----- Original Message -----
> From: "Andrew Martin" <amar...@xes-inc.com>
> To: samba@lists.samba.org
> Sent: Monday, July 8, 2013 4:34:17 PM
> Subject: [Samba] Samba4, NTP, and Ubuntu 12.04
>
> Hello,
>
> I have a question regarding signed NTP support for Samba4 on Ubuntu
> 12.04. I have followed most of the steps outlined here:
> https://wiki.samba.org/index.php/Configure_NTP
>
> The steps I did differently are:
> * I did not install from source because the latest Ubuntu package for
>   ntp available on Ubuntu 12.04 includes ntp-signd support already
> * I did not install Samba4 to /usr/local/samba, so I also modified
>   that part of ntp.conf
> * Ubuntu uses AppArmor instead of SELinux - I found that the apparmor
>   profile for ntp already includes support for ntp-signd for Samba4:
>   https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/930266
>
> Therefore, I created the /var/run/samba/ntp_signd directory and set
> permissions on it:
> # mkdir /var/run/samba/ntp_signd
> # chown root:ntp /var/run/samba/ntp_signd
> # chmod 0750 /var/run/samba/ntp_signd
> # ls -l /var/run/samba | grep ntp_signd
> drwxr-x--- 2 root ntp 40 Jul 8 13:59 ntp_signd
>
> The contents of my /etc/ntp.conf are:
> server 0.us.pool.ntp.org
> server 1.us.pool.ntp.org
> server 2.us.pool.ntp.org
> server 3.us.pool.ntp.org
> server 127.127.1.0
> fudge 127.127.1.0 stratum 10
> server 0.pool.ntp.org iburst prefer
> server 1.pool.ntp.org iburst prefer
> driftfile /var/lib/ntp/ntp.drift
> logfile /var/log/ntp
> ntpsigndsocket /var/run/samba/ntp_signd
> restrict default kod nomodify notrap nopeer mssntp
> restrict 127.0.0.1
> restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
> restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
>
> I then restarted ntpd with "service ntp restart" and attempted to run
> "w32tm /rsync" from a domain member. Using Wireshark, I see the
> query packet leave the client going to the server, but the server
> never sends a packet in response. Performing an strace on the ntpd
> process reveals that it cannot access
> /var/run/samba/ntp_signd/socket - "No such file or directory". After
> trying a number of things (permissions, other locations for
> ntp_signd, changes to ntp.conf), I eventually reverted to this
> (above) configuration.
>
> After a period of time, it just starts working. I can run "w32tm
> /resync" successfully and see the response packet from the server
> via Wireshark. I then rebooted the Samba4 DC server to test that it
> continues to work after a restart. The /var/run directory is emptied
> on reboot, so now the /var/run/samba directory does not contain
> ntp_signd; it does not exist. Yet even with that directory not
> existing, the Windows client is still able to sync time from the
> server! The strace no longer contains the "No such file or
> directory" error. How is this possible? Is this working correctly?
>
> Thanks,
>
> Andrew
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

Shortly after sending this, it seems that it is broken again. Running
"w32tm /resync /rediscover" results in the following when running an
strace of ntpd:

clock_gettime(CLOCK_REALTIME, {1373319691, 901532802}) = 0
select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
clock_gettime(CLOCK_REALTIME, {1373319692, 870307370}) = 0
select(23, [16 17 18 19 20 21 22], NULL, NULL, {0, 0}) = 1 (in [19], left {0, 0})
recvmsg(19, {msg_name(16)={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.0.12")}, msg_iov(1)=[{"\333\0\21\372\0\0\17\37\0\10\344W\0\0\0\0\325\205\256\367\16c\343\325\0\0\0\0\0\0\0\0"..., 2120}], msg_controllen=32, {cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=0x1d /* SCM_??? */, ...}, msg_flags=0}, 0) = 68
recvmsg(19, 0x7fff97a8af90, 0) = -1 EAGAIN (Resource temporarily unavailable)
clock_gettime(CLOCK_REALTIME, {1373319692, 871317466}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path="/var/run/samba/ntp_signd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4) = 0

I verified permissions on ntp_signd:

# ls -l /var/run/samba/ | grep ntp_signd
drwxr-x--- 2 root ntp 40 Jul 8 16:40 ntp_signd

On Ubuntu, ntpd runs as the "ntp" user (UID 106) and group "ntp" (GID 113):

# ps aux | grep ntp
ntp 12984 0.0 0.0 41924 2212 ? Ss 16:38 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 106:113

Therefore, I tried chowning ntp_signd to ntp:ntp, but this did not improve
the situation. The syslog does not reveal any errors:

ntpd 4.2.6p3@1.2290-o Tue Jun 5 20:12:08 UTC 2012 (1)
ntpd[13187]: proto: precision = 0.166 usec
ntpd[13187]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
ntpd[13187]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
ntpd[13187]: Listen and drop on 1 v6wildcard :: UDP 123
ntpd[13187]: Listen normally on 2 lo 127.0.0.1 UDP 123
ntpd[13187]: Listen normally on 3 eth0 10.52.0.102 UDP 123
ntpd[13187]: Listen normally on 4 eth0 fe80::5054:ff:fece:1e3b UDP 123
ntpd[13187]: Listen normally on 5 lo ::1 UDP 123
ntpd[13187]: peers refreshed
ntpd[13187]: Listening on routing socket on fd #22 for interface updates
ntpd degrading service to all clients.

Waiting a few more minutes and it is working again, with no errors in the
syslog. I have not seen the /var/run/samba/ntp_signd/socket socket file
created at any point during this testing. Any ideas on what I can do to
fix this Samba4 NTP setup?

Thanks,

Andrew
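A prerequisite check for the signed-NTP setup the thread describes, added here as an example (it is not code from the mail or from the Samba project); it assumes Andrew's paths /etc/ntp.conf and /var/run/samba/ntp_signd and that ntpd runs as group "ntp", as in his ps output.

```shell
#!/bin/sh
# Added diagnostic for the signed-NTP setup in this thread; it is not code
# from the mail or from Samba. Assumes Andrew's paths (/etc/ntp.conf,
# /var/run/samba/ntp_signd) and that ntpd runs as group "ntp".

# ntp.conf must name the signd *directory* (ntpd appends "/socket" itself,
# which is the path seen in the strace) and the restrict line that covers
# domain members must carry "mssntp", which enables signing for them.
check_ntp_conf() {   # args: path to ntp.conf, expected signd directory
    conf=$1 want=$2
    dir=$(awk '$1 == "ntpsigndsocket" { print $2; exit }' "$conf")
    if [ -z "$dir" ]; then
        echo "no ntpsigndsocket directive in $conf"; return 1
    fi
    if [ "$dir" != "$want" ]; then
        echo "ntpsigndsocket is $dir, expected $want"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]].*[[:space:]]mssntp' "$conf"; then
        echo "no restrict line with mssntp in $conf"; return 1
    fi
    return 0
}

# The directory must exist, be accessible to ntpd's group, and hold the
# socket that samba creates for ntp_signd. A missing socket (the ENOENT in
# the strace) means samba is not listening; ntpd's side is configured fine.
check_signd_dir() {   # args: signd directory, group ntpd runs as
    dir=$1 grp=$2
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist (/var/run is cleared on reboot)"; return 1
    fi
    owner_grp=$(ls -ld "$dir" | awk '{ print $4 }')
    if [ "$owner_grp" != "$grp" ]; then
        echo "$dir is group $owner_grp but ntpd runs as group $grp"; return 1
    fi
    if [ ! -S "$dir/socket" ]; then
        echo "$dir/socket missing: samba has not created the ntp_signd socket"; return 1
    fi
    return 0
}

# Run the live checks only when asked, so the functions can also be sourced.
case "${1:-}" in
    --live)
        check_ntp_conf /etc/ntp.conf /var/run/samba/ntp_signd &&
        check_signd_dir /var/run/samba/ntp_signd ntp &&
        echo "signed NTP prerequisites look right" ;;
esac
```

Run it as root with `--live` on the DC; each failing check prints which of the three prerequisites (directive, restrict flag, socket) is the one missing.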