Old 10-05-2018, 06:46 AM   #1
miccze
LQ Newbie
 
Registered: Sep 2018
Distribution: Centos
Posts: 17

chronyd: No suitable source for synchronisation


Hi,

I have set up a Samba AD domain controller and now I'm trying to add another CentOS 7 host to the domain. I'm stuck on time sync. Since the added host is a VM, I will need time synchronisation. I have installed Chrony on both nodes. On the PDC it works like a charm; it's perfectly syncing the time with the pool.ntp servers.
My PDC's chrony.conf:
Code:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
hwclockfile /etc/adjtime

# This directive enables kernel synchronisation (every 11 minutes) of the
# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
rtcsync

# ipaddress of this DC
bindcmdaddress 192.168.8.210
bindcmdaddress 0.0.0.0
bindcmdaddress ::

cmdallow 192.168.8.0/24 # dns netmask

ntpsigndsocket  /usr/local/samba/var/lib/ntp_signd

output of chronyc sources command:
Code:
[root@rpicent1 mcadmin]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- 46.175.224.7.maxnet.net.>     3   8   377   183   +104us[ +104us] +/-   89ms
^* time.assecobs.pl              1   8   377   241    -16ms[  -14ms] +/-   40ms
^- afrodyta.complex.net.pl       2   8   377   178    -21ms[  -21ms] +/-   77ms
^+ ntp2.tktelekom.pl             2   8   377   310  -5573us[-3753us] +/-   60ms
and open ports:
Code:
[root@rpicent1 mcadmin]# netstat -plaunt | grep chronyd
udp 0 0 0.0.0.0:323 0.0.0.0:* 1814/chronyd
udp6 0 0 :::323 :::* 1814/chronyd


The problem comes when I'm trying to sync the domain-member-to-be with the PDC's chronyd. Below is the setup on the CentOS VM I'm trying to add to the domain:

/etc/chrony.conf:
Code:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server rpicent1.mcnet.local iburst
server 192.168.8.210 iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

# Stop bad estimates upsetting machine clock
maxupdateskew 100.0

# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
hwclockfile /etc/adjtime


#ipaddress of this Unix domain member
bindcmdaddress 192.168.8.200

#specify source port
acquisitionport 323

chronyc sources:
Code:
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 192.168.8.210                 0   6     0     -     +0ns[   +0ns] +/-    0ns
When I stop chronyd and try to manually sync the time I get this:
Code:
[root@MCCentos01 mcadmin]# chronyd -q 'pool 192.168.8.210 iburst'
2018-10-04T13:06:07Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
2018-10-04T13:06:07Z Initial frequency -18.428 ppm
2018-10-04T13:06:17Z No suitable source for synchronisation
2018-10-04T13:06:17Z chronyd exiting

I can't find much on this
Code:
No suitable source for synchronisation
error in chrony.
Has anyone had a similar problem? Any help?

Thanks,
 
Old 10-05-2018, 08:14 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,744

Code:
# Allow NTP client access from local network.
#allow 192.168.0.0/16
As far as I know you still need to use the allow directive for clients to access the server.
 
Old 10-05-2018, 09:28 AM   #3
miccze
LQ Newbie
 
Registered: Sep 2018
Distribution: Centos
Posts: 17

Original Poster
I already have
Quote:
cmdallow 192.168.8.0/24 # dns netmask
in the PDC's chrony.conf. It should enable local network access.
Anyway, I uncommented that line in both the PDC's and the VM's (client) chrony.conf and still no luck. I even added the lines below to the client's chrony.conf to reflect the correct subnet in my network:
Quote:
cmdallow 192.168.8.0/24
Quote:
Allow 192.168.8.0/24
Still no luck.

Of course I am able to ping one from the other - they are within the same network.
What is wrong here?
 
Old 10-05-2018, 10:25 AM   #4
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,744

cmdallow and bindcmdaddress are for getting the status of the daemon via the chronyc command. They are not used by NTP clients trying to sync time.

The command port is 323 by default which is how chronyc talks to the daemon and why 323 is open on the server. Port 123 is used by clients to get the time information from the server. You set the acquisitionport i.e. data to 323 on the client. That isn't going to work.
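The two points in this reply (NTP clients are admitted by `allow`, not `cmdallow`, and `acquisitionport` must not be pointed at the 323 command port) are the kind of thing a small config audit catches before a service is restarted. The script below is an added example written for this thread, not code from the posters or from the chrony project. It reads a chrony.conf on stdin, returns the number of findings as its exit status, and carries constructed sample configs that mirror the posted PDC and VM files. The third check, enabled with the `vm` argument, is a caveat added from chrony's documented `makestep` semantics rather than from the thread: with a positive limit, `makestep` only steps the clock during the first few updates, so a guest resumed after a long pause is slewed slowly instead of stepped. Note that the netstat output in the first post shows chronyd bound only to 323/UDP; 123/UDP appears in post #5 once `allow` is active.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chrony.conf read on stdin.
# Exit status is the number of findings, so 0 means clean.
# Usage: chrony_audit [vm] < /etc/chrony.conf

chrony_audit() {
    vm=$1
    # Drop comments and blank lines first, so a commented-out '#allow' line
    # is not mistaken for an active directive.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d')
    findings=0

    # 1. NTP clients are admitted by 'allow'. 'cmdallow' and 'bindcmdaddress'
    #    only govern chronyc monitoring access on the command port (323/UDP);
    #    without 'allow', chronyd does not serve NTP on 123/UDP at all.
    if echo "$active" | grep -Eq '^[[:space:]]*cmdallow' &&
       ! echo "$active" | grep -Eq '^[[:space:]]*allow([[:space:]]|$)'; then
        echo "server: cmdallow set but no active 'allow' -> NTP clients on 123/UDP are refused"
        findings=$((findings + 1))
    fi

    # 2. 'acquisitionport' selects the client's NTP source port. 323 is the
    #    command port chronyd itself binds; NTP runs on 123/UDP.
    if echo "$active" | grep -Eq '^[[:space:]]*acquisitionport[[:space:]]+323([[:space:]]|$)'; then
        echo "client: acquisitionport 323 collides with the command port; unset it or use 123"
        findings=$((findings + 1))
    fi

    # 3. VM caveat (added here from chrony's makestep documentation, not from
    #    the thread): a positive limit only allows stepping during the first
    #    <limit> updates; 'makestep 1 -1' removes the limit.
    if [ "$vm" = vm ] &&
       echo "$active" | grep -Eq '^[[:space:]]*makestep[[:space:]]+[0-9.]+[[:space:]]+[1-9]'; then
        echo "vm: makestep limit is finite; a large offset after a pause will be slewed, not stepped"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: the posted PDC config (allow commented out, cmdallow set).
sample_bad_server_conf() {
    cat <<'EOF'
server 0.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
# Allow NTP client access from local network.
#allow 192.168.0.0/16
bindcmdaddress 0.0.0.0
cmdallow 192.168.8.0/24 # dns netmask
EOF
}

# Constructed sample: the posted VM client config.
sample_bad_client_conf() {
    cat <<'EOF'
server 192.168.8.210 iburst
makestep 1.0 3
bindcmdaddress 192.168.8.200
acquisitionport 323
EOF
}

# Constructed sample: PDC with an active allow for the client subnet.
sample_fixed_server_conf() {
    cat <<'EOF'
server 0.centos.pool.ntp.org iburst
allow 192.168.8.0/24
cmdallow 192.168.8.0/24
makestep 1.0 3
EOF
}

# Constructed sample: VM client using the default source port, unlimited stepping.
sample_fixed_client_conf() {
    cat <<'EOF'
server 192.168.8.210 iburst
makestep 1 -1
bindcmdaddress 192.168.8.200
EOF
}

# Stand-alone demo over the constructed samples.
echo "== PDC as posted";   sample_bad_server_conf   | chrony_audit    || echo "   -> $? finding(s)"
echo "== VM as posted";    sample_bad_client_conf   | chrony_audit vm || echo "   -> $? finding(s)"
echo "== PDC corrected";   sample_fixed_server_conf | chrony_audit    || echo "   -> $? finding(s)"
echo "== VM corrected";    sample_fixed_client_conf | chrony_audit vm || echo "   -> $? finding(s)"
```

The audit deliberately strips comments before matching, which is exactly the trap in the first post: `#allow 192.168.0.0/16` reads as configured but is inert. The corrected server sample also narrows `allow` from the stock `/16` to the `/24` actually in use, so the NTP service is reachable from the domain subnet only.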
 
Old 10-05-2018, 11:17 AM   #5
miccze
LQ Newbie
 
Registered: Sep 2018
Distribution: Centos
Posts: 17

Original Poster
I tried connecting via port 123 before and it didn't work. I tried again now and it still doesn't work:

As you can see below, PDC server is listening on port 123:
Quote:
[root@rpicent1 mcadmin]# netstat -plaunt | egrep "chronyd"
udp 0 0 0.0.0.0:123 0.0.0.0:* 2413/chronyd
udp 0 0 0.0.0.0:323 0.0.0.0:* 2413/chronyd
udp6 0 0 :::323 :::* 2413/chronyd

On the client side i changed the acquisitionport to 123. Same issue. I commented the acquisitionport directive - no results. Still client cannot find suitable source for synchronisation.

Last edited by miccze; 10-05-2018 at 11:21 AM.
 
Old 10-05-2018, 11:43 AM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,744

Did you allow port 123 on the server's firewall?

I assumed you restarted chronyd on the server after you configured the allow directive? You need to wait for the server to sync before the client will see it as a suitable source.

Sync is when you see the * as the second character.
Code:
^* time.assecobs.pl              1   8   377   241    -16ms[  -14ms] +/-   40ms
 
Old 10-05-2018, 12:49 PM   #7
miccze
LQ Newbie
 
Registered: Sep 2018
Distribution: Centos
Posts: 17

Original Poster
Yes, I restarted chronyd on both client and server. The setup on the server works and it's connected to one of the pool servers:
Quote:
[root@rpicent1 mcadmin]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- ntp.wide-net.pl                    2   6     7     1   +470us[-2852us] +/-   68ms
^* 178.252.19.225.interneti>          2   6     7     0  -8138us[  -11ms] +/-   58ms
^- pestovo.admin.sardinasys>          3   6     7     1    -29ms[  -32ms] +/-  101ms
^+ ntp2.pl                            2   6     7     1  +5002us[+1680us] +/-   69ms
When I switched back to the pool servers on the client, it worked. So chronyd seems to be working fine on the client.
However, when I switch to the PDC as the source ...... BREAKTHROUGH - it worked!

Wow, I connected to the pool servers and then switched back to the PDC and it connected! Is it possible that the time was so different that it didn't work? And only after the time was properly set by the external servers it was able to connect? Output below:
Quote:
[root@MCCentos01 mcadmin]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.8.210                      3   6    17     6     -63us[ +581us] +/-   44ms

I'm a little worried now, because it's supposed to correct the time on the domain member. So it needs to work when the time is not correct - I will monitor this once the time goes wrong again. However, for now it seems to be working.
Michaelk, thanks again for your help. I will get back with further news. Stay tuned.
 
Old 10-15-2018, 03:41 AM   #8
miccze
LQ Newbie
 
Registered: Sep 2018
Distribution: Centos
Posts: 17

Original Poster
So chronyd connected successfully and has stayed connected since then.
However, since it's a virtual machine, whenever the host goes to sleep the VM also stops, so the time stops and resumes once the VM comes back up - and this still causes problems, because when it resumes, chrony does not re-synchronize time with the Domain Controller.
So I figured I would make a scheduled job in cron to restart chronyd.service every hour. Later I found out that it's a bad idea, because when time stops on the machine, the job doesn't meet its trigger to run (the hour).
So the next idea was to run a scheduled job on the Domain Controller which will remotely connect to the VM and restart chronyd.service. Time works fine on the DC so it should run regularly.
However, when I scheduled the job I got stuck on the need to interactively input a password to restart the service on the remote machine. So I tried to edit sudoers (visudo) and make a rule so my user would be able to operate services with no password.
So I made an override sudoers file which looks like this:
Quote:
[root@MCCentos01 MC]# cat /etc/sudoers.d/myOverrides
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
mcadmin ALL=(ALL) NOPASSWD: SERVICES
Overriding sudoers like this should eliminate the rule order problem, so the rules in the overrides should take precedence. Before I did it the override-file way, I tried editing sudoers directly - it didn't work. I added the rule at the end of the sudoers file and it still didn't work.

Result of sudo -l command:
Quote:
[mcadmin@MCCentos01 ~]$ sudo -l
Matching Defaults entries for mcadmin on MCCentos01:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User mcadmin may run the following commands on MCCentos01:
(ALL) ALL
(ALL) NOPASSWD: /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload,
/usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

And whenever I try to restart the service, it still asks me for a password. I'm looking for the reason and what should be done to solve the problem. I appreciate any help.

Last edited by miccze; 10-16-2018 at 02:42 AM. Reason: adding more information
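The thread ends without a resolution, but the `sudo -l` output above is enough to reason about it with sudoers(5)'s documented matching rules: a Cmnd listed with arguments (`/usr/bin/systemctl restart`) only matches when the typed arguments are exactly those, so `systemctl restart chronyd.service` falls through to the `(ALL) ALL` entry, which requires a password; a Cmnd listed without arguments (`/sbin/service`) matches any arguments; and when several entries match, the last one in file order decides. The script below is an added example written for this thread, not the posters' code and not sudo itself: a deliberately small model of that matching, with the entry lists constructed from the posted `sudo -l` output so the behaviour can be checked offline. The `*` handling (a glob that also matches spaces) is the model's simplification of sudo's wildcard matching.

```shell
#!/bin/sh
# Added example (not from the thread): a small model of sudoers command
# matching, to show why the posted NOPASSWD rule still prompts.
# Modelled from sudoers(5): a Cmnd without arguments matches any arguments;
# a Cmnd with arguments must match the typed arguments exactly, '*' being a
# wildcard that also matches spaces; the LAST matching entry decides.

# sudoers_cmnd_matches "<Cmnd from sudoers>" "<resolved command line>"
# Returns 0 if the Cmnd matches the command line, 1 otherwise.
sudoers_cmnd_matches() {
    rule_path=${1%% *}; rule_args=${1#"$rule_path"}; rule_args=${rule_args# }
    cmd_path=${2%% *};  cmd_args=${2#"$cmd_path"};   cmd_args=${cmd_args# }

    [ "$rule_path" = "$cmd_path" ] || return 1
    [ -z "$rule_args" ] && return 0          # no arguments listed: anything goes
    case "$cmd_args" in                      # pattern left unquoted so '*' globs
        $rule_args) return 0 ;;
    esac
    return 1
}

# sudo_decision "<entries>" "<resolved command line>"
# <entries>: one per line, "PASSWD <Cmnd>" or "NOPASSWD <Cmnd>", in sudoers
# order; ALL matches every command. Prints prompt, nopasswd or denied.
sudo_decision() {
    entries=$1; cmd=$2; result=denied
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        tag=${entry%% *}; cmnd=${entry#* }
        if [ "$cmnd" = ALL ] || sudoers_cmnd_matches "$cmnd" "$cmd"; then
            case $tag in
                NOPASSWD) result=nopasswd ;;
                *)        result=prompt ;;
            esac
        fi
    done <<EOF
$entries
EOF
    echo "$result"
}

# Constructed from the posted 'sudo -l': the '(ALL) ALL' entry first, then the
# override's Cmnd_Alias (only the members needed for the demonstration).
POSTED_ENTRIES='PASSWD ALL
NOPASSWD /sbin/service
NOPASSWD /usr/bin/systemctl restart
NOPASSWD /usr/bin/systemctl status'

# Least-privilege fix (hypothetical): name the unit in the Cmnd.
FIXED_ENTRIES='PASSWD ALL
NOPASSWD /usr/bin/systemctl restart chronyd.service'

# Wildcard variant (hypothetical): passwordless for every unit, not just chronyd.
WILDCARD_ENTRIES='PASSWD ALL
NOPASSWD /usr/bin/systemctl restart *'

demo() {
    for cmd in "/usr/bin/systemctl restart chronyd.service" \
               "/usr/bin/systemctl restart sshd.service" \
               "/sbin/service chronyd restart"; do
        printf '%-45s posted=%-8s fixed=%-8s wildcard=%s\n' "$cmd" \
            "$(sudo_decision "$POSTED_ENTRIES" "$cmd")" \
            "$(sudo_decision "$FIXED_ENTRIES" "$cmd")" \
            "$(sudo_decision "$WILDCARD_ENTRIES" "$cmd")"
    done
}
demo
```

Two consequences of the model are worth checking against a real host with `sudo -l <command>`: under the posted alias, `sudo systemctl restart chronyd.service` prompts, while `sudo service chronyd restart` would not, because `/sbin/service` is listed with no arguments and therefore matches any; and the `*` form removes the prompt for every unit, so the entry that names `chronyd.service` explicitly is the one that keeps the grant as narrow as the cron job needs.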
 