Hi Martin Thanks very much for this reply. I did stop the AppArmor service:
service apparmor stop but this made no change in the behavior. Here's what I see when I start ntpd interactively with two levels of debugging (below) (for security reasons, I changed the name of the company-internal ntp server to REDACTED). And, again, a 'nslookup' of thentp server hostname completes without error. Maybe I should note that /etc/resolv.conf on this system has two entries; the second DNS server is the one that can resolve the ntp server hostname. But that shouldn't matter, right? Ntpd should be able to do a DNS lookup from a second DNS server, I hope. This same setup does work correctly on my other SLES 12 SP2 system. Thoughts? Thanks tl lava93109:~ # /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d & [1] 63154 lava93109:~ # 11 Jun 08:05:15 ntpd[63154]: ntpd 4.2.8p13@1.3847-o Wed Mar 13 12:24:30 UTC 2019 (1): Starting 11 Jun 08:05:15 ntpd[63154]: Command line: /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d ntp_rlimit: STACK: 50 4k pages ntp_rlimit: MEMLOCK: -1 MB 11 Jun 08:05:15 ntpd[63154]: set_process_priority: Leave priority alone: priority_done is <2> 11 Jun 08:05:15 ntpd[63154]: proto: precision = 0.077 usec (-24) Finished Parsing!! 11 Jun 08:05:15 ntpd[63154]: basedate set to 2019-03-01 11 Jun 08:05:15 ntpd[63154]: gps base set to 2019-03-03 (week 2043) create_sockets(123) move_fd: estimated max descriptors: 1024, initial socket boundary: 16 11 Jun 08:05:15 ntpd[63154]: Listen and drop on 0 v6wildcard [::]:123 created interface #0: fd=16, bfd=-1, name=v6wildcard, flags=0x81, ifindex=0, sin=::, Disabled: 11 Jun 08:05:15 ntpd[63154]: Listen and drop on 1 v4wildcard 0.0.0.0:123 created interface #1: fd=17, bfd=-1, name=v4wildcard, flags=0x89, ifindex=0, sin=0.0.0.0, bcast=0.0.0.0, mask=255.255.255.255, Disable create_interface(127.0.0.1#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 2 lo 127.0.0.1:123 hack_restrict: op RESTRICT_FLAGS addr 127.0.0.1 mask 255.255.255.255 ippeerlimit -4 mflags 00003000 rflags 00000001 created interface #2: fd=18, bfd=-1, name=lo, flags=0x5, ifindex=1, sin=127.0.0.1, mask=255.0.0.0, Enabled: create_interface(10.7.93.109#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 3 eth0 10.7.93.109:123 hack_restrict: op RESTRICT_FLAGS addr 10.7.93.109 mask 255.255.255.255 ippeerlimit -4 mflags 00003000 rflags 00000001 created interface #3: fd=19, bfd=-1, name=eth0, flags=0x19, ifindex=2, sin=10.7.93.109, bcast=10.7.93.255, mask=255.255.255.0, Enabled create_interface(::1#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 4 lo [::1]:123 hack_restrict: op RESTRICT_FLAGS addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mflags 00003000 rflags 00000001 created interface #4: fd=20, bfd=-1, name=lo, flags=0x5, ifindex=1, sin=::1, Enabled: create_interface(2620:0:170:70d:2ce0:9284:5d16:a96b#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 5 eth0 [2620:0:170:70d:2ce0:9284:5d16:a96b]:123 hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:2ce0:9284:5d16:a96b mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 m003000 rflags 00000001 created interface #5: fd=21, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:2ce0:9284:5d16:a96b, Enabled: create_interface(2620:0:170:70d:5024:590:fb36:cb75#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 6 eth0 [2620:0:170:70d:5024:590:fb36:cb75]:123 hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:5024:590:fb36:cb75 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mf03000 rflags 00000001 created interface #6: fd=22, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:5024:590:fb36:cb75, Enabled: create_interface(2620:0:170:70d:250:56ff:fe8a:24b3#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 7 eth0 [2620:0:170:70d:250:56ff:fe8a:24b3]:123 hack_restrict: op RESTRICT_FLAGS addr 2620:0:170:70d:250:56ff:fe8a:24b3 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mf03000 rflags 00000001 created interface #7: fd=23, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=2620:0:170:70d:250:56ff:fe8a:24b3, Enabled: create_interface(fe80::250:56ff:fe8a:24b3%2#123) 11 Jun 08:05:15 ntpd[63154]: Listen normally on 8 eth0 [fe80::250:56ff:fe8a:24b3%2]:123 hack_restrict: op RESTRICT_FLAGS addr fe80::250:56ff:fe8a:24b3%2 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -4 mflags 00flags 00000001 created interface #8: fd=24, bfd=-1, name=eth0, flags=0x11, ifindex=2, sin=fe80::250:56ff:fe8a:24b3%2, Enabled: create_sockets: Total interfaces = 9 11 Jun 08:05:15 ntpd[63154]: Listening on routing socket on fd #25 for interface updates forked worker child (pid 63155) dump_restrict: restrict_def4: 0x55c222216000 restrict node at 0x55c222216000: 0.0.0.0/0.0.0.0 count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil) dump_restrict: restrict_def6: 0x55c222215fc0 restrict node at 0x55c222215fc0: ::/:: count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil) dump_restrict: restrictlist4: 0x55c222262f80 restrict node at 0x55c222b5ff20: 127.0.0.1/255.255.255.255 count 0, rflags 00001, mflags 03000, ippeerlimit -4, expire 0, next 0x55c22 restrict node at 0x55c222b5ff48: 10.7.93.109/255.255.255.255 count 0, rflags 00001, mflags 03000, ippeerlimit -4, expire 0, next 