Installing and configuring NTP Chrony for Samba-AD on Redhat and derivatives
Hint
Active Directory is based on the Kerberos protocol which requires near perfect clock synchronization between the domain member workstations and the Samba-AD domain controller. NTP is used to ensure synchronization between the clocks of the different devices on the network.
Install the Chrony NTP packages and choose a time server on the Internet (on a standard Redhat installation, Chrony is already installed; it replaces the historical ntpd daemon). The service unit on Redhat and derivatives is named chronyd, so enable it under that name:
yum install chrony
systemctl enable chronyd
systemctl stop chronyd
chronyd -q 'server pool.ntp.org iburst'
systemctl start chronyd
Warning
The ntpdate and sntp utilities, which are included in the ntp distribution, can be replaced with chronyd run in one-shot mode (the -q option, optionally with -t to set a timeout), which sets the clock once and exits.
Add the following lines to /etc/chrony.conf to manage the signed NTP used by Windows workstations to automatically synchronize their clocks with the AD server:
allow 0.0.0.0/0
ntpsigndsocket /var/lib/samba/ntp_signd
Note that allow 0.0.0.0/0 lets any host query this server; on a domain controller that only serves its own LAN, restricting the allow directive to the local subnets is preferable.
Change the owner of the directory containing the Samba socket used to authenticate the NTP service (the directory exists once the Samba service has been started at least once):
chown root:chrony /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/
Restart Chrony:
systemctl restart chronyd
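The steps above (the two chrony.conf directives, the ownership and mode of the signing socket directory, and a clock that stays within Kerberos tolerance) are easy to get slightly wrong. The following POSIX shell script is an added example, not part of the original page or of the Samba or Chrony projects: it checks a chrony.conf for the ntpsigndsocket and allow lines (flagging an allow open to the whole Internet), verifies the socket directory is root:chrony with mode 750, and parses the "System time" line of chronyc tracking output against the 300 second Kerberos clock-skew limit. The sample configs, directory and tracking output are constructed inline; paths are the ones the page uses.

```shell
#!/bin/sh
# Added example: sanity checks for a chrony server signing NTP for Samba-AD.
# Sample configs, directory and command output below are constructed, not
# taken from a real host.

SIGND_SOCKET_DIR=/var/lib/samba/ntp_signd   # path used on the page

# check_chrony_conf FILE
# 0 = ok, 1 = no ntpsigndsocket line, 2 = no allow line, 3 = allow open to all
check_chrony_conf() {
    conf="$1"
    grep -Eq "^[[:space:]]*ntpsigndsocket[[:space:]]+$SIGND_SOCKET_DIR/?[[:space:]]*$" "$conf" || return 1
    grep -Eq '^[[:space:]]*allow([[:space:]]|$)' "$conf" || return 2
    # A bare "allow" or "allow 0.0.0.0/0" lets any host on the Internet query
    # the server; a domain controller only needs to serve its own subnets.
    if grep -Eq '^[[:space:]]*allow[[:space:]]*$' "$conf" \
       || grep -Eq '^[[:space:]]*allow[[:space:]]+0\.0\.0\.0/0([[:space:]]|$)' "$conf"; then
        return 3
    fi
    return 0
}

# signd_dir_mode DIR -> prints the 10-character mode string, e.g. drwxr-x---
# (a trailing "." or "+" for SELinux/ACL markers is dropped)
signd_dir_mode() {
    ls -ld "$1" | awk '{ print $1 }' | cut -c1-10
}

# check_signd_dir DIR OWNER GROUP
# 0 = ok, 1 = missing, 2 = wrong mode (want 750), 3 = wrong owner/group.
# Mode 750 with group chrony lets chronyd reach Samba's signing socket while
# keeping every other local user out of the directory.
check_signd_dir() {
    dir="$1"; want_owner="$2"; want_group="$3"
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    mode=$(printf '%s' "$1" | cut -c1-10); owner="$3"; group="$4"
    [ "$mode" = "drwxr-x---" ] || return 2
    [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] || return 3
    return 0
}

# offset_within_skew TRACKING_OUTPUT MAX_SECONDS
# Parses the "System time" line of `chronyc tracking` and succeeds when the
# absolute offset is at most MAX_SECONDS. Kerberos rejects tickets from clocks
# more than 5 minutes (300 s) apart, so 300 is the loosest useful bound.
offset_within_skew() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^System time/ { off = $4 + 0; if (off < 0) off = -off; found = 1; ok = (off <= max) }
        END { exit (found && ok) ? 0 : 1 }'
}

# ---- constructed samples -------------------------------------------------
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
server pool.ntp.org iburst
allow 192.168.1.0/24
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

OPEN_CONF=$(mktemp)
cat > "$OPEN_CONF" <<'EOF'
server pool.ntp.org iburst
allow 0.0.0.0/0
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

SAMPLE_TRACKING='Reference ID    : C0A80101 (192.168.1.1)
Stratum         : 3
System time     : 0.000123456 seconds fast of NTP time
Leap status     : Normal'

SAMPLE_DIR=$(mktemp -d)
chmod 750 "$SAMPLE_DIR"

# ---- demonstration -------------------------------------------------------
rc=0; check_chrony_conf "$GOOD_CONF" || rc=$?
echo "restricted allow: rc=$rc"            # rc=0
rc=0; check_chrony_conf "$OPEN_CONF" || rc=$?
echo "allow 0.0.0.0/0:  rc=$rc"            # rc=3
echo "sample dir mode:  $(signd_dir_mode "$SAMPLE_DIR")"
offset_within_skew "$SAMPLE_TRACKING" 300 && echo "clock within Kerberos skew"
```

On a real server the same functions would be pointed at /etc/chrony.conf, at /var/lib/samba/ntp_signd with root and chrony as the expected owner and group, and at the live output of chronyc tracking.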
Forcing a resynchronization on a windows workstation
Run the following command in a shell with administrator rights; it asks the local Windows NTP client to resynchronise. If all goes well, the command returns "The command ended correctly". Note: an NTP server needs some time after starting before it can be asked for the time; otherwise it declares itself not to be a reliable source.
w32tm /resync /nowait
In the event of a problem
The service is called w32time while the management tool is called w32tm. You may also need the net time command.
Reconfigure Windows workstations to use AD for NTP.
On the Windows workstation, run the following commands:
w32tm /config /syncfromflags:domhier
w32tm /config /update
w32tm /resync /nowait
Debugging the NTP client on windows
To debug the client, the following registry keys can be defined (http://support.microsoft.com/kb/816043/en-us):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"FileLogSize"=dword:01000000
"FileLogName"="c:\\w32time_debug.txt"
"FileLogEntries"="0-300"
The two modes of operation of the windows NTP client
Operation in ADS client mode (Nt5DS mode). This is the mode to use with a Samba-AD domain:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
...
"Type"="Nt5DS"
Operation in named NTP server mode. To switch to this mode, type net time /setsntp:srvads.mydomain.lan:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
...
"Type"="NTP"
"ntpserver"="srvads.tranquilit.lan"
Check that the NTP client is pointing to the correct server. If DHCP hands out an NTP server that is not the domain controller, this can also cause problems. To check this, you can use the following command:
w32tm /monitor
The NTP service does not seem to take your ntp.conf configuration into account
Check that there is no /var/lib/ntp/ntp.conf.dhcp file, and delete it if there is. This file was created by dhclient before the server was switched to a fixed IP.
rm -f /var/lib/ntp/ntp.conf.dhcp
Now we can install Samba in Active Directory mode. We’re progressing, that’s good!