Your message dated Mon, 11 Mar 2024 04:22:31 +0000
with message-id <[email protected]>
and subject line Bug#1033088: fixed in ntpsec 1.2.3+dfsg1-1
has caused the Debian Bug report #1033088,
regarding ntpsec: mssntp in ntp.conf breaks time service to all clients
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033088
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ntpsec
Version: 1.2.2+dfsg1-1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
On my LAN, I run Samba on Debian servers to implement Domain
Controllers (DCs) for an Active Directory (AD) domain. Per the Samba
documentation, I have set up authenticated time service (known as
MS-SNTP) on the DCs for Windows clients. Non-Windows clients also use
the DCs for non-auth time service, via unicast [S]NTP. Up to and
including bullseye, I have always used the 'ntp' package for this
purpose on the DCs, and it was functional.
Recently, however, upon upgrading from bullseye to bookworm, I found
that the DCs would no longer respond correctly to client requests for
time service. In other words, neither authenticated clients (Windows,
MS-SNTP) nor non-auth clients ([S]NTP) would receive any valid time
responses from the DCs running on bookworm.
Doing some experimentation, I discovered that when the 'mssntp'
keyword was removed from the 'restrict' line in 'ntp.conf', non-auth
time service was restored to clients (while MS-SNTP was disabled,
ofc). I can only assume this is a bug in the 'ntpsec' implementation
of MS-SNTP.
Without MS-SNTP service working on the DCs, Windows domain clients
(with the default time client settings) never receive time service
from the DCs as they should. Although it is easy enough to modify the
Windows time client settings to use non-auth NTP services, it would
be nice for MS-SNTP to work as advertised in 'ntpsec'.
Please let me know if there's any more information I can provide to
aid in troubleshooting/debugging this issue.
Thank you for your time.
Cheers,
-S.M.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-6-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ntpsec depends on:
ii adduser 3.131
ii init-system-helpers 1.65.2
ii libbsd0 0.11.7-2
ii libc6 2.36-8
ii libcap2 1:2.66-3
ii libssl3 3.0.8-1
ii netbase 6.4
ii python3 3.11.2-1
ii python3-ntp 1.2.2+dfsg1-1
ii sysvinit-utils [lsb-base] 3.06-2
ii tzdata 2022g-7
Versions of packages ntpsec recommends:
ii cron [cron-daemon] 3.0pl1-162
ii systemd 252.6-1
Versions of packages ntpsec suggests:
ii apparmor 3.0.8-3
pn certbot <none>
pn ntpsec-doc <none>
pn ntpsec-ntpviz <none>
-- Configuration Files:
/etc/ntpsec/ntp.conf changed:
driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statsdir /var/log/ntpsec/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
tos maxclock 11
tos minclock 4 minsane 3
tos orphan 7
tinker panic 0
ntpsigndsocket /var/lib/samba/ntp_signd/
server 10.150.10.10 iburst burst prefer
server 10.150.10.11 iburst burst prefer
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
pool 2.pool.ntp.org iburst
pool 3.pool.ntp.org iburst
restrict default kod nomodify limited mssntp
restrict 127.0.0.1
restrict ::1
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: ntpsec
Source-Version: 1.2.3+dfsg1-1
Done: Richard Laager <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ntpsec, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Richard Laager <[email protected]> (supplier of updated ntpsec package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Mar 2024 22:01:29 -0500
Source: ntpsec
Architecture: source
Version: 1.2.3+dfsg1-1
Distribution: unstable
Urgency: low
Maintainer: Richard Laager <[email protected]>
Changed-By: Richard Laager <[email protected]>
Closes: 931414 1033088 1058451 1059931 1060506 1065567
Changes:
ntpsec (1.2.3+dfsg1-1) unstable; urgency=low
.
[ Richard Laager ]
* New upstream version
- Change mode6 alignment to four, which may break some compatibility with
classic NTP.
- Make ntpq stop dropping output timestamp leading zeroes.
- Reset some stats hourly, even when not logged into files.
- Add error logging, and stats for ms-sntp.
- We think we have fixed ms-sntp
Thanks to Jakob Haufe for testing. (Closes: 1033088)
- ntpd and ntpq both treat SHA-1 as an alias for SHA1. NIST uses SHA-1.
The crypto package from OpenSSL uses SHA1.
- The default crypto type for ntpq is now AES. RFC 8573 deprecated MD5.
