Installing and configuring NTP Chrony for Samba-AD on Redhat and derivatives

Hint

Active Directory is based on the Kerberos protocol, which requires near-perfect clock synchronization between the domain member workstations and the Samba-AD domain controller. NTP is used to keep the clocks of the different devices on the network in sync.

  • Install the Chrony NTP packages and choose a time server on the Internet (on a standard Redhat installation Chrony is already installed; it replaces the historical ntpd daemon):

    yum install chrony
    systemctl enable chronyd
    systemctl stop chronyd
    # one-shot run: set the clock from the pool right away, then exit
    chronyd -q 'server pool.ntp.org iburst'
    systemctl start chronyd
    

    Warning

    The ntpdate and sntp utilities, which are included in the ntp distribution, can be replaced with chronyd using the -q option or the -t option.

  • Add the following lines to /etc/chrony.conf to enable the signed NTP that Windows workstations use to synchronize their clocks with the AD server automatically (allow 0.0.0.0/0 answers NTP requests from any address; narrow it to your LAN subnet if the controller is reachable from untrusted networks):

    allow 0.0.0.0/0
    ntpsigndsocket  /var/lib/samba/ntp_signd
    
  • Change the owner of the directory containing the Samba socket used to sign NTP replies (the directory exists once the Samba service has been started at least once):

    chown root:chrony /var/lib/samba/ntp_signd/
    chmod 750 /var/lib/samba/ntp_signd/
    
  • Restart Chrony:

    systemctl restart chronyd
    
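As an added sanity check that is not part of the original procedure (example code, not from the page nor from the Samba or chrony projects), the following script verifies that a chrony.conf carries the directives listed above and that the ntp_signd directory has the ownership and mode set above; the config it checks in the demo is a constructed temp file, not the live /etc/chrony.conf.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: pre-flight checks for the
# chrony + Samba signed-NTP setup. Each function prints findings and
# returns non-zero when something the steps above require is missing.

# check_chrony_conf FILE -- verify the directives the steps above add.
check_chrony_conf() {
    local conf="$1" rc=0
    # Samba's signing socket: without it Windows clients reject the replies.
    if ! grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/var/lib/samba/ntp_signd' "$conf"; then
        echo "MISSING: ntpsigndsocket /var/lib/samba/ntp_signd"; rc=1
    fi
    # Some allow directive is needed, or chronyd answers no client at all.
    if ! grep -Eq '^[[:space:]]*allow([[:space:]]|$)' "$conf"; then
        echo "MISSING: allow directive"; rc=1
    elif grep -Eq '^[[:space:]]*allow[[:space:]]+0\.0\.0\.0/0' "$conf"; then
        echo "WARN: allow 0.0.0.0/0 serves any address; prefer the LAN subnet"
    fi
    # An upstream source, otherwise the DC has no time to distribute.
    if ! grep -Eq '^[[:space:]]*(server|pool)[[:space:]]' "$conf"; then
        echo "MISSING: server/pool directive"; rc=1
    fi
    return "$rc"
}

# check_signd_dir DIR -- owner root, group chrony, mode 750 (as set above).
check_signd_dir() {
    local dir="$1" perms
    perms=$(stat -c '%U:%G:%a' "$dir" 2>/dev/null) || { echo "MISSING: $dir"; return 1; }
    [ "$perms" = "root:chrony:750" ] && return 0
    echo "BAD: $dir is $perms, expected root:chrony:750"
    return 1
}

# Demo on a constructed config (a temp file, not the live /etc/chrony.conf).
demo_conf=$(mktemp)
printf 'server pool.ntp.org iburst\nallow 0.0.0.0/0\nntpsigndsocket /var/lib/samba/ntp_signd\n' > "$demo_conf"
check_chrony_conf "$demo_conf" && echo "config OK"
check_signd_dir /var/lib/samba/ntp_signd || echo "socket dir not ready"
rm -f "$demo_conf"
```

Run it as root on the controller with the real paths after the restart step; a clean run prints only "config OK".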

Forcing a resynchronization on a Windows workstation

Run the following command in a shell with administrator rights; it asks the local Windows NTP client to resynchronize. If all goes well, the command reports that it completed successfully. Note: an NTP server needs some time after starting before it can be asked for the time; until then it declares itself an unreliable source.

w32tm /resync /nowait

In the event of a problem

The service is called w32time, while the management tool is called w32tm. You may also need the net time command.

Reconfigure Windows workstations to use AD for NTP.

  • On the Windows workstation, run the following commands:

    w32tm /config /syncfromflags:domhier
    w32tm /config /update
    w32tm /resync /nowait
    

Debugging the NTP client on Windows

  • To debug the client, the following registry keys can be defined (http://support.microsoft.com/kb/816043/en-us):

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
    "FileLogSize"=dword:01000000
    "FileLogName"="c:\\w32time_debug.txt"
    "FileLogEntries"="0-300"
    

The two modes of operation of the Windows NTP client

  • Operation in AD client mode (Nt5DS). This is the mode a workstation must be in with a Samba-AD domain:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
    ...
    "Type"="Nt5DS"
    
  • Operation in manual NTP mode, pointing at a named server. To switch to this mode, type net time /setsntp:srvads.mydomain.lan:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
    ...
    "Type"="NTP"
    "ntpserver"="srvads.tranquilit.lan"
    
  • Check that the NTP client is pointing to the correct server. If DHCP hands out an NTP server that is not the domain controller, that can also be the problem. To check this, you can use the following command:

    w32tm /monitor
    

The NTP service does not seem to take into account your ntp.conf configuration

  • Check that there is no /var/lib/ntp/ntp.conf.dhcp file, and delete it if there is one. dhclient created this file before the server was switched to a fixed IP address.

    rm -f /var/lib/ntp/ntp.conf.dhcp
    

Now we can install Samba in Active Directory mode. We’re progressing, that’s good!