0x55c0 restrict node at 0x55c222216000: 0.0.0.0/0.0.0.0 count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil) dump_restrict: restrictlist6: 0x55c222262f88 restrict node at 0x55c222b60f80: fe80::250:56ff:fe8a:24b3/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mflags 03000,imit -4, expire 0, next 0x55c222b60f00 restrict node at 0x55c222b60f00: 2620:0:170:70d:5024:590:fb36:cb75/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfla, ippeerlimit -4, expire 0, next 0x55c222b60ec0 restrict node at 0x55c222b60ec0: 2620:0:170:70d:2ce0:9284:5d16:a96b/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfl0, ippeerlimit -4, expire 0, next 0x55c222b60f40 restrict node at 0x55c222b60f40: 2620:0:170:70d:250:56ff:fe8a:24b3/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mfla, ippeerlimit -4, expire 0, next 0x55c222b60e80 restrict node at 0x55c222b60e80: ::1/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff count 0, rflags 00001, mflags 03000, ippeerlimit -4, expixt 0x55c222215fc0 restrict node at 0x55c222215fc0: ::/:: count 0, rflags 00000, mflags 00000, ippeerlimit -1, expire 0, next (nil) loop_config: item 1 freq 0.000000 kernel loop status 0x41 (Clock Unsynchronized) 11 Jun 08:05:15 ntpd[63154]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled kernel loop status 0x41 (Clock Unsynchronized) 11 Jun 08:05:15 ntpd[63154]: kernel reports TIME_ERROR: 0x41: Clock Unsynchronized event at 0 0.0.0.0 c012 02 freq_set kernel 0.000 PPM rstclock: mu 0 state 1 poll 3 count 0 event at 0 0.0.0.0 c011 01 freq_not_set event at 0 0.0.0.0 c016 06 restart blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 blocking_getaddrinfo given node localhost serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:17 scheduled at 08:05:15 (>= 17:00:00) auth_agekeys: at 1 keys 1 expired 0 timer: interface update blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:20 scheduled at 08:05:17 (>= 17:00:00) blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:24 scheduled at 08:05:20 (>= 17:00:00) blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:30 scheduled at 08:05:24 (>= 17:00:00) blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:38 scheduled at 08:05:30 (>= 17:00:00) blocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:05:50 scheduled at 08:05:38 (>= 17:00:00) timer: interface update fgblocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 intres: resolver returned: Temporary failure in name resolution (-3), retrying sleep until 08:06:06 scheduled at 08:05:50 (>= 17:00:00) /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -c /etc/ntp.conf -d -d ^C11 Jun 08:05:53 ntpd[63154]: ntpd exiting on signal 2 (Interrupt) event at 37 0.0.0.0 c01d 0d kern kernel time sync disabled lava93109:~ # service apparmor stopblocking_getaddrinfo given node REDACTED serv ntp fam 0 flags 0 send_blocking_resp_internal: short write (0 of 64), Broken pipe 11 Jun 08:06:07 ntp_intres[63155]: blocking_getaddrinfo can not queue response -----Original Message----- From: Martin Burnicki <martin.burni...@burnicki.net> Sent: Wednesday, June 10, 2020 5:42 PM To: Lemons, Terry; questions@lists.ntp.org Subject: Re: [ntp:questions] 'Temporary failure in name resolution' ntpd error [EXTERNAL EMAIL] Hi, terry.lem...@dell.com wrote: > Hi > > I'm trying to diagnose a ntp problem with two systems in my environment. On > one system, ntp works correctly whether I specify the ntp server via hostname > or IP address. On the other system, ntp works correctly when I specify the > ntp server via IP address; but when I specify the ntp server via hostname, > the ntp service starts, but 'ntpq -p' returns "No association ID's returned". > When I run ntpd interactively with two level of debugging, I see the message, > "intres: resolver returned: Temporary failure in name resolution (-3), > retrying sleep until 13:09:55 scheduled at 13:09:53 (>= 17:00:00)" > > I'm trying to understand the difference in behavior between these two systems: > > > * Both systems are running SLES 12 SP2 > * Both systems are running ntp-4.2.8p13-85.1.x86_64 > * Both system have the same servers listed in /etc/resolv.conf > * Both system can resolve the hostname of the ntp server via 'nslookup' > * One system has been hardened (including the use of apparmor); on this > system, ntp no longer works correctly > * The other system has not been hardened; on this system, ntp works > correctly > > Why does ntpd have a problem with name resolution on one of these systems? >From what you said above, it sounds like AppArmor prevents ntpd from doing a >DNS lookup. In the past there could be problems when AppArmor prevented ntpd from accessing specific devices that represented hardware refclocks, e.g. a GPS receiver. Yet I've never heard that it could or did deny DNS lookups. It should be easy to check this, though, if you temporarily disable AppArmor, then see if ntpd can do the DNS lookup. If that works you should compare the AppArmor configuration for ntpd on both machines. I'm not so familiar with AppArmor that I could tell you how to tweak the configuration so that it works. Martin _______________________________________________ questions mailing list questions@lists.ntp.org http://lists.ntp.org/listinfo/questions
