× Welcome to the Centrify Community! Looking for Express & Smart Card Help? Click Here

MAC OS X ntp.conf resetting to DC & DC NTP timeout

Showing results for 
Search instead for 
Do you mean 
Reply
Participant II
Posts: 5
Registered: ‎04-13-2017
#1 of 9 1,008
Accepted Solution

MAC OS X ntp.conf resetting to DC & DC NTP timeout

I have a problem that I need some assistance with.

 

On the MAC OS X (El Capitan), the /etc/ntp.conf keeps getting overwritten to a DC instead of our organizational time server. The DCs are synced to the organizational time server, but the Mac centrify clients (CentrifyDC 5.3.3-602) can not sync to the DCs.  The DCs have NTP enabled but adinfo --test shows

ntp:  udp/123 timeout.

 

So...2 problems: 

1) the DCs do not let the mac clients sync to them as an NTP client.

2) the /etc/ntp.conf file gets overwritten with a DC.

    I have set the option:    adclient.sntp.enabled: false   in /etc/centrifydc/centrifydc.conf

    and configured our orgizational time sever in the /etc/ntp.conf.

    

 

We are not using group policy on the Mac clients.

The windows clients (using group policy) set to our organizational time server.

 

 

 

 

Centrify Guru I
Posts: 1,719
Registered: ‎07-26-2012
#2 of 9 1,001

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

@Sofia,

 

After making the configuration change, did you run 'sudo adreload'  or restart the CentrifyDC client?

 

That is needed for the changes to be committed.

 

Note that at that point you are responsible for keeping the client time within 5 minutes of the AD domain controllers.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:
Participant II
Posts: 5
Registered: ‎04-13-2017
#3 of 9 940

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

I have done that and have rebooted the workstation (mac) multiple times.

 

If I run a adgpudate it will set it back.

 

I have found in mac_mapper_ntp.pl the following:

 

# By default adclient will use its own NTP client.
# The default behavior can be overriden by:
# 1. a standard Microsoft Policy:
# Software\Policies\Microsoft\W32time\TimeProviders\NtpClient
# This standard policy can be found in Windows\inf\system.adm, and can be
# set in GPOE under:
# Computer Configuration -> Administrative Template -> System ->
# Windows Time Service -> Time Providers -> Enable Windows NTP Client.
# 2. adclient.sntp.enabled property in centrifydc.conf.
#
#
# Map: 1. modify /etc/ntp.conf based on the status of adclient NTP service
# Enable: enable system NTP service and set domain controller
# as NTP server
# Disable: do not change the status of system NTP service,
# but restore original NTP server setting
#
# Unmap: do not change the status of system NTP service, but restore
# original NTP server setting

------------------------------------------------------

Number 2 does not work.  even if set this option to false, it is set back to true

 

It seems number 1 is performing this action no matter what I do.

 

I'd like to permanently disable the adclient NTP function where it puts it back to 

the DC.

I am thinking of using the SetAdditionalProperties.pl script to set the adclient.sntp.enabled to false.

 

 

 

 

 

Centrify Guru I
Posts: 1,719
Registered: ‎07-26-2012
#4 of 9 938

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

You did not answer my original question.

 

After making the change in the configuration file, run `sudo adreload`  or restart CentrifyDC, I did not say to run agpupdate (if you are using Express, Group Policies won't work for you).

 

Note that you an use these tips:

 

To parse the contents of the centrify.conf file
$ adinfo --config

 

To show the client's in memory configuration parameters
$ adinfo --sysinfo config

 

These are from the cheat sheet: http://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/ba-p/22568

 

This way you know what's in the config file, vs what adclient is working with.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:
Participant II
Posts: 5
Registered: ‎04-13-2017
#5 of 9 936

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

Actually I did.  I stated that I did that & also rebooted multiple times.

 

Anyway..here is the relevant answers:

 

adinfo --config

adclient.sntp.enabled: true

 

adinfo --sysinfo config

adclient.sntp.enabled: true

 

now..I will perform the update (to the config file and reload)

/etc/centrifydc/centrifydc.conf

adclient.sntp.enabled: false

 

adreload (I am sudoed to root)

 

Ok...now

adinfo --config

adclient.sntp.enabled: false

 

adinfo --sysinfo config

adclient.sntp.enabled: false

 

rebooting.....

 

/etc/centrifydc/centrifydc.conf

adclient.sntp.enabled: true  (This is upon login..the setting reverted to true)

 

adinfo --config

adclient.sntp.enabled: true

 

adinfo --sysinfo config

adclient.sntp.enabled: true

 

Any other ideas?  what process would be overriding the config file and putting that setting back?

 

Centrify Guru I
Posts: 1,719
Registered: ‎07-26-2012
#6 of 9 927

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

I can think of group policy or a DevOps solution.

What does adinfo say about licensed features?

 

Are you a commercial customer?

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify:
Participant II
Posts: 5
Registered: ‎04-13-2017
#7 of 9 924

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

adinfo:

Licensed Features: Enabled

 

I don't think we are a commercial customer.  

 

 

Participant II
Posts: 5
Registered: ‎04-13-2017
#8 of 9 848

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

SOLVED:

 

Windows domain group policy was not allowing configuration for the domain controllers (separate group policy) that was enabling the NTP server.

 

So...Domain controllers had NTP client and server enabled.  Domain computers only had NTP client enabled.

Domain controllers were not getting their server enabled.  

 

This issue has been resolved..

 

Highlighted
Centrify Guru I
Posts: 1,719
Registered: ‎07-26-2012
#9 of 9 846

Re: MAC OS X ntp.conf resetting to DC & DC NTP timeout

@Sofia, thanks for letting-us know.  Don't forget to mark your post as the solution.  Smiley Happy

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify: