----- Original Message -----> From: "Andrew Martin" <amartin at xes-inc.com>
> To: samba at lists.samba.org
> Sent: Monday, July 8, 2013 4:34:17 PM
> Subject: [Samba] Samba4, NTP, and Ubuntu 12.04
>
> Hello,
>
> I have a question regarding signed NTP support for Samba4 on Ubuntu
> 12.04. I have followed most of the steps outlined here:
> https://wiki.samba.org/index.php/Configure_NTP
>
> These steps I did differently are:
> * I did not install from source because the latest Ubuntu package for
> ntp available on Ubuntu 12.04 includes ntp-signd support already
> * I did not install Samba4 to /usr/local/samba, so I also modified
> that part of ntp.conf
> * Ubuntu uses AppArmor instead of SELinux - I found that the apparmor
> profile for ntp already includes support for ntp-signd for Samba4:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/930266
>
> Therefore, I created the /var/run/samba/ntp_signd directory and set
> permissions on it:
> # mkdir /var/run/samba/ntp_signd
> # chown root:ntp /var/run/samba/ntp_signd
> # chmod 0750 /var/run/samba/ntp_signd
> # ls -l /var/run/samba | grep ntp_signd
> drwxr-x--- 2 root ntp 40 Jul 8 13:59 ntp_signd
>
> The contents of my /etc/ntp.conf are:
> server 0.us.pool.ntp.org
> server 1.us.pool.ntp.org
> server 2.us.pool.ntp.org
> server 3.us.pool.ntp.org
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /var/run/samba/ntp_signd
> restrict default kod nomodify notrap nopeer mssntp
> restrict 127.0.0.1
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
> noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer
> noquery
>
> I then restarted ntpd with "service ntp restart" and attempted to
run
> "w32tm /rsync" from a domain member. Using Wireshark, I see the
> query packet leave the client going to the server, but the server
> never sends a packet in response. Performing an strace on the ntpd
> process reveals that it cannot access
> /var/run/samba/ntp_signd/socket - "No such file or directory".
After
> trying a number of things (permissions, other locations for
> ntp_signd, changes to ntp.conf), I eventually reverted to this
> (above) configuration.
>
> After a period of time, it just starts working. I can run "w32tm
> /resync" successfully and see the response packet from the server
> via Wireshark. I then rebooted the Samba4 DC server to test that it
> continues to work after a restart. The /var/run directory is emptied
> on reboot, so now the /var/run/samba directory does not contain
> ntp_signd; it does not exist. Yet even with that directory not
> existing, the Windows client is still able to sync time from the
> server! The strace no longer contains the "No such file or
> directory" error. How is this possible? Is this working correctly?
>
> Thanks,
>
> Andrew
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Shortly after sending this, it seems that it is broken again.
Running "w32tm /resync /rediscover" results in the following
when running an strace of ntpd:
clock_gettime(CLOCK_REALTIME, {1373319691, 901532802}) = 0
select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
clock_gettime(CLOCK_REALTIME, {1373319692, 870307370}) = 0
select(23, [16 17 18 19 20 21 22], NULL, NULL, {0, 0}) = 1 (in [19], left {0,
0})
recvmsg(19, {msg_name(16)={sa_family=AF_INET, sin_port=htons(123),
sin_addr=inet_addr("192.168.0.12")},
msg_iov(1)=[{"\333\0\21\372\0\0\17\37\0\10\344W\0\0\0\0\325\205\256\367\16c\343\325\0\0\0\0\0\0\0\0"...,
2120}], msg_controllen=32, {cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=0x1d
/* SCM_??? */, ...}, msg_flags=0}, 0) = 68
recvmsg(19, 0x7fff97a8af90, 0) = -1 EAGAIN (Resource temporarily
unavailable)
clock_gettime(CLOCK_REALTIME, {1373319692, 871317466}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE,
path="/var/run/samba/ntp_signd/socket"}, 110) = -1 ENOENT (No such
file or directory)
close(4) = 0
I verified permissions on ntp_signd:
# ls -l /var/run/samba/ | grep ntp_signd
drwxr-x--- 2 root ntp 40 Jul 8 16:40 ntp_signd
On Ubuntu, ntpd runs as the "ntp" user (UID 106) and group
"ntp" (GID 113):
# ps aux | grep ntp
ntp 12984 0.0 0.0 41924 2212 ? Ss 16:38 0:00 /usr/sbin/ntpd
-p /var/run/ntpd.pid -g -u 106:113
Therefore, I tried chowning ntp_signd to ntp:ntp, but this did not improve the
situation.
The syslog does not reveal any errors:
ntpd 4.2.6p3 at 1.2290-o Tue Jun 5 20:12:08 UTC 2012 (1)
ntpd[13187]: proto: precision = 0.166 usec
ntpd[13187]: ntp_io: estimated max descriptors: 1024, initial socket boundary:
16
ntpd[13187]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[13187]: Listen and drop on 1 v6wildcard :: UDP 123
ntpd[13187]: Listen normally on 2 lo 127.0.0.1 UDP 123
ntpd[13187]: Listen normally on 3 eth0 10.52.0.102 UDP 123
ntpd[13187]: Listen normally on 4 eth0 fe80::5054:ff:fece:1e3b UDP 123
ntpd[13187]: Listen normally on 5 lo ::1 UDP 123
ntpd[13187]: peers refreshed
ntpd[13187]: Listening on routing socket on fd #22 for interface updates
ntpd degrading service to all clients.
Waiting a few more minutes and it is working again, with no
errors in the syslog. I have not seen the
/var/run/samba/ntp_signd/socket socket file created at any
point during this testing. Any ideas on what I can do to
fix this Samba4 NTP setup?
Thanks,
Andrew