Package: samba
Version: 2:4.9.5+dfsg-5+deb10u1
Severity: important
File: samba4

Dear Maintainer,

when using samba as pdc with ntpd, time synchronisation on windows clients fails because ntp cannot write to /var/lib/samba/ntp_signd/socket.

Following the descriptions on https://wiki.samba.org/index.php/Time_Synchronisation samba should provide time to windows clients. However, doing "w32tm /resync /rediscover" on a windows client yields an error "no time data available". Further investigation with strace found the following on the pdc when w32tm was run on the client:

[pid 9063] 19:08:52 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 9063] 19:08:52 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid 9063] 19:08:52 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid 9063] 19:08:52 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\316,\220\201\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802932, tv_nsec=860702542}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid 9063] 19:08:52 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid 9063] 19:08:52 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid 9063] 19:08:52 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = -1 EACCES (Permission denied)
[pid 9063] 19:08:52 close(7) = 0

Clearly ntp cannot access the socket which produces the error on the client.

Doing a

#chmod g+w /var/lib/samba/ntp_signd/socket

resulted in the following on the pdc when w32tm was run on the client:

[pid 9075] 19:09:55 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 9075] 19:09:55 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid 9075] 19:09:55 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid 9075] 19:09:55 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\3169q:\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802995, tv_nsec=938174583}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid 9075] 19:09:55 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid 9075] 19:09:55 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid 9075] 19:09:55 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = 0
[pid 9075] 19:09:55 write(7, "\0\0\0@", 4) = 4
[pid 9075] 19:09:55 write(7, "\0\0\0\0\0\0\0\0\1\0\0\0\210\5\0\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252"..., 64) = 64
[pid 9075] 19:09:55 read(7, "\0\0\0P", 4) = 4
[pid 9075] 19:09:55 read(7, "\0\0\0\0\0\0\0\3\0\0\1\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332"..., 80) = 80
[pid 9075] 19:09:55 sendto(19, "\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332X?\336\333\341\324_\363\346I\372\37"..., 68, 0, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, 16) = 68
[pid 9075] 19:09:55 close(7) = 0

Now ntp can access the socket and the client gets the new time. But this is only a temporary fix. When samba is restarted it sets the permissions on /var/lib/samba/ntp_signd/socket back to the ones found below. This appears to be not the intended behavior since clients in a domain should be able to query the pdc for time.

Cheers
Jens

#ll /var/lib/samba/
...
drwxr-x---+ 2 root ntp 4096 Jan 23 19:20 ntp_signd
...

#ll /var/lib/samba/ntp_signd
srwxr-xr-x 1 root root 0 Jan 23 19:20 socket

#getent group | grep ntp
ntp:x:120:ntp

== ntp.conf ==
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/

# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
server 2.pool.ntp.org iburst prefer

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

tinker panic 0
==

==
== smb.conf ==
# Global parameters
[global]
    log level = 1
    os level = 200
    interfaces = ens3 lo
    workgroup = ...
    realm = ...
    netbios name = AUTH
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    winbind use default domain = yes
    preferred master = yes
    local master = yes
    log file = /var/log/samba/log.%m
    panic action = /usr/share/samba/panic-action %d
    #may be hardcoded for ad pdc
    time server = Yes
    map acl inherit = Yes
    ## ssl
    tls enabled = yes
    tls certfile = /etc/ssl/cert/...
    tls keyfile = /etc/ssl/private/...
    tls cafile = /etc/ssl/certs/...
    usershare path =

[netlogon]
    path = /var/lib/samba/sysvol/...
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
==

-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.19.7
ii libbsd0 0.9.1-2
ii libc6 2.28-10
ii libldb1 2:1.5.1+really1.4.6-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpopt0 1.16-12
ii libpython2.7 2.7.16-2+deb10u1
ii libtalloc2 2.1.14-2
ii libtdb1 1.3.16-2+b1
ii libtevent0 0.9.37-1
ii lsb-base 10.2019051400
ii procps 2:3.3.15-2
ii python 2.7.16-1
ii python-dnspython 1.16.0-1
ii python-samba 2:4.9.5+dfsg-5+deb10u1
ii python2.7 2.7.16-2+deb10u1
ii samba-common 2:4.9.5+dfsg-5+deb10u1
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1
ii samba-libs 2:4.9.5+dfsg-5+deb10u1
ii tdb-tools 1.3.16-2+b1

Versions of packages samba recommends:
ii attr 1:2.4.48-4
ii logrotate 3.14.0-4
ii samba-dsdb-modules 2:4.9.5+dfsg-5+deb10u1
ii samba-vfs-modules 2:4.9.5+dfsg-5+deb10u1

Versions of packages samba suggests:
ii bind9 1:9.11.5.P4+dfsg-5.1
ii bind9utils 1:9.11.5.P4+dfsg-5.1
pn ctdb <none>
pn ldb-tools <none>
ii ntp 1:4.2.8p12+dfsg-4
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.9.5+dfsg-5+deb10u1

-- no debconf information
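
Added example, not part of the original report and not Samba or ntp code: a Python check of the mode-bit rules Linux applies to connect() on a pathname Unix socket (search permission on the containing directory, write permission on the socket), fed with the owners and modes from the listings in the report. The uid 999 for the ntp user and ntpd running with group ntp only are assumptions; POSIX ACLs (the "+" on the directory) are not evaluated.

```python
import os
import stat

def perm_bits(mode, owner, group, uid, gids):
    """rwx bits (0-7) that the classic Unix mode bits grant to uid/gids."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def connect_denials(dir_meta, sock_meta, uid, gids):
    """Return the reasons connect() would fail with EACCES; [] means allowed.

    Each *_meta is (mode, owner_uid, group_gid). Only the socket's own
    directory is checked, not its ancestors, and ACLs are ignored.
    """
    if uid == 0:  # root bypasses mode-bit checks (CAP_DAC_OVERRIDE)
        return []
    reasons = []
    if not perm_bits(*dir_meta, uid, gids) & 1:
        reasons.append("no search (x) permission on directory")
    if not perm_bits(*sock_meta, uid, gids) & 2:
        reasons.append("no write (w) permission on socket")
    return reasons

def meta_of(path):
    """(mode, uid, gid) of a real path, for use on a live system."""
    st = os.lstat(path)
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def check_socket(sock_path, uid, gids):
    """Evaluate a socket on disk for the given credentials."""
    sock_path = os.path.abspath(sock_path)
    return connect_denials(meta_of(os.path.dirname(sock_path)),
                           meta_of(sock_path), uid, gids)

NTP_GID = 120                      # from the getent output in the report
NTP_UID = 999                      # assumption: not shown in the report
REPORT_DIR = (0o750, 0, NTP_GID)   # drwxr-x--- root ntp  ntp_signd
REPORT_SOCK = (0o755, 0, 0)        # srwxr-xr-x root root socket

if __name__ == "__main__":
    print(connect_denials(REPORT_DIR, REPORT_SOCK, NTP_UID, {NTP_GID}))
```

On a live system, check_socket("/var/lib/samba/ntp_signd/socket", uid, gids) runs the same check against the real inode, with uid and gids taken from the ntpd process.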

