Difference between revisions of "Samba4 NTP"
From Stadm
Line 6: | Line 6: | ||
*This guide is to show a working setup of using ntp on a domain controller to keep the domain joined machines in sync with the domain controllers. | *This guide is to show a working setup of using ntp on a domain controller to keep the domain joined machines in sync with the domain controllers. | ||
*By default windows machines joined to the domain will try to sync there time with the domain controller | *By default windows machines joined to the domain will try to sync there time with the domain controller | ||
+ | ===Install=== | ||
*We are using samba as our DC so ntp is installed to sync time | *We are using samba as our DC so ntp is installed to sync time | ||
+ | *Install ntp | ||
+ | yum install ntp | ||
+ | *our version supports ntp_signd(4.2.6), if yours does not you will have to download ntp and compile with --enable-ntp-signd from http://www.ntp.org/ | ||
+ | ===Permissions== | ||
+ | *set appropriate permissions on the socket | ||
+ | chown root:ntp /usr/local/samba/var/lib/ntp_signd/ | ||
+ | chmod 750 /usr/local/samba/var/lib/ntp_signd/ | ||
+ | ===Edit ntp.conf=== | ||
+ | *open ntp.conf | ||
+ | vim /etc/ntp.conf | ||
+ | *add ntpsigndsocket and mssntp | ||
+ | restrict default mssntp kod nomodify notrap nopeer noquery | ||
+ | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
+ | |||
+ | ===Check from Windows=== | ||
+ | *From a Windows computer joined to the domain you can use the w32tm command to force a sync with the DC | ||
+ | C:\w32tm /resync | ||
+ | *This should output | ||
+ | PS C:\Windows\system32> w32tm /resync | ||
+ | Sending resync command to local computer | ||
+ | The command completed successfully. | ||
+ | ===Debugging=== | ||
+ | *If you are having errors with either w32tm /resync or with Time-Service(Event ID 24) warnings in Event Viewer you can enable a log to help see where the time sync is going wrong | ||
+ | *From a windows computer you can enable a log for w32tm by running | ||
+ | PS C:\Windows\system32> w32tm /debug /enable /file:C:\time.log /entries:0-300 /size:10000000 | ||
+ | *When you're done logging you can disable logging by running | ||
+ | w32tm /debug /disable | ||
+ | *NTP can be debugged by adding in a logfile into /etc/ntp.conf | ||
+ | vim /etc/ntp.conf | ||
+ | *add this line | ||
+ | logfile /var/log/ntp | ||
+ | *You can check there and in /var/log/messages for errors | ||
+ | tail -n 1000 /var/log/messages | grep ntp | ||
+ | *however if the log doesn't contain that usefule of information stop ntp and run it in debug mode | ||
+ | service ntpd stop | ||
+ | *or | ||
+ | systemctl stop ntpd | ||
+ | *and start with | ||
+ | ntpd -d | ||
+ | *Now from a domain joined windows machine run w32tm /resync and see what is going on | ||
+ | *Hitting Ctrl+c will stop ntp from running | ||
+ | ====References==== | ||
+ | *https://wiki.samba.org/index.php/Time_Synchronisation | ||
+ | *http://blog.mycroes.nl/2013/03/setting-up-ntp-signing-ntpsignd-with.html | ||
+ | *https://lists.samba.org/archive/samba-technical/2010-December/075013.html |
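Review bot: the added heading `===Permissions==` closes with two equals signs instead of three, so it renders as "=Permissions" rather than as a section heading like `===Install===`; change it to `===Permissions===`. In the same hunk, the Windows check line `C:\w32tm /resync` is missing the `>` of the prompt, and "usefule" in the Debugging bullets should read "useful".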
Revision as of 13:36, 6 May 2015
Samba DC NTP
- This guide shows a working setup of ntp on a domain controller that keeps the domain-joined machines in sync with the domain controllers.
- By default, Windows machines joined to the domain will try to sync their time with the domain controller
Install
- We are using samba as our DC so ntp is installed to sync time
- Install ntp
yum install ntp
- Our version supports ntp_signd (4.2.6); if yours does not, you will have to download ntp from http://www.ntp.org/ and compile it with --enable-ntp-signd
Permissions
- Set appropriate permissions on the ntp_signd socket directory
chown root:ntp /usr/local/samba/var/lib/ntp_signd/
chmod 750 /usr/local/samba/var/lib/ntp_signd/
Edit ntp.conf
- open ntp.conf
vim /etc/ntp.conf
- add ntpsigndsocket and mssntp
restrict default mssntp kod nomodify notrap nopeer noquery
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
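The check below is an added example, not part of the original guide: it audits the Permissions and Edit ntp.conf steps above, so a socket directory with the wrong owner or mode, or a missing mssntp/ntpsigndsocket line, is caught before Windows clients fail to sync. The function names are hypothetical, and it assumes GNU stat.

```bash
#!/usr/bin/env bash
# Added example: audit the ntp.conf and socket-directory settings from this guide.
# check_ntp_conf and check_signd_dir are hypothetical helper names.
# Assumes GNU stat (coreutils) and a POSIX awk.

# Succeeds if $1 has a "restrict" line carrying the mssntp flag and an
# "ntpsigndsocket" line that points at directory $2. Comments are ignored.
check_ntp_conf() {
    local conf="$1" sockdir="${2%/}"
    awk -v dir="$sockdir" '
        { sub(/#.*/, "") }
        $1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "mssntp") mss = 1 }
        $1 == "ntpsigndsocket" { p = $2; sub(/\/+$/, "", p); if (p == dir) sock = 1 }
        END {
            if (!mss)  print "missing: restrict line with mssntp"
            if (!sock) print "missing: ntpsigndsocket " dir
            exit !(mss && sock)
        }' "$conf"
}

# Succeeds if directory $1 has owner:group $2 (default root:ntp) and
# octal mode $3 (default 750), the values set in the Permissions step.
check_signd_dir() {
    local dir="$1" want_owner="${2:-root:ntp}" want_mode="${3:-750}" owner mode rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    owner=$(stat -c '%U:%G' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
    [ "$mode" = "$want_mode" ] || { echo "mode is $mode, expected $want_mode"; rc=1; }
    return "$rc"
}

# Usage on the DC, with the paths from this page:
#   check_ntp_conf /etc/ntp.conf /usr/local/samba/var/lib/ntp_signd/ &&
#   check_signd_dir /usr/local/samba/var/lib/ntp_signd/
```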
Check from Windows
- From a Windows computer joined to the domain you can use the w32tm command to force a sync with the DC
C:\> w32tm /resync
- This should output
PS C:\Windows\system32> w32tm /resync
Sending resync command to local computer
The command completed successfully.
Debugging
- If you are getting errors from w32tm /resync or Time-Service (Event ID 24) warnings in Event Viewer, you can enable a log to help see where the time sync is going wrong
- From a Windows computer you can enable a log for w32tm by running
PS C:\Windows\system32> w32tm /debug /enable /file:C:\time.log /entries:0-300 /size:10000000
- When you're done logging you can disable logging by running
w32tm /debug /disable
- NTP can be debugged by adding a logfile line to /etc/ntp.conf
vim /etc/ntp.conf
- add this line
logfile /var/log/ntp
- You can check there and in /var/log/messages for errors
tail -n 1000 /var/log/messages | grep ntp
- However, if the log doesn't contain much useful information, stop ntp and run it in debug mode
service ntpd stop
- or
systemctl stop ntpd
- and start with
ntpd -d
- Now, from a domain-joined Windows machine, run w32tm /resync and see what is going on
- Hitting Ctrl+C will stop ntp from running