Univention Bugzilla – Bug 57147
rdate via SNTP doesn't receive an answer in UCS 5.2-0 alpha
Last modified: 2024-03-15 19:18:36 CET
This hangs in UCS 5.2-0 alpha: root@backup81:~# rdate -np 10.200.8.80 ## the primary rdate: Not enough valid responses received in time rdate: Unable to get a reasonable time estimate Simple attempts at fixing like restarting ntpd, samba or disabling univention-firewall didn't help. Also didn't see obvious error messages in syslog of the primary.
<man:rdate(1)> TIME → [RFC 868](https://datatracker.ietf.org/doc/html/rfc868) → UDP/TCP port 37 NTP → [RFC 958](https://datatracker.ietf.org/doc/html/rfc958) → UDP port 123 SNTP → [RFC 2030](https://datatracker.ietf.org/doc/html/rfc2030) → UDP/TCP port 123 $ getent services 37 time 37/tcp timserver $ getent services ntp ntp 123/udp # journalctl -u ntpsec -g SNTP Feb 15 09:38:18 dc30 ntpd[1141564]: CONFIG: MS-SNTP signd operations currently block ntpd degrading service to all clients. # grep -n restrict /etc/ntpsec/ntp.conf 31:restrict default mssntp noquery ^^^^^^ 32:restrict 127.0.0.1 33:restrict ::1 It works™ after after removing the "mssntp": # rdate -np 10.200.17.30 rdate: Ignoring NTP server with alarm flag set rdate: Unable to get a reasonable time estimate
Sure, we need mssntp to deliver AD DC behavior for Windows clients. The question is, what changed with respect to UCS 5.0-6, where the "rdate -n" check for SNTP still works.
In Debian 12 ntp has been replaced by ntpsec. Ntpsec claims "almost full compatibility and interoperation with NTP Classic", however some differences are pointed out in this page: https://docs.ntpsec.org/latest/ntpsec.html
https://wiki.samba.org/index.php/Time_Synchronisation has the warning > It has been reported that ntpsec will not work with Samba. There is Debian bug report > here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033088 and the corresponding > NTPsec issue here: https://gitlab.com/NTPsec/ntpsec/-/issues/785 . Until this note has > been removed, it is recommended that only Chrony is used. And there's https://groups.google.com/g/linux.debian.bugs.dist/c/x-ynMEPUxzs
Looking back at Philipps analysis https://forge.univention.org/bugzilla/show_bug.cgi?id=47939#c7 maybe chrony is the way forward. ntpsec breaking Samba/AD DC functionality is not an option IMHO.