Configuring NTPd for a Samba 4 Domain
If you're using Samba 4 to run an Active Directory Domain, you should also configure NTPd on your domain controller hosts. Windows clients are automatically configured to sync their clocks with the DC, and if the clocks drift apart for more than five minutes, logins will simply stop working, which tends to make users unhappy.
However, Windows clients require NTP packets to be signed by the Domain Controller, otherwise they'll refuse to sync their clocks with the server. Here's how you can configure ntpd to sign its responses.
First, find out where your Samba 4 server puts its ntp_signd socket:

root@dc:~# netstat -xpln | grep signd
unix  2      [ ACC ]     STREAM     LISTENING     10095615  4897/samba   /var/lib/samba/ntp_signd/socket
This is the default for Samba 4 installed on Debian Jessie, through Jessie's samba package. Now, chgrp the directory so that NTPd is able to access the socket:
chgrp ntp /var/lib/samba/ntp_signd
And configure NTPd using a couple of undocumented options in /etc/ntp.conf:

ntpsigndsocket /var/lib/samba/ntp_signd   # need the *directory* here, not the socket
# vvvvv---- those are all defaults ----vvvvv  v------ this one is new
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
Don't forget to tell NTPd to actually listen for clients' requests:
interface listen 192.168.0.1
Now, if you're running your DC on Debian and it gets its IP from a DHCP server, you need to copy the config, or else NTPd will never see your changes, run with the old config instead, and drive you completely insane in the process. So, if that is the case,
cp /etc/ntp.conf /var/lib/ntp/ntp.conf.dhcp
and you should be fine. Now, restart NTPd:
service ntp restart
And check that you see the following line in /var/log/syslog, which confirms that the mssntp stuff works:
Apr 9 20:15:24 dc ntpd[30129]: MS-SNTP signd operations currently block ntpd degrading service to all clients.
To try it, open cmd on a Windows client joined to the domain, and run:

C:\> w32tm /resync
Sending resync command to local computer...
The command completed successfully.
If the command does not complete successfully, your NTPd might not be listening (which you can check by running tcpdump udp port 123 on the DC), or it might not be running with an up-to-date copy of the config. See ps aux | grep ntpd for what the actual command line is. If that still doesn't help, try stopping it and running it as root using ntpd -d.
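As an added example that is not part of the original post, here is a small POSIX shell script that checks the pieces above before you restart NTPd: that ntpsigndsocket names the directory rather than the socket file, that every default restrict line carries mssntp, that the socket directory is group-owned by the ntp group, and that the DHCP copy of the config is not stale. The script name ntp_signd_check.sh and the function names are my own; the paths are the Debian ones used above, and the config syntax assumed is that of ntp.org's ntpd.

```sh
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# ntp_signd setup described above. Assumes ntp.org ntpd configuration syntax
# (ntpsigndsocket / restrict ... mssntp) and the Debian paths used in the post.

# check_signd_conf CONF
# Succeeds when CONF has an 'ntpsigndsocket' directive naming a directory (not
# the socket file inside it) and every 'restrict ... default' line includes
# 'mssntp'; otherwise prints the reason and fails.
check_signd_conf() {
    conf="$1"
    signd=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$conf")
    if [ -z "$signd" ]; then
        echo "$conf: no ntpsigndsocket directive" >&2
        return 1
    fi
    case "$signd" in
        */socket)
            echo "$conf: ntpsigndsocket must name the directory, not $signd" >&2
            return 1 ;;
    esac
    # A default restrict line without mssntp makes ntpd answer Windows clients
    # with unsigned packets, which they refuse to sync from.
    bad=$(awk '$1 == "restrict" && /default/ && !/mssntp/' "$conf")
    if [ -n "$bad" ]; then
        echo "$conf: restrict line without mssntp: $bad" >&2
        return 1
    fi
    return 0
}

# check_signd_dir DIR GROUP
# The socket directory must exist and be group-owned by the group ntpd runs as
# (ntp on Debian), which is what the chgrp step above arranges.
check_signd_dir() {
    dir="$1"; want="$2"
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    have=$(ls -ld "$dir" | awk '{ print $4 }')
    if [ "$have" != "$want" ]; then
        echo "$dir: group is $have, expected $want" >&2
        return 1
    fi
    return 0
}

# check_dhcp_copy CONF COPY
# When the DC gets its address via DHCP, ntpd is started with COPY instead of
# CONF (see above), so a COPY that exists but differs from CONF means ntpd
# would run a stale configuration.
check_dhcp_copy() {
    conf="$1"; copy="$2"
    [ -e "$copy" ] || return 0          # no DHCP copy: ntpd reads CONF directly
    if ! cmp -s "$conf" "$copy"; then
        echo "$copy is out of date; run: cp $conf $copy" >&2
        return 1
    fi
    return 0
}

# Run all checks against the live system when called with the config path, e.g.
#   sh ntp_signd_check.sh /etc/ntp.conf      (hypothetical file name)
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
    check_signd_conf "$1" &&
    check_signd_dir /var/lib/samba/ntp_signd ntp &&
    check_dhcp_copy "$1" /var/lib/ntp/ntp.conf.dhcp &&
    echo "ok: ntpd signing configuration looks consistent"
fi
```

Each function prints the reason for a failure on stderr and returns non-zero, so the script can sit in front of service ntp restart and stop you before NTPd comes up with an unsigned or stale configuration.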