Configuring NTPd for a Samba 4 Domain

If you're using Samba 4 to run an Active Directory Domain, you should also configure NTPd on your domain controller hosts. Windows clients are automatically configured to sync their clocks with the DC, and if the clocks drift apart by more than five minutes, logins will simply stop working, which tends to make users unhappy.

However, Windows clients require NTP packets to be signed by the Domain Controller, otherwise they'll refuse to sync their clocks with the server. Here's how you can configure ntpd to sign its responses.

First, find out where your Samba 4 server puts its ntp_signd socket:

root@dc:~# netstat -xpln | grep signd
unix  2      [ ACC ]     STREAM     LISTENING     10095615 4897/samba          /var/lib/samba/ntp_signd/socket

This is the default for Samba 4 installed from Debian Jessie's samba package. Now, chgrp the directory so that NTPd is able to access the socket:

chgrp ntp /var/lib/samba/ntp_signd

And configure NTPd using a couple of undocumented options in /etc/ntp.conf:

ntpsigndsocket /var/lib/samba/ntp_signd # need the *directory* here, not the socket

#           vvvvv---- those are all defaults ----vvvvv   v------this one is new
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

Don't forget to tell NTPd to actually listen for clients' requests:

interface listen 192.168.0.1   # ISC ntpd syntax; "listen on" is OpenNTPD's and ntpd rejects it

Now, if your DC runs Debian and gets its IP from a DHCP server, you also need to copy the config to the location NTPd is started from in that case; otherwise NTPd will never see your changes, keep running with the old config instead, and drive you completely insane in the process. So, if that is the case,

cp /etc/ntp.conf /var/lib/ntp/ntp.conf.dhcp

and you should be fine. Now, restart NTPd:

service ntp restart

And check that you see the following line in /var/log/syslog, which confirms that MS-SNTP signing is active:

Apr  9 20:15:24 dc ntpd[30129]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

To try it out, open cmd on a Windows client joined to the domain, and run:

C:\> w32tm /resync
Sending resync command to local computer...
The command completed successfully.

If the command does not complete successfully, your NTPd might not be listening (which you can check by running tcpdump udp port 123 on the DC), or it might not be running with an up-to-date copy of the config. See ps aux | grep ntpd for what the actual command line is. If that still doesn't help, try stopping it and running it as root with ntpd -d.
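To catch the mistakes described above (socket path instead of directory, a restrict line without mssntp, wrong group on the signd directory, a stale ntp.conf.dhcp copy) before restarting NTPd, here is a small check script. It is an added example, not part of the original post; the default paths assume the Debian Jessie layout above, and the function takes other paths as parameters.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only sanity check for the
# ntpd settings described above. Default paths assume the Debian layout used
# in the post; pass others as arguments to check a different copy of ntp.conf.

# check_ntp_conf CONF [SIGND_DIR] [DHCP_COPY]
# Prints one line per finding and returns 0 only if every check passes.
check_ntp_conf() {
    conf="$1"
    signd_dir="${2:-/var/lib/samba/ntp_signd}"
    dhcp_copy="${3:-/var/lib/ntp/ntp.conf.dhcp}"
    rc=0
    default_re='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)'

    # 1. ntpsigndsocket must name the directory, not the socket file inside it.
    path=$(grep -E '^[[:space:]]*ntpsigndsocket[[:space:]]' "$conf" | awk 'NR == 1 { print $2 }')
    if [ -z "$path" ]; then
        echo "FAIL: no ntpsigndsocket directive in $conf"; rc=1
    elif [ "${path%/socket}" != "$path" ]; then
        echo "FAIL: ntpsigndsocket points at the socket file, not its directory"; rc=1
    else
        echo "ok: ntpsigndsocket $path"
    fi

    # 2. Every 'restrict ... default' line needs mssntp, otherwise those
    #    clients get unsigned replies, which Windows refuses.
    n_default=$(grep -cE "$default_re" "$conf" || true)
    n_signed=$(grep -E "$default_re" "$conf" | grep -c mssntp || true)
    if [ "$n_default" -eq 0 ] || [ "$n_signed" -ne "$n_default" ]; then
        echo "FAIL: only $n_signed of $n_default 'restrict default' lines carry mssntp"; rc=1
    else
        echo "ok: all $n_default 'restrict default' lines carry mssntp"
    fi

    # 3. ntpd runs as user ntp, so the signd directory must be group ntp.
    if [ -d "$signd_dir" ]; then
        group=$(ls -ld "$signd_dir" | awk '{ print $4 }')
        if [ "$group" = ntp ]; then echo "ok: $signd_dir group is ntp"
        else echo "FAIL: $signd_dir group is '$group', expected ntp"; rc=1; fi
    else
        echo "skip: $signd_dir not present on this host"
    fi

    # 4. On DHCP hosts Debian starts ntpd from the .dhcp copy, so it must match.
    if [ -f "$dhcp_copy" ] && ! cmp -s "$conf" "$dhcp_copy"; then
        echo "FAIL: $dhcp_copy differs from $conf, ntpd is running a stale config"; rc=1
    fi
    return "$rc"
}
```

Run it as `check_ntp_conf /etc/ntp.conf` on the DC; a non-zero exit means at least one FAIL line was printed.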