Package: ntpsec
Version: 1.2.2+dfsg1-1
Severity: normal
X-Debbugs-Cc: stevem...@gmail.com

Dear Maintainer,

On my LAN, I run Samba on Debian servers to implement Domain
Controllers (DCs) for an Active Directory (AD) domain. Per the Samba
documentation, I have set up authenticated time service (known as
MS-SNTP) on the DCs for Windows clients. Non-Windows clients also use
the DCs for non-auth time service, via unicast [S]NTP. Up to and
including bullseye, I have always used the 'ntp' package for this
purpose on the DCs, and it was functional.

Recently, however, upon upgrading from bullseye to bookworm, I found
that the DCs would no longer respond correctly to client requests for
time service. In other words, neither authenticated clients (Windows,
MS-SNTP) nor non-auth clients ([S]NTP) would receive any valid time
responses from the DCs running on bookworm.

Doing some experimentation, I discovered that when the 'mssntp'
keyword was removed from the 'restrict' line in 'ntp.conf', non-auth
time service was restored to clients (while MS-SNTP was disabled,
ofc). I can only assume this is a bug in the 'ntpsec' implementation
of MS-SNTP.

Without MS-SNTP service working on the DCs, Windows domain clients
(with the default time client settings) never receive time service
from the DCs as they should. Although it is easy enough to modify the
Windows time client settings to use non-auth NTP services, it would
be nice for MS-SNTP to work as advertised in 'ntpsec'.

Please let me know if there's any more information I can provide to
aid in troubleshooting/debugging this issue.

Thank you for your time.

Cheers,
-S.M.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-6-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ntpsec depends on:
ii  adduser                    3.131
ii  init-system-helpers        1.65.2
ii  libbsd0                    0.11.7-2
ii  libc6                      2.36-8
ii  libcap2                    1:2.66-3
ii  libssl3                    3.0.8-1
ii  netbase                    6.4
ii  python3                    3.11.2-1
ii  python3-ntp                1.2.2+dfsg1-1
ii  sysvinit-utils [lsb-base]  3.06-2
ii  tzdata                     2022g-7

Versions of packages ntpsec recommends:
ii  cron [cron-daemon]  3.0pl1-162
ii  systemd             252.6-1

Versions of packages ntpsec suggests:
ii  apparmor       3.0.8-3
pn  certbot        <none>
pn  ntpsec-doc     <none>
pn  ntpsec-ntpviz  <none>

-- Configuration Files:
/etc/ntpsec/ntp.conf changed:
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statsdir /var/log/ntpsec/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
tos maxclock 11
tos minclock 4 minsane 3
tos orphan 7
tinker panic 0
ntpsigndsocket /var/lib/samba/ntp_signd/
server 10.150.10.10 iburst burst prefer
server 10.150.10.11 iburst burst prefer
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
pool 2.pool.ntp.org iburst
pool 3.pool.ntp.org iburst
restrict default kod nomodify limited mssntp
restrict 127.0.0.1
restrict ::1


-- no debconf information
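
A minimal probe for the two request types described in this report, as an added example that is not part of the original report and is not ntpsec or Samba code. It sends a plain client request and an MS-SNTP-style request (48-byte NTP header, little-endian key identifier carrying the account RID, 16 zero bytes) and reports whether a usable server reply comes back. The function names, the RID argument and the command-line usage are assumptions for illustration.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_request(rid=None, now=None):
    """Mode 3 (client) request; with rid, append an MS-SNTP authenticator."""
    now = time.time() if now is None else now
    secs = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    pkt = struct.pack("!B39xII", 0x23, secs, int((now % 1) * 2**32))
    if rid is not None:
        pkt += struct.pack("<I", rid) + bytes(16)  # assumed: LE RID, zero checksum
    return pkt


def parse_reply(data, request):
    """Decode the header fields needed to judge a reply; None if truncated."""
    if len(data) < 48:
        return None
    return {"leap": data[0] >> 6, "mode": data[0] & 0x7, "stratum": data[1],
            "origin_ok": data[24:32] == request[40:48],  # echoes our transmit time
            "authenticator": len(data) >= 68}  # present, not verified here


def usable(reply):
    """True for a synchronized server reply (not kiss-o'-death, not unsynced)."""
    return bool(reply and reply["mode"] == 4 and reply["leap"] != 3
                and 1 <= reply["stratum"] <= 15 and reply["origin_ok"])


def probe(host, rid=None, timeout=2.0):
    """Send one request to host:123 (IPv4); parsed reply, or None on timeout."""
    request = build_request(rid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data, request)


if __name__ == "__main__":
    host, rid = sys.argv[1], int(sys.argv[2])  # rid: RID of a machine account
    for name, r in (("plain NTP", probe(host)), ("MS-SNTP", probe(host, rid))):
        print(name, "usable" if usable(r) else "no usable reply", r)
```

Running it against a DC with and without `mssntp` on the `restrict` line shows which of the two request types gets a usable reply, a kiss-o'-death (stratum 0) or nothing at all.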
