NTP synchronization problems for clients

yaldoo

January 22, 2026 - 3:05 PM

Good morning,

I am on Debian 13 with the latest version of Samba-AD.
I followed the instructions https://samba.tranquil.it/doc/fr/samba_ ... ebian.html
I have the chrony service running, the socket has the correct permissions, but my server is not responding to signed requests (length 120).

w32tm /stripchart /computer:172.16.2.1 /samples:1 /dataonly

Code:

14:57:49.034807 IP (tos 0x0, ttl 128, id 62657, offset 0, flags [none], proto UDP (17), length 76)
    10.0.248.10.54507 > 172.16.2.1.123: NTPv1, Client, length 48
        Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3978079066.333766699 (2026-01-22T13:57:46Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3978079066.333766699 (2026-01-22T13:57:46Z)
14:57:49.034891 IP (tos 0x0, ttl 64, id 55417, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.2.1.123 > 10.0.248.10.54507: NTPv1, Server, length 48
        Leap indicator:  (0), Stratum 3 (secondary reference), poll 0 (1s), precision -26
        Root Delay: 0.019027, Root dispersion: 0.000473, Reference-ID: 0x3ed281ab
          Reference Timestamp:  3978079058.980249532 (2026-01-22T13:57:38Z)
          Originator Timestamp: 3978079066.333766699 (2026-01-22T13:57:46Z)
          Receive Timestamp:    3978079069.034855657 (2026-01-22T13:57:49Z)
          Transmit Timestamp:   3978079069.034928405 (2026-01-22T13:57:49Z)
            Originator - Receive Timestamp:  +2.701088958
            Originator - Transmit Timestamp: +2.701161705

w32tm /resync /nowait

Code:

15:01:52.210935 IP (tos 0x0, ttl 128, id 18487, offset 0, flags [none], proto UDP (17), length 148)
    10.0.248.10.123 > 172.16.2.1.123: NTPv3, Client, length 120
        Leap indicator:  (0), Stratum 1 (primary reference), poll 17 (131072s), precision -23
        Root Delay: 0.000000, Root dispersion: 10.000000, Reference-ID: LOCL
          Reference Timestamp:  3978079309.366612899 (2026-01-22T14:01:49Z)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3978079309.507616199 (2026-01-22T14:01:49Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3978079309.507616199 (2026-01-22T14:01:49Z)
        (72 more bytes after the header)

I get a response in the first case but not in the second.
I've tried everything, but nothing works. Have you ever encountered this problem?
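
An added example, not part of the original post: a small Python script that reads `tcpdump -v` text like the two captures above and lists NTP client requests that never received a server reply, along with how many bytes follow the 48-byte header. Treating any trailing bytes as the MS-SNTP signature is an assumption based on the poster's description; the function and field names are hypothetical.

```python
import re

TS_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP ")
NTP_LINE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"NTPv\d, (?P<mode>Client|Server), length (?P<len>\d+)")
NTP_HEADER_LEN = 48  # fixed NTP header; anything beyond it is trailing data

def unanswered_requests(capture):
    """Return client requests with no server reply on the reversed flow."""
    pending, unanswered, ts = {}, [], None
    for line in capture.splitlines():
        m = TS_LINE.match(line)
        if m:                                # first line of a packet: timestamp
            ts = m["ts"]
            continue
        m = NTP_LINE.match(line)
        if not m:                            # NTP field detail lines are skipped
            continue
        src, dst = (m["src"], m["sport"]), (m["dst"], m["dport"])
        if m["mode"] == "Client":
            if (src, dst) in pending:        # earlier request was never answered
                unanswered.append(pending[(src, dst)])
            length = int(m["len"])
            pending[(src, dst)] = {"ts": ts, "client": m["src"], "length": length,
                                   "trailing_bytes": length - NTP_HEADER_LEN}
        else:                                # a server reply clears the request
            pending.pop((dst, src), None)
    return unanswered + list(pending.values())

# Packet header lines trimmed from the two captures in the post above.
SAMPLE = """\
14:57:49.034807 IP (tos 0x0, ttl 128, id 62657, offset 0, flags [none], proto UDP (17), length 76)
    10.0.248.10.54507 > 172.16.2.1.123: NTPv1, Client, length 48
14:57:49.034891 IP (tos 0x0, ttl 64, id 55417, offset 0, flags [DF], proto UDP (17), length 76)
    172.16.2.1.123 > 10.0.248.10.54507: NTPv1, Server, length 48
15:01:52.210935 IP (tos 0x0, ttl 128, id 18487, offset 0, flags [none], proto UDP (17), length 148)
    10.0.248.10.123 > 172.16.2.1.123: NTPv3, Client, length 120
"""

if __name__ == "__main__":
    for req in unanswered_requests(SAMPLE):
        # Assumption: trailing bytes after the header are the signature.
        kind = "signed" if req["trailing_bytes"] > 0 else "unsigned"
        print(f'{req["ts"]} {req["client"]}: {kind} request, '
              f'{req["length"]} bytes, no reply')
```
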
dcardon

January 22, 2026 - 4:45 PM

Hello Julien,

Regarding the DC(s), does Chrony say it's very happy with MS-SNTP?

Code:

# cat  daemon.log | grep MS-SNTP
Sep  4 19:18:52 dc-xxxxx chronyd[893]: MS-SNTP authentication enabled

and that there is no

Code:

CONFIG: MS-SNTP signd operations currently block ntpd degrading service to all clients.

Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
yaldoo

January 23, 2026 - 09:27

Thank you for your replies. The logs seem OK on both of my DCs.

Code:

# sudo journalctl -g "MS-SNTP"
Jan 23 08:45:13 ad-xxxxxx chronyd[801]: MS-SNTP authentication enabled

I don't have a log file in /var/log/chrony though.

I tried upgrading and rebooting... nothing worked.

In your opinion, can I push an NTP server via GPO?
dcardon

February 6, 2026 - 9:36 AM

Hi Julien,

By default, Windows workstations will operate in NT5DS NTP mode, meaning they will connect to domain controllers for NTP using a secure method (SNTP) based on the machine's Active Directory account.

If needed, you can implement a Group Policy Object (GPO) to point to other NTP servers, but this will then be standard NTP instead of SNTP, which I don't think is a problem unless you need a network with a high level of security.

But anyway, NT5DS NTP mode should work out of the box...

Best regards,

Denis