- There are now log files with hourly statistics for NTS and NTS-KE
traffic: filegen ntsstats and filegen ntskestats,
- Fix ntploggps issue where count_used_satellites checked before it is
initialized.
- Add support for ecdhcurves list.
- Fix ntpdig crash when using 2.ntp.pool.org with a host without IPv6
support.
- ntpdig shows packet delay in JSON output.
* Install systemd ntp-units.d file (Closes: 1065567)
* Switch pkg-config for pkgconf
* Change systemd build-dep to systemd-dev (Closes: 1058451, 1060506)
.
[ Simon Hyde ]
* Fixup if-up scripts, fixes #1059931/#931414 (Closes: 1059931, 931414)
Checksums-Sha1:
b8f45d645df28d8d67ca74d446a9e8bbb37b5b54 2594 ntpsec_1.2.3+dfsg1-1.dsc
4e28e87e8e3eda3fe36f54f7898d239454af3c61 2327860 ntpsec_1.2.3+dfsg1.orig.tar.xz
db25d602e1fccf3f62d42dcffd6d2489639d8968 57920
ntpsec_1.2.3+dfsg1-1.debian.tar.xz
43e9602dabef63f093832c8ff5ea3df52ed65411 8734
ntpsec_1.2.3+dfsg1-1_source.buildinfo
Checksums-Sha256:
2278e44047a4d173a78c26ba4ed837309b271d5c650f7a53bb175559b0cc8874 2594
ntpsec_1.2.3+dfsg1-1.dsc
99674bbb98a43875fcdd627b5bf28d3dc94109e0ddfef4dc340be8c097612bdb 2327860
ntpsec_1.2.3+dfsg1.orig.tar.xz
7a29998ac44122fc73b241996471e8b439c198b671216a5e47418e9444604a7b 57920
ntpsec_1.2.3+dfsg1-1.debian.tar.xz
ed8850bb06eedd771e2920986c264a969444f0b0e9f37868ae77126e47a42ccd 8734
ntpsec_1.2.3+dfsg1-1_source.buildinfo
Files:
4b19c82553ba54e68a73953c33b7e1d2 2594 net optional ntpsec_1.2.3+dfsg1-1.dsc
5925d80ffb722a256bb0e5699d709343 2327860 net optional
ntpsec_1.2.3+dfsg1.orig.tar.xz
bc2e33a100f21bd4408253e6bfe804c9 57920 net optional
ntpsec_1.2.3+dfsg1-1.debian.tar.xz
7d30728e50998154a68821eecb8cc30a 8734 net optional
ntpsec_1.2.3+dfsg1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmXufVEACgkQ+HlhmcBF
hs7SRBAAwxV8Imr1Un9N8aJniexcnMO8xk/cb1UCENlLvioCVDjUNv++m9NLeqjr
f5w0XAbtOYVmB8K4rroThm8DZhS7esarx9vkozKDJkXa37zFO1dhNNwgEhhWqzZC
nXpauHv/hY5GlovFlV+JvTcfyJrTD/h+wBkAXF0kMPUYelHC4A/IT5qnVKul9luB
PTbDrlGfAxwtMxLxiXcH15V3BU8nV4Kzr5EIXTLU2zGt2o4EWmp4OmgZGwGRhSml
HQeEd1YB7uwmA64LALhuXsagQXCaj0aY0C5Y+49FvKHra/l9wrArX5jLkRSxUkk4
oIEK5thyAuDV2nGLJBiIabXe8R/Bws3/AR9YYtg965LcWhlhaXzvF6loItTQW910
vP6rJU+enSnb35dzGaplo8ajtO1FnhqvsA+Qt/k5sgpCJXfOR+L7SKZSwgNwaHaF
l/eNtKAqbvZtc/XSyY+FQADWUu8JClPnnHjjsd4680nLnyZWbDBOm+CYlaZdp9HV
bYz8z2q0u+d7XBscn5yCUmOcoLl+VfCSHqfuDlRBlSU60y9acEk/wLTvGMqTsGJj
CWsRoHXFGGtrg8aC0q6XbJ61/4fXfQzhMTX/uyOM5WA4vsREoJnUfgo/7J/gBolz
ySflY2GkiYlFRh2ZzVsBpGKp23o4jFVJdtloPVkXCUL5wFu4HfY=
=UZq6
-----END PGP SIGNATURE-----
pgpVqFm4ch1LE.pgp
Description: PGP signature
--- End Message ---
