LinuxQuestions.org
Old 02-11-2024, 11:53 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,624

Please build ntpd with --enable-ntp-signd


This post is not so much an issue as a suggestion to the Slackware distribution maintainers. In future slackpkg updates, could you please build ntpd with the --enable-ntp-signd option?

Without this option the Linux host cannot act as an NTP time server to Windows computers. And, since Windows computers are an inevitability in any LAN nowadays, --enable-ntp-signd should be a default option. It certainly won't hurt anything to have that enabled even if the end user has no need to time-sync with Windows computers.

I just spent a couple of weeks getting this sorted out. I knew about this and thought I had built my ntpd from source with that option, but apparently I didn't do something right in the build process.

Likewise, I would suggest the SlackBuilds maintainer of chrony do the same.

Slackware makes a great Windows Active Directory domain controller, one command to provision -- except for this ntpd defect. ntp-signd is required for a domain controller with Windows domain members. If that were part of the distro, there would be zero extra work and the domain controller would be set up in a few minutes.

Thanks

Last edited by mfoley; 02-11-2024 at 03:49 PM.
 
Old 02-11-2024, 12:08 PM   #2
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,942

Quote:
Originally Posted by mfoley
could you please build ntpd with the --enable-ntp-signd option?
Slackware 15.0 and -current have ntp built with that option.
 
Old 02-11-2024, 11:18 PM   #3
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,624

Original Poster
Quote:
Originally Posted by Petri Kaukasoina
Slackware 15.0 and -current have ntp built with that option.
I tried using ntpd on 15.0. It does not work. If it did, I wouldn't have spent two weeks trying to figure out why the Windows domain members couldn't time-sync with the Slackware DC. Here is a tcpdump -v port 123 example:
Code:
# tcpdump -v -i eth0 port 123
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:23:07.468629 IP (tos 0x0, ttl 128, id 22607, offset 0, flags [none], proto UDP (17), length 96)
(query from Windows domain member)
    192.168.0.53.ntp > mail.hprs.local.ntp: NTPv3, Client, length 68
        Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 7 (128s), precision -23
        Root Delay: 0.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
          Reference Timestamp:  3916127270.315146199 (2024-02-05T13:07:50Z)
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3916480949.611151499 (2024-02-09T15:22:29Z)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3916480949.611151499 (2024-02-09T15:22:29Z)
        Key id: 1711538176
        Authentication: 00000000000000000000000000000000

(Response from Linux Slackware ntpd)
10:23:07.468836 IP (tos 0xb8, ttl 64, id 2268, offset 0, flags [DF], proto UDP (17), length 80)
    mail.hprs.local.ntp > 192.168.0.53.ntp: NTPv3, Server, length 52
        Leap indicator:  (0), Stratum 3 (secondary reference), poll 7 (128s), precision -19
        Root Delay: 0.035171, Root dispersion: 0.085723, Reference-ID: 0x179da0a8
          Reference Timestamp:  3916479890.214796580 (2024-02-09T15:04:50Z)
          Originator Timestamp: 3916480949.611151499 (2024-02-09T15:22:29Z)
          Receive Timestamp:    3916480987.468629691 (2024-02-09T15:23:07Z)
          Transmit Timestamp:   3916480987.468801127 (2024-02-09T15:23:07Z)
            Originator - Receive Timestamp:  +37.857478191
            Originator - Transmit Timestamp: +37.857649627
        Key id: 0
Notice the corresponding Key Id and Authentication response are missing. This is what it should look like:
Code:
00:13:50.097861 IP (tos 0x0, ttl 128, id 50708, offset 0, flags [none], proto UDP (17), length 96)
    192.168.0.53.ntp > mail.hprs.local.ntp: NTPv3, Client, length 68
        Leap indicator:  (0), Stratum 3 (secondary reference), poll 14 (16384s), precision -23
        Root Delay: 0.072402, Root dispersion: 0.229812, Reference-ID: 0xc0a80002
          Reference Timestamp:  3916695438.121388499 (2024-02-12T02:57:18Z)
          Originator Timestamp: 3916695438.048416776 (2024-02-12T02:57:18Z)
          Receive Timestamp:    3916695438.028704999 (2024-02-12T02:57:18Z)
          Transmit Timestamp:   3916703630.074392099 (2024-02-12T05:13:50Z)
            Originator - Receive Timestamp:  -0.019711776
            Originator - Transmit Timestamp: +8192.025975323
        Key id: 1711538176
        Authentication: 00000000000000000000000000000000

00:13:50.098870 IP (tos 0x0, ttl 64, id 9038, offset 0, flags [DF], proto UDP (17), length 96)
    mail.hprs.local.ntp > 192.168.0.53.ntp: NTPv3, Server, length 68
        Leap indicator:  (0), Stratum 2 (secondary reference), poll 14 (16384s), precision -20
        Root Delay: 0.068817, Root dispersion: 0.001937, Reference-ID: 0xcc11cd18
          Reference Timestamp:  3916703275.920825018 (2024-02-12T05:07:55Z)
          Originator Timestamp: 3916703630.074392099 (2024-02-12T05:13:50Z)
          Receive Timestamp:    3916703630.097181325 (2024-02-12T05:13:50Z)
          Transmit Timestamp:   3916703630.097409863 (2024-02-12T05:13:50Z)
            Originator - Receive Timestamp:  +0.022789225
            Originator - Transmit Timestamp: +0.023017763
        Key id: 1711538176
        Authentication: b142fcd974cf6a07576159effc2101f0
I tried with ntpd copied from another Slackware 15.0 system. Same result. I tried building ntpd from sources with --enable-ntp-signd. Same result.

If Slackware 15.0 ntpd is built with --enable-ntp-signd, it's not working. When I built the ntpd sources on 14.2 with --enable-ntp-signd it worked and ran properly for many years.

I finally downloaded the chrony sources and built that with --enable-ntp-signd and that's what gave the reply packet shown above.

Last edited by mfoley; 02-11-2024 at 11:25 PM.
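
The difference between the two captures in the post above (a 52-byte reply with key id 0 versus a 68-byte reply echoing the client's key id with a non-zero authenticator) can be checked programmatically on raw NTP payloads. This is an added example, not code from the thread: the function names are hypothetical, the sample packets are constructed from the flag fields, key id and authenticator printed in the tcpdump output with timestamps zeroed, and the key id is read big-endian on the assumption that this is how tcpdump printed it. It only checks that an authenticator is present and matches the request's key id; it does not verify the MAC itself.

```python
import struct

HEADER_LEN, KEYID_LEN, MAC_LEN = 48, 4, 16   # 48 + 4 + 16 = the 68-byte packets in the capture


def parse_ntp(payload: bytes) -> dict:
    """Decode the fields needed to judge whether an NTP packet is signed."""
    if len(payload) < HEADER_LEN:
        raise ValueError("shorter than the 48-byte NTP header")
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    info = {"leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "key_id": None, "mac": None}
    trailer = payload[HEADER_LEN:]
    if len(trailer) >= KEYID_LEN:
        # Big-endian so the number matches the tcpdump output (assumption).
        info["key_id"] = struct.unpack("!I", trailer[:KEYID_LEN])[0]
    if len(trailer) == KEYID_LEN + MAC_LEN:
        info["mac"] = trailer[KEYID_LEN:]
    return info


def check_exchange(request: bytes, response: bytes) -> str:
    """Return 'signed', or the reason the reply does not count as signed."""
    req, rsp = parse_ntp(request), parse_ntp(response)
    if req["mode"] != 3 or rsp["mode"] != 4:
        return "not a client/server pair"
    if req["key_id"] is None:
        return "client did not request authentication"
    if rsp["mac"] is None:
        return "unsigned: reply has no authenticator"
    if rsp["key_id"] != req["key_id"]:
        return "unsigned: key id does not match request"
    if rsp["mac"] == bytes(MAC_LEN):
        return "unsigned: authenticator is all zero"
    return "signed"


def build(leap, mode, stratum, poll, precision, trailer=b""):
    # Constructed sample packet: NTPv3 flag fields as captured, timestamps zeroed.
    flags = (leap << 6) | (3 << 3) | mode
    return struct.pack("!BBbb", flags, stratum, poll, precision) + bytes(44) + trailer


# Constructed from the values shown in the tcpdump output above.
KEY = struct.pack("!I", 1711538176)
REQUEST = build(3, 3, 0, 7, -23, KEY + bytes(MAC_LEN))        # client, zero MAC
BAD_REPLY = build(0, 4, 3, 7, -19, struct.pack("!I", 0))      # 52 bytes, key id 0
GOOD_REPLY = build(0, 4, 2, 14, -20,
                   KEY + bytes.fromhex("b142fcd974cf6a07576159effc2101f0"))
```
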
 
Old 02-12-2024, 12:38 AM   #4
henca
Senior Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 1,017

Quote:
Originally Posted by mfoley
I tried building ntpd from sources with --enable-ntp-signd. Same result.
Whether or not that option was there in the original SlackBuild script, it obviously does not help.

Quote:
Originally Posted by mfoley
If Slackware 15.0 ntpd is built with --enable-ntp-signd, it's not working. When I built the ntpd sources on 14.2 with --enable-ntp-signd it worked and ran properly for many years.
What if you build the same version as used in Slackware 14.2 for Slackware 15.0? Maybe something has broken upstream in ntpd?

Quote:
Originally Posted by mfoley
I finally downloaded the chrony sources and built that with --enable-ntp-signd and that's what gave the reply packet shown above.
At least you have found a solution to your problem.

regards Henrik
 
Old 02-12-2024, 07:24 AM   #5
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,384

@mfoley - Just curious. You posted a solution for this using ntp that seems to gel with the Samba wiki page that you linked then and that was last updated 27 October 2023, at 15:58.

Slackware 15.0 has been out for a while now, so I am a little surprised that there have been no other reports of this not working.

If you have been trying NTPsec, then the links on the Samba wiki page show that this has been a known issue that may have been fixed in release 1.2.3
 
Old 02-12-2024, 03:39 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,624

Original Poster
Quote:
Originally Posted by allend
@mfoley - Just curious. You posted a solution for this using ntp that seems to gel with the Samba wiki page that you linked then and that was last updated 27 October 2023, at 15:58.
Your referenced post is from Nov 20, 2020, which is when our office upgraded to Windows 10. This was still Slackware 14.2. Windows 10 was probably the first version that needed signd. My old 14.2 DC shows that I downloaded and built ntp-4.2.8p15 with --enable-ntp-signd on Nov 21, 2020. The actual error in that post is me messing up the ntp.conf by adding the "socket" to the ntpsigndsocket setting instead of just the directory /var/lib/samba/ntp_signd. If you look at posting #4 in that thread, it gives my solution, in which step 1 says, "I had to build ntpd from sources with --enable-ntp-signd."

I see that thread ending Nov 21, 2020, not Oct, 2023.
Quote:
Slackware 15.0 has been out for a while now, so I am a little surprised that there have been no other reports of this not working.

If you have been trying NTPsec, then the links on the Samba wiki page show that this has been a known issue that may have been fixed in release 1.2.3
Nope, not using NTPsec. I started with the ntpd as installed from the 15.0 ISO image -- clean install, not an upgrade from 14.2. When that didn't work I then downloaded the ntpd-4.2.8p17 sources from http://www.ntp.org, just like I did years ago with 14.2. I built that (or so I thought) with --enable-ntp-signd. When that didn't work, I built it again. I'll allow that it is possible that I messed something up on the build, but I've done that before without problem. Failing all that, I copied an unmodified ntpd from another up-to-date 15.0 system. That didn't work either.

On the 14.2 system, I could check syslog and I would get one of two messages:
Code:
(If built with --enable-ntp-signd)
# grep ntpd /var/log/syslog
Nov 19 01:50:14 mail ntpd[17169]: MS-SNTP signd operations currently block ntpd degrading service to all clients.

(If not built with --enable-ntp-signd)
Nov 19 01:40:33 mail ntpd[10076]: mssntp restrict bit ignored, 
  this ntpd was configured without --enable-ntp-signd.
With 15.0 I got neither of those messages. I got no joy until I downloaded chrony sources and built with --enable-ntp-signd.

I can't explain why no one else has reported this unless a) no one else has tried setting up a Slackware 15.0 domain controller with Windows members, b) for those who have built such a DC, no one has actually checked the Windows member with 'w32tm /query /source' to see if the Windows computer is actually time-syncing with the DC, or c) my system is somehow different from everyone else who has created a DC with Windows members.

If you have such a domain configured, or if any reader of this thread does, please run 'w32tm /query /source' on one of your Windows domain members and post back the results (assuming you're running the as-shipped Samba 15.0 ntpd).

Last edited by mfoley; 02-12-2024 at 04:13 PM.
 
1 members found this post helpful.
Old 02-13-2024, 05:54 AM   #7
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,384

The date I quoted was for the Samba wiki page.

I was wanting to check that you had followed the steps that had previously worked for you.

Like I said, just curious. My days of getting Windows and Linux to play nice are thankfully over.
When I am in a masochistic frame of mind, I will boot a Windows 10 install and update it, attempting to guess what is happening and how long it will take.

Thanks for the detailed reply and sharing your solution. Good fortune to you.
 
  


Tags
chrony, ntpd, signd, slackware 15.0


