Bug 57147 – rdate via SNTP doesn't receive an answer in UCS 5.2-0 alpha

Bug 57147 - rdate via SNTP doesn't receive an answer in UCS 5.2-0 alpha


Summary:	rdate via SNTP doesn't receive an answer in UCS 5.2-0 alpha

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	NTP
Version:	UCS 5.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 5.2
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:	56661
Blocks:
	Show dependency tree / graph

Reported:	2024-03-14 12:45 CET by Arvid Requate
Modified:	2024-03-15 19:18 CET (History)
CC List:	1 user (show)

See Also:	24953 56661 chrony
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2024-03-14 12:45:00 CET

This hangs in UCS 5.2-0 alpha:

root@backup81:~# rdate -np 10.200.8.80  ## the primary
rdate: Not enough valid responses received in time
rdate: Unable to get a reasonable time estimate

Simple attempts at fixing like restarting ntpd, samba or disabling univention-firewall didn't help. Also didn't see obvious error messages in syslog of the primary.

Comment 1 Philipp Hahn

2024-03-14 16:57:14 CET

<man:rdate(1)>
TIME → [RFC 868](https://datatracker.ietf.org/doc/html/rfc868) → UDP/TCP port 37
NTP → [RFC 958](https://datatracker.ietf.org/doc/html/rfc958) → UDP port 123
SNTP → [RFC 2030](https://datatracker.ietf.org/doc/html/rfc2030) → UDP/TCP port 123

$ getent services 37
time                  37/tcp timserver
$ getent services ntp
ntp                   123/udp

# journalctl -u ntpsec -g SNTP
Feb 15 09:38:18 dc30 ntpd[1141564]: CONFIG: MS-SNTP signd operations currently block ntpd degrading service to all clients.

# grep -n restrict /etc/ntpsec/ntp.conf
31:restrict default mssntp noquery
                    ^^^^^^
32:restrict 127.0.0.1
33:restrict ::1

It works™ after after removing the "mssntp":

# rdate -np 10.200.17.30
rdate: Ignoring NTP server with alarm flag set
rdate: Unable to get a reasonable time estimate

Comment 2 Arvid Requate

2024-03-14 21:49:23 CET

Sure, we need mssntp to deliver AD DC behavior for Windows clients.
The question is, what changed with respect to UCS 5.0-6, where the
"rdate -n" check for SNTP still works.

Comment 3 Marius Meschter

2024-03-15 15:07:05 CET

In Debian 12 ntp has been replaced by ntpsec. Ntpsec claims "almost full compatibility and interoperation with NTP Classic", however some differences are pointed out in this page: https://docs.ntpsec.org/latest/ntpsec.html

Comment 4 Arvid Requate

2024-03-15 19:05:08 CET

https://wiki.samba.org/index.php/Time_Synchronisation has the warning

> It has been reported that ntpsec will not work with Samba. There is Debian bug report
>  here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033088 and the corresponding
> NTPsec issue here: https://gitlab.com/NTPsec/ntpsec/-/issues/785 . Until this note has
> been removed, it is recommended that only Chrony is used.

And there's https://groups.google.com/g/linux.debian.bugs.dist/c/x-ynMEPUxzs

Comment 5 Arvid Requate

2024-03-15 19:18:36 CET

Looking back at Philipps analysis https://forge.univention.org/bugzilla/show_bug.cgi?id=47939#c7
maybe chrony is the way forward. ntpsec breaking Samba/AD DC functionality is not an option IMHO.