Your message dated Mon, 31 Oct 2022 13:24:44 +0300
with message-id <[email protected]>
and subject line Re: samba4: samba 4 with ntpd wrong permission on 
/var/lib/samba/ntp_signd/socket
has caused the Debian Bug report #949697,
regarding samba4: samba 4 with ntpd wrong permission on 
/var/lib/samba/ntp_signd/socket
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
949697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949697
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba
Version: 2:4.9.5+dfsg-5+deb10u1
Severity: important
File: samba4

Dear Maintainer,

when using samba as pdc with ntpd time synchronisation on windows clients
fails because ntp cannot write to /var/lib/samba/ntp_signd/socket.

Following the descriptions on 
https://wiki.samba.org/index.php/Time_Synchronisation
samba should provide time to windows clients.

However, doing "w32tm /resync /rediscover" on a windows client yields an
error "no time data available".

Further investigation with strace found the following on the pdc when w32tm was 
run on the client:

[pid  9063] 19:08:52 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid  9063] 19:08:52 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid  9063] 19:08:52 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid  9063] 19:08:52 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\316,\220\201\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802932, tv_nsec=860702542}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid  9063] 19:08:52 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid  9063] 19:08:52 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid  9063] 19:08:52 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = -1 EACCES (Permission denied)
[pid  9063] 19:08:52 close(7)           = 0

Clearly ntp cannot access the socket which produces the error on the client.


Doing a
#chmod g+w /var/lib/samba/ntp_signd/socket
resulted in the following on the pdc when w32tm was run on the client:

[pid  9075] 19:09:55 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid  9075] 19:09:55 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid  9075] 19:09:55 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid  9075] 19:09:55 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\3169q:\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802995, tv_nsec=938174583}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid  9075] 19:09:55 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid  9075] 19:09:55 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid  9075] 19:09:55 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = 0
[pid  9075] 19:09:55 write(7, "\0\0\0@", 4) = 4
[pid  9075] 19:09:55 write(7, "\0\0\0\0\0\0\0\0\1\0\0\0\210\5\0\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252"..., 64) = 64
[pid  9075] 19:09:55 read(7, "\0\0\0P", 4) = 4
[pid  9075] 19:09:55 read(7, "\0\0\0\0\0\0\0\3\0\0\1\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332"..., 80) = 80
[pid  9075] 19:09:55 sendto(19, "\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332X?\336\333\341\324_\363\346I\372\37"..., 68, 0, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, 16) = 68
[pid  9075] 19:09:55 close(7)           = 0

Now ntp can access the socket and the client gets the new time.  But this is 
only a temporary fix.
When samba is restarted it sets the permissions on
/var/lib/samba/ntp_signd/socket back to the ones found below.

This appears to be not the intended behavior since clients in a domain
should be able to query the pdc for time.

Cheers Jens


#ll /var/lib/samba/
...
drwxr-x---+  2 root ntp             4096 Jan 23 19:20 ntp_signd
...

#ll /var/lib/samba/ntp_signd
srwxr-xr-x 1 root root 0 Jan 23 19:20 socket


#getent group | grep ntp
ntp:x:120:ntp


== ntp.conf ==
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp
ntpsigndsocket  /var/lib/samba/ntp_signd/

# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server 0.pool.ntp.org     iburst prefer
server 1.pool.ntp.org     iburst prefer
server 2.pool.ntp.org     iburst prefer

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 1.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 2.pool.ntp.org   mask 255.255.255.255    nomodify notrap nopeer noquery

tinker panic 0
== ==




== smb.conf ==
# Global parameters
[global]
log level = 1
os level = 200
interfaces = ens3 lo

workgroup = ...
realm = ...
netbios name = AUTH
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, 
ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes

preferred master = yes
local master = yes

log file = /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d

#may be hardcoded for ad pdc
time server = Yes
map acl inherit = Yes

## ssl
tls enabled  = yes
tls certfile = /etc/ssl/cert/...
tls keyfile  = /etc/ssl/private/...
tls cafile   = /etc/ssl/certs/...

usershare path =

[netlogon]
path = /var/lib/samba/sysvol/...
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
==


-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libbsd0           0.9.1-2
ii  libc6             2.28-10
ii  libldb1           2:1.5.1+really1.4.6-3
ii  libpam-modules    1.3.1-5
ii  libpam-runtime    1.3.1-5
ii  libpopt0          1.16-12
ii  libpython2.7      2.7.16-2+deb10u1
ii  libtalloc2        2.1.14-2
ii  libtdb1           1.3.16-2+b1
ii  libtevent0        0.9.37-1
ii  lsb-base          10.2019051400
ii  procps            2:3.3.15-2
ii  python            2.7.16-1
ii  python-dnspython  1.16.0-1
ii  python-samba      2:4.9.5+dfsg-5+deb10u1
ii  python2.7         2.7.16-2+deb10u1
ii  samba-common      2:4.9.5+dfsg-5+deb10u1
ii  samba-common-bin  2:4.9.5+dfsg-5+deb10u1
ii  samba-libs        2:4.9.5+dfsg-5+deb10u1
ii  tdb-tools         1.3.16-2+b1

Versions of packages samba recommends:
ii  attr                1:2.4.48-4
ii  logrotate           3.14.0-4
ii  samba-dsdb-modules  2:4.9.5+dfsg-5+deb10u1
ii  samba-vfs-modules   2:4.9.5+dfsg-5+deb10u1

Versions of packages samba suggests:
ii  bind9          1:9.11.5.P4+dfsg-5.1
ii  bind9utils     1:9.11.5.P4+dfsg-5.1
pn  ctdb           <none>
pn  ldb-tools      <none>
ii  ntp            1:4.2.8p12+dfsg-4
pn  smbldap-tools  <none>
pn  ufw            <none>
ii  winbind        2:4.9.5+dfsg-5+deb10u1

-- no debconf information

--- End Message ---
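The failure in the report comes down to two ordinary Unix rules: connect(2) on an AF_UNIX socket needs search (x) permission on every directory in the path and write (w) permission on the socket inode itself, and a socket created by bind(2) gets mode 0777 & ~umask, so the usual umask of 022 yields exactly the srwxr-xr-x root root shown in the report. The Python script below is added here as an example; it is not part of the bug report, of Debian's packaging or of Samba. It rebuilds that situation in a temporary directory, evaluates the classic mode-bit checks for a made-up ntpd uid, and shows that the report's chmod g+w is what flips the verdict. The socket path, the uid 12345 and the use of the directory's own group as a stand-in for "ntp" are assumptions, and POSIX ACLs (the "+" on the ntp_signd directory in the report) are deliberately ignored.

```python
"""Added example: why ntpd gets EACCES on /var/lib/samba/ntp_signd/socket.

Models the kernel's DAC checks for connect(2) on a Unix socket and reproduces
the report's permissions in a temp directory.  Assumptions: uid 12345 stands in
for the ntp user, the temp dir's own group stands in for the ntp group, and
POSIX ACLs are not evaluated (only the classic rwx bits are).
"""
import os
import socket
import stat
import tempfile

R, W, X = 4, 2, 1  # permission bits as they appear in the "other" triplet


def _allowed(st, uid, gid, groups, want):
    """Classic Unix DAC: does (uid, gid, groups) hold bit `want` on inode `st`?"""
    if uid == 0:
        return True  # root bypasses the mode-bit check (CAP_DAC_OVERRIDE)
    if st.st_uid == uid:
        shift = 6  # owner triplet
    elif st.st_gid == gid or st.st_gid in groups:
        shift = 3  # group triplet
    else:
        shift = 0  # other triplet
    return bool(st.st_mode & (want << shift))


def can_connect(path, uid, gid, groups=(), base=os.sep):
    """Return (ok, reason) for a connect(2) on Unix socket `path` by the given
    credentials.  The kernel needs x on every directory on the way down and w
    on the socket inode; directories above `base` are assumed traversable."""
    path = os.path.abspath(path)
    base = os.path.abspath(base)
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append(cur)
        if cur in (base, os.sep):
            break
        cur = os.path.dirname(cur)
    for d in reversed(dirs):
        st = os.stat(d)
        if not _allowed(st, uid, gid, groups, X):
            return False, "no search (x) permission on %s (mode %04o, owner %d:%d)" % (
                d, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s is not a socket" % path
    if not _allowed(st, uid, gid, groups, W):
        return False, "no write (w) permission on socket %s (mode %04o, owner %d:%d)" % (
            path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return True, "ok"


def create_socket_like_report(directory, umask=0o022):
    """Bind a listening Unix socket under `umask`.  bind(2) creates the inode
    with mode 0777 & ~umask, so 022 gives srwxr-xr-x: group and other lack the
    write bit that connect(2) requires."""
    path = os.path.join(directory, "socket")
    old = os.umask(umask)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
    finally:
        os.umask(old)
    return srv, path


def demo():
    """Rebuild the report's situation and return the verdicts before and after
    the reporter's `chmod g+w`, plus the verdict for root."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)           # like the report's drwxr-x--- root:ntp
        ntp_gid = os.stat(d).st_gid  # assumption: this group plays "ntp"
        ntp_uid = 12345              # assumption: fictitious uid for ntpd
        srv, path = create_socket_like_report(d)
        try:
            before = can_connect(path, ntp_uid, ntp_gid, base=d)
            os.chmod(path, 0o775)    # the report's temporary fix: chmod g+w
            after = can_connect(path, ntp_uid, ntp_gid, base=d)
            as_root = can_connect(path, 0, 0, base=d)
        finally:
            srv.close()
    return {"before": before[0], "why": before[1],
            "after": after[0], "root": as_root[0]}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-7s %s" % (key, value))
```

On the real host the same check is can_connect("/var/lib/samba/ntp_signd/socket", uid, gid) with the uid and gid from getent passwd ntp. Because the socket inode is recreated each time Samba starts, a chmod lasts only until the next restart, as the report says; whatever reapplies it should add the write bit for the ntp group only. Any process that can connect to this socket can ask ntp_signd to sign NTP replies with domain account keys, so making the socket world-writable is not an acceptable shortcut.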
--- Begin Message ---
On Thu, 23 Jan 2020 19:44:19 +0100 Jens Schmidt <[email protected]> wrote:
Package: samba
Version: 2:4.9.5+dfsg-5+deb10u1
Severity: important
File: samba4

Dear Maintainer,

when using samba as pdc with ntpd time synchronisation on windows clients
fails because ntp cannot write to /var/lib/samba/ntp_signd/socket.

Following the descriptions on 
https://wiki.samba.org/index.php/Time_Synchronisation
samba should provide time to windows clients.

In this wiki page, at least these days, they show that ntp_signd directory
is group-accessible to either ntp or chrony, depending on the actual software
in use.

However, doing "w32tm /resync /rediscover" on a windows client yields an
error "no time data available".

Further investigation with strace found the following on the pdc when w32tm was 
run on the client:

[pid  9063] 19:08:52 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid  9063] 19:08:52 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid  9063] 19:08:52 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid  9063] 19:08:52 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\316,\220\201\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802932, tv_nsec=860702542}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid  9063] 19:08:52 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid  9063] 19:08:52 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid  9063] 19:08:52 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = -1 EACCES (Permission denied)
[pid  9063] 19:08:52 close(7)           = 0

Clearly ntp cannot access the socket which produces the error on the client.


Doing a #chmod g+w /var/lib/samba/ntp_signd/socket
resulted in the following on the pdc when w32tm was run on the client:

Samba does not ship this directory in the package, but it creates this directory
when needed. Currently it is created with mode 0750, ie, group-accessible, but
with group=0 (root).

You can create the directory yourself, or you can change its permissions to whatever
is needed on your system - be it group ntp or chrony or something else.

Samba itself can't know which group ownership it needs to be.

Maybe we can use a common group for this dir, I dunno, - this seems to be too much
for just a single socket between samba DC and NTPD.

But whole thing seems to be wrong, - the location of this directory must be in
/run, not in /var/lib. And even /usr/share/doc/samba/README.Debian says it is
/run/samba/ntp_signd, not /var/lib/samba/ntp_signd.  We should really move it
to /run, but there, ownership/permission will *not* be preserved across reboot,
obviously, and some other mechanism - tmpfiles.d? - will have to be used 
instead.
Oh well.

But this aside, the issue seems to be just the missing permission set, so
closing this bug report for now.

Thanks,

/mjt

--- End Message ---
