MSSNTP issue.

maurizio at cimaschi.it maurizio at cimaschi.it
Sun Aug 2 12:54:52 UTC 2020


Dear all,
I've got an issue trying to use NTPsec to sync the clock of WIN machines
to a DC running on a Raspberry PI-4.
NTPsec works normally without the "mssntp" keyword; by this I mean that
it syncs to external NTP servers, disciplines the local clock, and acts
as a local server for non-authenticated clients. But if I add the
"mssntp" keyword it stops answering clients while it continues to
discipline the local clock to NTP servers.
The logs do not show anything related to this issue, so I'm really
puzzled.

Some info about the environment.

OS:
Linux raspberry 5.4.51-v7l+ #1327 SMP Thu Jul 23 11:04:39 BST 2020 armv7l GNU/Linux

NTP version:
ntpd ntpsec-1.1.3 2019-11-18T06:04:00Z

NTPsec configuration file:
*****
# /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list

# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.
#statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable

# Comment this out if you have a refclock and want it to be able to discipline
# the clock by itself (e.g. if the system is not connected to the network).
tos minclock 1 minsane 1

# Specify one or more NTP servers.

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <https://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server ntp1.inrim.it
server ntp2.inrim.it
server ntp.se

# Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html
# for details.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.


# By default, exchange time with everybody, but don't allow configuration.
restrict default kod notrap nomodify nopeer noquery limited

# NTP Sign
ntpsigndsocket /var/lib/samba/ntp_signd
restrict 192.168.38.0/24 mssntp notrap nomodify nopeer noquery
#restrict 192.168.38.0/24 notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# logging
logconfig +syncall +clockall +peerall +sysall
*****

NTP sync:
     remote           refid      st t when poll reach   delay   offset   jitter
===============================================================================
*ntp1.inrim.it   .CTD.            1 u  113  128  377  27.5032   0.1769   0.1682
-ntp2.inrim.it   .CTD.            1 u   55  128  377  30.0795   1.8471   0.1513
-ntp.se          .PPS.            1 u  118  128  377  49.9124  -4.2151   0.1523


Timedatectl:
               Local time: Sun 2020-08-02 12:50:18 UTC
           Universal time: Sun 2020-08-02 12:50:18 UTC
                 RTC time: n/a
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no

Strace to the ntp_sign socket (it seems to work to me):
socket(AF_UNIX, SOCK_STREAM, 0)         = 4
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd/socket"}, 110) = 0
write(4, "\0\0\0@", 4)                  = 4
write(4, "\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0$\2\10\363\0\0\7{\0\0\360\254\301\314r\350"..., 64) = 64
read(4, "\0\0\0\f", 4)                  = 4
read(4, "\0\0\0\0\0\0\0\4\0\0\1\0", 12) = 12
close(4)                                = 0


Thank you for your interest in the subject. Regards
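
Added example (not part of the original post, and not NTPsec or Samba code): a decoder for the two length-prefixed messages in the strace above. The byte strings are copied from the strace, with the request only as far as strace printed it. The header layout and op-code names are assumptions taken from Samba's ntp_signd IDL.

```python
import struct

# Bytes copied from the strace in the post. strace printed only the first
# 32 bytes of the 64-byte request ("..."), so only that prefix is decoded.
REQ_LEN = b"\0\0\0@"
REQ_HEAD = (b"\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0"
            b"$\2\10\363\0\0\7{\0\0\360\254\301\314r\350")
REPLY_LEN = b"\0\0\0\f"
REPLY = b"\0\0\0\0\0\0\0\4\0\0\1\0"

# Assumption: op-code names as defined in Samba's ntp_signd IDL.
OPS = {0: "SIGN_TO_CLIENT", 1: "ASK_SERVER_TO_SIGN",
       2: "CHECK_SERVER_SIGNATURE", 3: "SIGNING_SUCCESS",
       4: "SIGNING_FAILURE"}


def frame_len(prefix):
    """Each message is preceded by a 4-byte big-endian length."""
    return struct.unpack(">I", prefix)[0]


def parse_request(payload):
    """Decode the 16-byte request header and the start of the NTP packet."""
    version, op = struct.unpack_from(">II", payload, 0)
    key_id = struct.unpack_from("<I", payload, 12)[0]  # assumed little-endian
    flags, stratum, poll, precision = struct.unpack_from(">BBbb", payload, 16)
    return {"version": version, "op": OPS.get(op, op),
            "packet_id_raw": payload[8:12].hex(), "key_id": key_id,
            "ntp": {"leap": flags >> 6, "vn": (flags >> 3) & 7,
                    "mode": flags & 7, "stratum": stratum,
                    "poll": poll, "precision": precision}}


def parse_reply(payload):
    """Decode the 12-byte reply header; anything after it is the signed packet."""
    version, op, packet_id = struct.unpack_from(">III", payload, 0)
    return {"version": version, "op": OPS.get(op, op),
            "packet_id": packet_id, "signed_len": len(payload) - 12}


if __name__ == "__main__":
    print(frame_len(REQ_LEN), parse_request(REQ_HEAD))
    print(frame_len(REPLY_LEN), parse_reply(REPLY))
```

Under this layout the 12-byte reply in the strace is the header alone, with no signed NTP packet after it.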

