
 # samba4 ntp signing socket
 /{,var/}run/samba/ntp_signd/socket rw,
 
  What is the correct procedure for configuring NTP for a Samba4 AD
  DC?
 
  Thanks,
 
  Andrew
 
 --
 Kind regards:
 
  Robert
  
 
 
Robert,

Sure, thanks for the help. Here are log messages when I restart ntpd:
Jul 27 09:14:02 dc1 ntpd[30565]: ntpd exiting on signal 15
Jul 27 09:14:04 dc1 ntpd[5957]: ntpd 4.2.6p3@1.2290-o Tue Jun  5 20:12:08 UTC 2012 (1)
Jul 27 09:14:04 dc1 ntpd[5958]: proto: precision = 0.345 usec
Jul 27 09:14:04 dc1 ntpd[5958]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen and drop on 1 v6wildcard :: UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 3 eth0 192.168.0.102 UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 4 eth0 192.168.0.221 UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 5 eth0 fe80::5054:ff:fece:1e3b UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: Listen normally on 6 lo ::1 UDP 123
Jul 27 09:14:04 dc1 ntpd[5958]: peers refreshed
Jul 27 09:14:04 dc1 ntpd[5958]: Listening on routing socket on fd #23 for interface updates
Jul 27 09:14:04 dc1 ntpd[5958]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

The ntp_signd directory is empty:
root@dc1:/# ls -l /var/run/samba/ntp_signd
total 0
root@dc1:/# ls -l /var/run/samba/ | grep ntp
drwxr-x--- 2 ntp  ntp  40 Jul  8 16:40 ntp_signd

Thanks,

Andrew


Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Thomas Simmons
On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin amar...@xes-inc.com wrote:

 Hello,

 I recently compiled Samba 4.0.6 (as an AD DC) and am running it on Ubuntu
 12.04.
 I followed the instructions on the Samba wiki (
 https://wiki.samba.org/index.php/Configure_NTP)
 for how to configure ntp, however the domain clients are rejecting the DCs
 as
 being acceptable time sources. Below is my ntp.conf:

 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 server 0.pool.ntp.org  iburst prefer
 server 1.pool.ntp.org  iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /var/run/samba/ntp_signd
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
 noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
 noquery

 Using Ubuntu, I am not using SELinux. I do not believe there to be any
 problems
 with apparmor, as it contains these lines in /etc/apparmor.d/usr.sbin.ntpd:
   # samba4 ntp signing socket
   /{,var/}run/samba/ntp_signd/socket rw,

 What is the correct procedure for configuring NTP for a Samba4 AD DC?

 Thanks,

 Andrew

 When you compiled Samba, did you not use the standard install path
(/usr/local/samba) or did you add an entry in smb.conf to use
/var/run/samba/ntp_signd for the socket?


Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 10:33:49 AM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
 
 
 
 On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin  amar...@xes-inc.com
  wrote:
 
 
 Hello,
 
 I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
 Ubuntu 12.04.
 I followed the instructions on the Samba wiki (
 https://wiki.samba.org/index.php/Configure_NTP )
 for how to configure ntp, however the domain clients are rejecting
 the DCs as
 being acceptable time sources. Below is my ntp.conf:
 
 server 127.127.1.0
 fudge 127.127.1.0 stratum 10
 server 0.pool.ntp.org iburst prefer
 server 1.pool.ntp.org iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /var/run/samba/ntp_signd
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
 noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
 noquery
 
 Using Ubuntu, I am not using SELinux. I do not believe there to be
 any problems
 with apparmor, as it contains these lines in
 /etc/apparmor.d/usr.sbin.ntpd:
 # samba4 ntp signing socket
 /{,var/}run/samba/ntp_signd/socket rw,
 
 What is the correct procedure for configuring NTP for a Samba4 AD DC?
 
 Thanks,
 
 Andrew
 
 
 When you compiled Samba, did you not use the standard install path
 (/usr/local/samba) or did you add an entry in smb.conf to use
 /var/run/samba/ntp_signd for the socket?
 
Thomas,

When compiling Samba, I specified custom paths to be in line with Debian's
conventions for file locations:
conf_args = \
--prefix=/usr \
--enable-fhs \
--sysconfdir=/etc \
--localstatedir=/var \
--with-privatedir=/var/lib/samba/private \
--with-smbpasswd-file=/etc/samba/smbpasswd \
--with-piddir=/var/run/samba \
--with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
--with-pam \
--with-syslog \
--with-utmp \
--with-pam_smbpass \
--with-winbind \
--with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
--with-automount \
--with-ldap \
--with-ads \
--with-dnsupdate \
--libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
--datadir=/usr/share \
--with-lockdir=/var/run/samba \
--with-statedir=/var/lib/samba \
--with-cachedir=/var/cache/samba \
--disable-avahi \
--with-ctdb=/usr \
--disable-rpath \
--disable-ntdb \
--disable-rpath-install \
--bundled-libraries=NONE,pytevent,iniparser \
--builtin-libraries=replace,ccan \
--minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \
--without-getpass-replacement \
--enable-debug


Thanks,

Andrew


Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Thomas Simmons
The ls -l command you ran shows the ntp_signd directory is empty, so it
looks like samba is not creating the socket (at least in that location). Do
you have the ntp signd socket directory option in your smb.conf? If not,
try manually adding it to smb.conf:
ntp signd socket directory = /var/run/samba/ntp_signd

Apart from that, my suggestion would be to stop apparmor and iptables for
testing and run ntp and samba with verbose logging on and see what it says.
Also, what does w32tm /query /source and w32tm /monitor show on the
client?


On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin amar...@xes-inc.com wrote:

 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 10:33:49 AM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
 
 
 
  On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin  amar...@xes-inc.com
   wrote:
 
 
  Hello,
 
  I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
  Ubuntu 12.04.
  I followed the instructions on the Samba wiki (
  https://wiki.samba.org/index.php/Configure_NTP )
  for how to configure ntp, however the domain clients are rejecting
  the DCs as
  being acceptable time sources. Below is my ntp.conf:
 
  server 127.127.1.0
  fudge 127.127.1.0 stratum 10
  server 0.pool.ntp.org iburst prefer
  server 1.pool.ntp.org iburst prefer
  driftfile /var/lib/ntp/ntp.drift
  logfile /var/log/ntp
  ntpsigndsocket /var/run/samba/ntp_signd
  restrict default kod nomodify notrap nopeer mssntp
  restrict 127.0.0.1
  restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
  restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
 
  Using Ubuntu, I am not using SELinux. I do not believe there to be
  any problems
  with apparmor, as it contains these lines in
  /etc/apparmor.d/usr.sbin.ntpd:
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
 
  What is the correct procedure for configuring NTP for a Samba4 AD DC?
 
  Thanks,
 
  Andrew
 
 
  When you compiled Samba, did you not use the standard install path
  (/usr/local/samba) or did you add an entry in smb.conf to use
  /var/run/samba/ntp_signd for the socket?
 
 Thomas,

 When compiling Samba, I specified custom paths to be in line with Debian's
 conventions for file locations:
 conf_args = \
 --prefix=/usr \
 --enable-fhs \
 --sysconfdir=/etc \
 --localstatedir=/var \
 --with-privatedir=/var/lib/samba/private \
 --with-smbpasswd-file=/etc/samba/smbpasswd \
 --with-piddir=/var/run/samba \
 --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
 --with-pam \
 --with-syslog \
 --with-utmp \
 --with-pam_smbpass \
 --with-winbind \

 --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2
 \
 --with-automount \
 --with-ldap \
 --with-ads \
 --with-dnsupdate \
 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
 --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
 --datadir=/usr/share \
 --with-lockdir=/var/run/samba \
 --with-statedir=/var/lib/samba \
 --with-cachedir=/var/cache/samba \
 --disable-avahi \
 --with-ctdb=/usr \
 --disable-rpath \
 --disable-ntdb \
 --disable-rpath-install \
 --bundled-libraries=NONE,pytevent,iniparser \
 --builtin-libraries=replace,ccan \
 --minimum-library-version=$(shell ./debian/autodeps.py
 --minimum-library-version) \
 --without-getpass-replacement \
 --enable-debug


 Thanks,

 Andrew
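
The settings this thread checks by hand (ntp.conf `ntpsigndsocket`, smb.conf `ntp signd socket directory`, the `mssntp` restrict flag and the socket itself), gathered into one audit as an added example that is not part of any poster's message. The sample configs are constructed from lines quoted in the thread, the function names and client addresses are hypothetical, and the code assumes ntpd's behaviour that the most specific matching `restrict` entry governs a client (IPv4 only; hostname entries are skipped because they need DNS).

```python
import ipaddress
import os
import stat

def parse_ntp_conf(text):
    """Return (ntpsigndsocket path or None, [(network, flags)]) from ntp.conf text."""
    signd_dir, rules = None, []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or "-6" in tok:
            continue
        if tok[0] == "ntpsigndsocket":
            signd_dir = tok[1]
        elif tok[0] == "restrict":
            args = [t for t in tok[1:] if t != "-4"]
            addr, rest = args[0], args[1:]
            mask = None
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            try:
                if addr == "default":
                    net = ipaddress.ip_network("0.0.0.0/0")
                else:
                    spec = addr + "/" + mask if mask else addr
                    net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                continue  # hostname entry (e.g. a pool server): not resolved here
            rules.append((net, set(rest)))
    return signd_dir, rules

def smb_signd_dir(text):
    """Value of 'ntp signd socket directory' in smb.conf text, or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba parameter names ignore case and embedded whitespace.
        if "".join(key.lower().split()) == "ntpsigndsocketdirectory":
            return value.strip()
    return None

def effective_flags(rules, client_ip):
    """Flags of the narrowest restrict entry covering client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, flags) for net, flags in rules
            if net.version == ip.version and ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def check_socket(signd_dir):
    """Filesystem checks on the signing socket directory (run on the DC)."""
    findings = []
    try:
        dmode = os.stat(signd_dir).st_mode
    except OSError:
        return [signd_dir + ": directory missing"]
    # The socket in the thread is mode 0777, so the directory is what limits
    # which local users can reach the signing service.
    if dmode & 0o007:
        findings.append(signd_dir + ": directory is accessible to 'other'")
    sock = os.path.join(signd_dir, "socket")
    try:
        if not stat.S_ISSOCK(os.stat(sock).st_mode):
            findings.append(sock + ": exists but is not a socket")
    except OSError:
        findings.append(sock + ": missing, samba has not created the socket")
    return findings

def audit(ntp_conf, smb_conf, clients):
    """Config-only checks; returns a list of findings (empty means consistent)."""
    findings = []
    signd_dir, rules = parse_ntp_conf(ntp_conf)
    smb_dir = smb_signd_dir(smb_conf)
    if signd_dir is None:
        findings.append("ntp.conf: ntpsigndsocket is not set")
    if smb_dir is None:
        findings.append("smb.conf: ntp signd socket directory is not set, "
                        "samba uses its built-in default path")
    elif signd_dir and os.path.normpath(smb_dir) != os.path.normpath(signd_dir):
        findings.append("socket directory mismatch: ntp.conf=%s smb.conf=%s"
                        % (signd_dir, smb_dir))
    for ip in clients:
        flags = effective_flags(rules, ip)
        if flags is None or "mssntp" not in flags:
            findings.append(ip + ": governing restrict entry lacks mssntp, "
                            "MS-SNTP requests are not passed to ntp_signd")
    return findings

# Constructed sample input assembled from lines quoted in the thread.
NTP_CONF = """\
server 127.127.1.0
fudge  127.127.1.0 stratum 10
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 192.168.1.128 mask 255.255.255.128 nomodify notrap nopeer
"""
SMB_CONF = "[global]\n    ntp signd socket directory = /var/run/samba/ntp_signd\n"

if __name__ == "__main__":
    # 192.168.0.90 falls under 'default'; 192.168.1.200 under the /25 entry.
    for finding in audit(NTP_CONF, SMB_CONF, ["192.168.0.90", "192.168.1.200"]):
        print(finding)
```

On a DC, read the real `/etc/ntp.conf` and smb.conf into `audit()` and call `check_socket()` on the configured directory as root.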



Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 11:03:49 AM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
 The ls -l command you ran shows the ntp_signd directory is empty, so
 it looks like samba is not creating the socket (at least in that
 location). Do you have the ntp signd socket directory option in
 your smb.conf? If not, try manually adding it to smb.conf:
 
 ntp signd socket directory = /var/run/samba/ntp_signd
 
 
 Apart from that, my suggestion would be to stop apparmor and iptables
 for testing and run ntp and samba with verbose logging on and see
 what it says. Also, what does w32tm /query /source and w32tm
 /monitor show on the client?
 
 
 
 On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin  amar...@xes-inc.com
  wrote:
 
 
 
 - Original Message -
  From: Thomas Simmons  twsn...@gmail.com 
  To: Andrew Martin  amar...@xes-inc.com 
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 10:33:49 AM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  
  
  
  
 
 
  On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
  amar...@xes-inc.com
   wrote:
  
  
  Hello,
  
  I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
  Ubuntu 12.04.
  I followed the instructions on the Samba wiki (
  https://wiki.samba.org/index.php/Configure_NTP )
  for how to configure ntp, however the domain clients are rejecting
  the DCs as
  being acceptable time sources. Below is my ntp.conf:
  
  server 127.127.1.0
  fudge 127.127.1.0 stratum 10
  server 0.pool.ntp.org iburst prefer
  server 1.pool.ntp.org iburst prefer
  driftfile /var/lib/ntp/ntp.drift
  logfile /var/log/ntp
  ntpsigndsocket /var/run/samba/ntp_signd
  restrict default kod nomodify notrap nopeer mssntp
  restrict 127.0.0.1
  restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
  restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
  noquery
  
  Using Ubuntu, I am not using SELinux. I do not believe there to be
  any problems
  with apparmor, as it contains these lines in
  /etc/apparmor.d/usr.sbin.ntpd:
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
  
  What is the correct procedure for configuring NTP for a Samba4 AD
  DC?
  
  Thanks,
  
  Andrew
  
  
  When you compiled Samba, did you not use the standard install path
  (/usr/local/samba) or did you add an entry in smb.conf to use
  /var/run/samba/ntp_signd for the socket?
  
 Thomas,
 
 When compiling Samba, I specified custom paths to be in line with
 Debian's
 conventions for file locations:
 conf_args = \
 --prefix=/usr \
 --enable-fhs \
 --sysconfdir=/etc \
 --localstatedir=/var \
 --with-privatedir=/var/lib/samba/private \
 --with-smbpasswd-file=/etc/samba/smbpasswd \
 --with-piddir=/var/run/samba \
 --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
 --with-pam \
 --with-syslog \
 --with-utmp \
 --with-pam_smbpass \
 --with-winbind \
 --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2
 \
 --with-automount \
 --with-ldap \
 --with-ads \
 --with-dnsupdate \
 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
 --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
 --datadir=/usr/share \
 --with-lockdir=/var/run/samba \
 --with-statedir=/var/lib/samba \
 --with-cachedir=/var/cache/samba \
 --disable-avahi \
 --with-ctdb=/usr \
 --disable-rpath \
 --disable-ntdb \
 --disable-rpath-install \
 --bundled-libraries=NONE,pytevent,iniparser \
 --builtin-libraries=replace,ccan \
 --minimum-library-version=$(shell ./debian/autodeps.py
 --minimum-library-version) \
 --without-getpass-replacement \
 --enable-debug
 
 
 Thanks,
 
 Andrew
 
 
Thomas,

Adding that parameter to the smb.conf file, as well as removing the ntp_signd 
directory
so that samba itself could create it appears to have worked:
root@dc0:/# ls -l /var/run/samba/ntp_signd/
total 0
srwxrwxrwx 1 root root 0 Jul 27 11:41 socket

I also needed a few extra lines in ntp.conf, otherwise the Windows client would
fail with the error "The computer did not resync because no time data was
available":
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server 0.pool.ntp.org  iburst prefer
server 1.pool.ntp.org  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery


Do the Windows clients prefer ntp information from the DHCP lease, or from the
DC that they are connected to? My DHCP configuration currently is using an old
NTP server until I get Samba4's NTP up and running. Thus, when I run w32tm /query /source
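
A consistency check for the fix described in the message above, as an added example (not code from the thread or from the Samba project): it compares the ntp signd socket directory value in smb.conf with ntpsigndsocket in ntp.conf, confirms that a restrict entry carries mssntp, and can inspect the socket on disk. The sample file contents are constructed from the settings quoted in the thread; the function names, the subnet-override check and the directory policy (no access for "other" users) are assumptions of this example.

```python
import os
import re
import stat

# Constructed samples, modelled on the settings quoted in the thread.
SMB_CONF = """[global]
    ntp signd socket directory = /var/run/samba/ntp_signd
"""
NTP_CONF = """ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
"""


def smb_signd_dir(smb_conf):
    """Value of 'ntp signd socket directory' in smb.conf text, or None."""
    found = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        # smb.conf parameter names ignore case and embedded whitespace.
        if re.sub(r"\s+", "", key).lower() == "ntpsigndsocketdirectory":
            found = val.strip()
    return found


def parse_ntp_conf(ntp_conf):
    """Return (ntpsigndsocket directory or None, [(target, mask, flags)])."""
    signd, restricts = None, []
    for raw in ntp_conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] == "ntpsigndsocket":
            signd = words[1]
        elif len(words) >= 2 and words[0] == "restrict":
            target, rest, mask = words[1], words[2:], None
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            restricts.append((target, mask, set(rest)))
    return signd, restricts


def check_socket(directory):
    """On-disk checks; ntpd connects to <directory>/socket."""
    path = os.path.join(directory, "socket")
    try:
        st = os.lstat(path)
    except OSError:
        return [f"{path}: missing (samba not running, or using another path)"]
    out = []
    if not stat.S_ISSOCK(st.st_mode):
        out.append(f"{path}: exists but is not a socket")
    # Assumed policy: only root and ntpd's group may enter the directory.
    if stat.S_IMODE(os.stat(directory).st_mode) & stat.S_IRWXO:
        out.append(f"{directory}: accessible to 'other' users")
    return out


def audit(smb_conf, ntp_conf, check_fs=False):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    smb_dir = smb_signd_dir(smb_conf)
    ntp_dir, restricts = parse_ntp_conf(ntp_conf)
    if ntp_dir is None:
        findings.append("ntp.conf: no ntpsigndsocket line")
    if smb_dir is None:
        findings.append("smb.conf: 'ntp signd socket directory' unset, so "
                        "samba uses its build-time default path")
    elif ntp_dir and os.path.normpath(smb_dir) != os.path.normpath(ntp_dir):
        findings.append(f"path mismatch: smb.conf {smb_dir}, ntp.conf {ntp_dir}")
    if not any("mssntp" in flags for _, _, flags in restricts):
        findings.append("ntp.conf: no restrict entry carries mssntp")
    for target, mask, flags in restricts:
        # A subnet entry is matched before 'default' for clients inside it.
        if mask not in (None, "255.255.255.255") and "mssntp" not in flags:
            findings.append(f"ntp.conf: restrict {target} mask {mask} lacks mssntp")
    if check_fs and ntp_dir:
        findings.extend(check_socket(ntp_dir))
    return findings
```

Calling audit() with check_fs=True needs to run as root on the DC so the socket directory can be inspected.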

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Thomas Simmons
Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
 net start w32time should make the client query the directory for its
time server. You can verify the configuration with w32tm /query
/configuration and look for the Type to be NT5DS. This means it's using
AD. You can also run w32tm /monitor and the Windows time service will go
through the processes of querying the directory to find a time server, then
verify it's accessible. If that works, all is working. I found w32tm
/monitor will fail if you have your domain functional level at 2008 or
2008_R2. I don't know if this is a bug in Samba as I haven't had time to
test against a real 2008+ server. Just know it's to be expected.


On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com wrote:

 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 11:03:49 AM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
  The ls -l command you ran shows the ntp_signd directory is empty, so
  it looks like samba is not creating the socket (at least in that
  location). Do you have the ntp signd socket directory option in
  your smb.conf? If not, try manually adding it to smb.conf:
 
  ntp signd socket directory = /var/run/samba/ntp_signd
 
 
  Apart from that, my suggestion would be to stop apparmor and iptables
  for testing and run ntp and samba with verbose logging on and see
  what it says. Also, what does w32tm /query /source and w32tm
  /monitor show on the client?
 
 
 
  On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin  amar...@xes-inc.com
   wrote:
 
 
 
  - Original Message -
   From: Thomas Simmons  twsn...@gmail.com 
   To: Andrew Martin  amar...@xes-inc.com 
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 10:33:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  
  
  
  
 
 
   On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
   amar...@xes-inc.com
wrote:
  
  
   Hello,
  
   I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
   Ubuntu 12.04.
   I followed the instructions on the Samba wiki (
   https://wiki.samba.org/index.php/Configure_NTP )
   for how to configure ntp, however the domain clients are rejecting
   the DCs as
   being acceptable time sources. Below is my ntp.conf:
  
   server 127.127.1.0
   fudge 127.127.1.0 stratum 10
   server 0.pool.ntp.org iburst prefer
   server 1.pool.ntp.org iburst prefer
   driftfile /var/lib/ntp/ntp.drift
   logfile /var/log/ntp
   ntpsigndsocket /var/run/samba/ntp_signd
   restrict default kod nomodify notrap nopeer mssntp
   restrict 127.0.0.1
   restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
   noquery
   restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
   noquery
  
   Using Ubuntu, I am not using SELinux. I do not believe there to be
   any problems
   with apparmor, as it contains these lines in
   /etc/apparmor.d/usr.sbin.ntpd:
   # samba4 ntp signing socket
   /{,var/}run/samba/ntp_signd/socket rw,
  
   What is the correct procedure for configuring NTP for a Samba4 AD
   DC?
  
   Thanks,
  
   Andrew
  
  
   When you compiled Samba, did you not use the standard install path
   (/usr/local/samba) or did you add an entry in smb.conf to use
   /var/run/samba/ntp_signd for the socket?
  
  Thomas,
 
  When compiling Samba, I specified custom paths to be in line with Debian's
  conventions for file locations:
  conf_args = \
  --prefix=/usr \
  --enable-fhs \
  --sysconfdir=/etc \
  --localstatedir=/var \
  --with-privatedir=/var/lib/samba/private \
  --with-smbpasswd-file=/etc/samba/smbpasswd \
  --with-piddir=/var/run/samba \
  --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
  --with-pam \
  --with-syslog \
  --with-utmp \
  --with-pam_smbpass \
  --with-winbind \
  --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2 \
  --with-automount \
  --with-ldap \
  --with-ads \
  --with-dnsupdate \
  --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
  --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
  --datadir=/usr/share \
  --with-lockdir=/var/run/samba \
  --with-statedir=/var/lib/samba \
  --with-cachedir=/var/cache/samba \
  --disable-avahi \
  --with-ctdb=/usr \
  --disable-rpath \
  --disable-ntdb \
  --disable-rpath-install \
  --bundled-libraries=NONE,pytevent,iniparser \
  --builtin-libraries=replace,ccan \
  --minimum-library-version=$(shell ./debian/autodeps.py --minimum-library-version) \
  --without-getpass-replacement \
  --enable-debug
 
 
  Thanks,
 
  Andrew
 
 
 Thomas,

 Adding that parameter to the smb.conf file, as well as removing the
 ntp_signd directory so that samba itself could create it, appears to have worked:
 root@dc0:/# ls -l /var/run/samba/ntp_signd/
 total 0
 srwxrwxrwx 1 root root 0 Jul 27 11:41 socket

 I also needed a few extra lines in ntp.conf, otherwise the Windows client

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 12:26:57 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
  net start w32time should make the client query the directory for its
 time server. You can verify the configuration with w32tm /query
 /configuration and look for the Type to be NT5DS. This means it's using
 AD. You can also run w32tm /monitor and the Windows time service will go
 through the processes of querying the directory to find a time server, then
 verify it's accessible. If that works, all is working. I found w32tm
 /monitor will fail if you have your domain functional level at 2008 or
 2008_R2. I don't know if this is a bug in Samba as I haven't had time to
 test against a real 2008+ server. Just know it's to be expected.
 
 
 On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin amar...@xes-inc.com
 wrote:
 
  - Original Message -
   From: Thomas Simmons twsn...@gmail.com
   To: Andrew Martin amar...@xes-inc.com
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 11:03:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  
   The ls -l command you ran shows the ntp_signd directory is empty, so
   it looks like samba is not creating the socket (at least in that
   location). Do you have the ntp signd socket directory option in
   your smb.conf? If not, try manually adding it to smb.conf:
  
   ntp signd socket directory = /var/run/samba/ntp_signd
  
  
   Apart from that, my suggestion would be to stop apparmor and iptables
   for testing and run ntp and samba with verbose logging on and see
   what it says. Also, what does w32tm /query /source and w32tm
   /monitor show on the client?
  
  
  
   On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin 
   amar...@xes-inc.com
wrote:
  
  
  
   - Original Message -
From: Thomas Simmons  twsn...@gmail.com 
To: Andrew Martin  amar...@xes-inc.com 
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 10:33:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
   
   
   
   
   
  
  
On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
amar...@xes-inc.com
 wrote:
   
   
Hello,
   
I recently compiled Samba 4.0.6 (as an AD DC) and am running it
on
Ubuntu 12.04.
I followed the instructions on the Samba wiki (
https://wiki.samba.org/index.php/Configure_NTP )
for how to configure ntp, however the domain clients are
rejecting
the DCs as
being acceptable time sources. Below is my ntp.conf:
   
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/run/samba/ntp_signd
restrict default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap
nopeer
noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap
nopeer
noquery
   
Using Ubuntu, I am not using SELinux. I do not believe there to
be
any problems
with apparmor, as it contains these lines in
/etc/apparmor.d/usr.sbin.ntpd:
# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw,
   
What is the correct procedure for configuring NTP for a Samba4
AD
DC?
   
Thanks,
   
Andrew
   
   
When you compiled Samba, did you not use the standard install
path
(/usr/local/samba) or did you add an entry in smb.conf to use
/var/run/samba/ntp_signd for the socket?
   
   Thomas,
  
   When compiling Samba, I specified custom paths to be in line with
   Debian's
   conventions for file locations:
   conf_args = \
   --prefix=/usr \
   --enable-fhs \
   --sysconfdir=/etc \
   --localstatedir=/var \
   --with-privatedir=/var/lib/samba/private \
   --with-smbpasswd-file=/etc/samba/smbpasswd \
   --with-piddir=/var/run/samba \
   --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
   --with-pam \
   --with-syslog \
   --with-utmp \
   --with-pam_smbpass \
   --with-winbind \
  
  --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2
   \
   --with-automount \
   --with-ldap \
   --with-ads \
   --with-dnsupdate \
   --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
   --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
   --datadir=/usr/share \
   --with-lockdir=/var/run/samba \
   --with-statedir=/var/lib/samba \
   --with-cachedir=/var/cache/samba \
   --disable-avahi \
   --with-ctdb=/usr \
   --disable-rpath \
   --disable-ntdb \
   --disable-rpath-install \
   --bundled-libraries=NONE,pytevent,iniparser \
   --builtin-libraries=replace,ccan \
   --minimum-library-version=$(shell ./debian/autodeps.py
   --minimum-library

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Andrew Martin amar...@xes-inc.com
 To: Thomas Simmons twsn...@gmail.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 2:31:21 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 12:26:57 PM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
  Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
   net start w32time should make the client query the directory for its
  time server. You can verify the configuration with w32tm /query
  /configuration and look for the Type to be NT5DS. This means it's using
  AD. You can also run w32tm /monitor and the Windows time service will go
  through the processes of querying the directory to find a time server, then
  verify it's accessible. If that works, all is working. I found w32tm
  /monitor will fail if you have your domain functional level at 2008 or
  2008_R2. I don't know if this is a bug in Samba as I haven't had time to
  test against a real 2008+ server. Just know it's to be expected.
  
  
  On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
  amar...@xes-inc.com
  wrote:
  
   - Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 11:03:49 AM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
   
   
The ls -l command you ran shows the ntp_signd directory is empty, so
it looks like samba is not creating the socket (at least in that
location). Do you have the ntp signd socket directory option in
your smb.conf? If not, try manually adding it to smb.conf:
   
ntp signd socket directory = /var/run/samba/ntp_signd
   
   
Apart from that, my suggestion would be to stop apparmor and iptables
for testing and run ntp and samba with verbose logging on and see
what it says. Also, what does w32tm /query /source and w32tm
/monitor show on the client?
   
   
   
On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin 
amar...@xes-inc.com
 wrote:
   
   
   
- Original Message -
 From: Thomas Simmons  twsn...@gmail.com 
 To: Andrew Martin  amar...@xes-inc.com 
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 10:33:49 AM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?





   
   
 On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
 amar...@xes-inc.com
  wrote:


 Hello,

 I recently compiled Samba 4.0.6 (as an AD DC) and am running
 it
 on
 Ubuntu 12.04.
 I followed the instructions on the Samba wiki (
 https://wiki.samba.org/index.php/Configure_NTP )
 for how to configure ntp, however the domain clients are
 rejecting
 the DCs as
 being acceptable time sources. Below is my ntp.conf:

 server 127.127.1.0
 fudge 127.127.1.0 stratum 10
 server 0.pool.ntp.org iburst prefer
 server 1.pool.ntp.org iburst prefer
 driftfile /var/lib/ntp/ntp.drift
 logfile /var/log/ntp
 ntpsigndsocket /var/run/samba/ntp_signd
 restrict default kod nomodify notrap nopeer mssntp
 restrict 127.0.0.1
 restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap
 nopeer
 noquery
 restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap
 nopeer
 noquery

 Using Ubuntu, I am not using SELinux. I do not believe there
 to
 be
 any problems
 with apparmor, as it contains these lines in
 /etc/apparmor.d/usr.sbin.ntpd:
 # samba4 ntp signing socket
 /{,var/}run/samba/ntp_signd/socket rw,

 What is the correct procedure for configuring NTP for a
 Samba4
 AD
 DC?

 Thanks,

 Andrew


 When you compiled Samba, did you not use the standard install
 path
 (/usr/local/samba) or did you add an entry in smb.conf to use
 /var/run/samba/ntp_signd for the socket?

Thomas,
   
When compiling Samba, I specified custom paths to be in line
with
Debian's
conventions for file locations:
conf_args = \
--prefix=/usr \
--enable-fhs \
--sysconfdir=/etc \
--localstatedir=/var \
--with-privatedir=/var/lib/samba/private \
--with-smbpasswd-file=/etc/samba/smbpasswd \
--with-piddir=/var/run/samba \
--with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
--with-pam \
--with-syslog \
--with-utmp \
--with-pam_smbpass \
--with-winbind \
   
   --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2
\
--with-automount \
--with-ldap \
--with-ads \
--with-dnsupdate \
--libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
--with-modulesdir=/usr/lib

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Thomas Simmons
Your Windows client is not able to access the NTP server, which is why
w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no
response from server in 1000ms error when running w32tm /monitor. Why? I
can't say. Can you set up a Linux box to use this server for NTP and run
ntpdate as a test? I've seen this when there is a flaky network connection
(traffic, wifi, or when the DC is a VMware VM under certain situations).
Your DC is not a VM, is it?


On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com wrote:

 - Original Message -
  From: Andrew Martin amar...@xes-inc.com
  To: Thomas Simmons twsn...@gmail.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 2:31:21 PM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
  - Original Message -
   From: Thomas Simmons twsn...@gmail.com
   To: Andrew Martin amar...@xes-inc.com
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 12:26:57 PM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
   Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
    net start w32time should make the client query the directory for its
   time server. You can verify the configuration with w32tm /query
   /configuration and look for the Type to be NT5DS. This means it's using
   AD. You can also run w32tm /monitor and the Windows time service will go
   through the processes of querying the directory to find a time server, then
   verify it's accessible. If that works, all is working. I found w32tm
   /monitor will fail if you have your domain functional level at 2008 or
   2008_R2. I don't know if this is a bug in Samba as I haven't had time to
   test against a real 2008+ server. Just know it's to be expected.
  
  
   On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
   amar...@xes-inc.com
   wrote:
  
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 11:03:49 AM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?


 The ls -l command you ran shows the ntp_signd directory is empty, so
 it looks like samba is not creating the socket (at least in that
 location). Do you have the ntp signd socket directory option in
 your smb.conf? If not, try manually adding it to smb.conf:

 ntp signd socket directory = /var/run/samba/ntp_signd


 Apart from that, my suggestion would be to stop apparmor and iptables
 for testing and run ntp and samba with verbose logging on and see
 what it says. Also, what does w32tm /query /source and w32tm
 /monitor show on the client?



 On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin 
 amar...@xes-inc.com
  wrote:



 - Original Message -
  From: Thomas Simmons  twsn...@gmail.com 
  To: Andrew Martin  amar...@xes-inc.com 
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 10:33:49 AM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
 
 
 


  On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
  amar...@xes-inc.com
   wrote:
 
 
  Hello,
 
  I recently compiled Samba 4.0.6 (as an AD DC) and am running
  it
  on
  Ubuntu 12.04.
  I followed the instructions on the Samba wiki (
  https://wiki.samba.org/index.php/Configure_NTP )
  for how to configure ntp, however the domain clients are
  rejecting
  the DCs as
  being acceptable time sources. Below is my ntp.conf:
 
  server 127.127.1.0
  fudge 127.127.1.0 stratum 10
  server 0.pool.ntp.org iburst prefer
  server 1.pool.ntp.org iburst prefer
  driftfile /var/lib/ntp/ntp.drift
  logfile /var/log/ntp
  ntpsigndsocket /var/run/samba/ntp_signd
  restrict default kod nomodify notrap nopeer mssntp
  restrict 127.0.0.1
  restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap
  nopeer
  noquery
  restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap
  nopeer
  noquery
 
  Using Ubuntu, I am not using SELinux. I do not believe there
  to
  be
  any problems
  with apparmor, as it contains these lines in
  /etc/apparmor.d/usr.sbin.ntpd:
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
 
  What is the correct procedure for configuring NTP for a
  Samba4
  AD
  DC?
 
  Thanks,
 
  Andrew
 
 
  When you compiled Samba, did you not use the standard install
  path
  (/usr/local/samba) or did you add an entry in smb.conf to use
  /var/run/samba/ntp_signd for the socket?
 
 Thomas,

 When compiling Samba, I specified custom paths to be in line
 with
 Debian's

Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-27 Thread Andrew Martin
- Original Message -
 From: Thomas Simmons twsn...@gmail.com
 To: Andrew Martin amar...@xes-inc.com
 Cc: samba@lists.samba.org
 Sent: Saturday, July 27, 2013 7:07:59 PM
 Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 Your Windows client is not able to access the NTP server, which is why
 w32tm /resync fails and the reason for the NTP: ERROR_TIMEOUT - no
 response from server in 1000ms error when running w32tm /monitor. Why? I
 can't say. Can you set up a Linux box to use this server for NTP and run
 ntpdate as a test? I've seen this when there is a flaky network connection
 (traffic, wifi, or when the DC is a VMware VM under certain situations).
 Your DC is not a VM, is it?
 
 
 On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin amar...@xes-inc.com
 wrote:
 
  - Original Message -
   From: Andrew Martin amar...@xes-inc.com
   To: Thomas Simmons twsn...@gmail.com
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 2:31:21 PM
   Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
  
   - Original Message -
From: Thomas Simmons twsn...@gmail.com
To: Andrew Martin amar...@xes-inc.com
Cc: samba@lists.samba.org
Sent: Saturday, July 27, 2013 12:26:57 PM
Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
   
Running w32tm /config /update /syncfromflags:DOMHIER  net stop w32time
 net start w32time should make the client query the directory for its
time server. You can verify the configuration with w32tm /query
/configuration and look for the Type to be NT5DS. This means it's using
AD. You can also run w32tm /monitor and the Windows time service will go
through the processes of querying the directory to find a time server, then
verify it's accessible. If that works, all is working. I found w32tm
/monitor will fail if you have your domain functional level at 2008 or
2008_R2. I don't know if this is a bug in Samba as I haven't had time to
test against a real 2008+ server. Just know it's to be expected.
   
   
On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin
amar...@xes-inc.com
wrote:
   
 - Original Message -
  From: Thomas Simmons twsn...@gmail.com
  To: Andrew Martin amar...@xes-inc.com
  Cc: samba@lists.samba.org
  Sent: Saturday, July 27, 2013 11:03:49 AM
  Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
 
 
  The ls -l command you ran shows the ntp_signd directory is empty, so
  it looks like samba is not creating the socket (at least in that
  location). Do you have the ntp signd socket directory option in
  your smb.conf? If not, try manually adding it to smb.conf:
 
  ntp signd socket directory = /var/run/samba/ntp_signd
 
 
  Apart from that, my suggestion would be to stop apparmor and iptables
  for testing and run ntp and samba with verbose logging on and see
  what it says. Also, what does w32tm /query /source and w32tm
  /monitor show on the client?
 
 
 
  On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin 
  amar...@xes-inc.com
   wrote:
 
 
 
  - Original Message -
   From: Thomas Simmons  twsn...@gmail.com 
   To: Andrew Martin  amar...@xes-inc.com 
   Cc: samba@lists.samba.org
   Sent: Saturday, July 27, 2013 10:33:49 AM
   Subject: Re: [Samba] Correct NTP Settings for Samba
   4.0.6?
  
  
  
  
  
 
 
   On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin 
   amar...@xes-inc.com
wrote:
  
  
   Hello,
  
   I recently compiled Samba 4.0.6 (as an AD DC) and am
   running
   it
   on
   Ubuntu 12.04.
   I followed the instructions on the Samba wiki (
   https://wiki.samba.org/index.php/Configure_NTP )
   for how to configure ntp, however the domain clients are
   rejecting
   the DCs as
   being acceptable time sources. Below is my ntp.conf:
  
   server 127.127.1.0
   fudge 127.127.1.0 stratum 10
   server 0.pool.ntp.org iburst prefer
   server 1.pool.ntp.org iburst prefer
   driftfile /var/lib/ntp/ntp.drift
   logfile /var/log/ntp
   ntpsigndsocket /var/run/samba/ntp_signd
   restrict default kod nomodify notrap nopeer mssntp
   restrict 127.0.0.1
   restrict 0.pool.ntp.org mask 255.255.255.255 nomodify
   notrap
   nopeer
   noquery
   restrict 1.pool.ntp.org mask 255.255.255.255 nomodify
   notrap
   nopeer
   noquery
  
   Using Ubuntu, I am not using SELinux. I do not believe
   there
   to
   be
   any problems
   with apparmor, as it contains these lines in
   /etc/apparmor.d/usr.sbin.ntpd:
   # samba4 ntp signing socket
   /{,var/}run/samba/ntp_signd/socket