[Pkg-samba-maint] Bug#949697: samba4: samba 4 with ntpd wrong permission on /var/lib/samba/ntp_signd/socket
Jens Schmidt
schmidt at iils.de
Thu Jan 23 18:44:19 GMT 2020
Package: samba
Version: 2:4.9.5+dfsg-5+deb10u1
Severity: important
File: samba4
Dear Maintainer,
When using samba as pdc with ntpd, time synchronisation on Windows clients
fails because ntp cannot write to /var/lib/samba/ntp_signd/socket.
Following the descriptions on https://wiki.samba.org/index.php/Time_Synchronisation
samba should provide time to windows clients.
However, doing "w32tm /resync /rediscover" on a windows client yields an
error "no time data available".
Further investigation with strace found the following on the pdc when w32tm was run on the client:
[pid 9063] 19:08:52 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 9063] 19:08:52 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid 9063] 19:08:52 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid 9063] 19:08:52 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\316,\220\201\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802932, tv_nsec=860702542}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid 9063] 19:08:52 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid 9063] 19:08:52 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid 9063] 19:08:52 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = -1 EACCES (Permission denied)
[pid 9063] 19:08:52 close(7) = 0
Clearly ntp cannot access the socket which produces the error on the client.
Doing a
#chmod g+w /var/lib/samba/ntp_signd/socket
resulted in the following on the pdc when w32tm was run on the client:
[pid 9075] 19:09:55 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 9075] 19:09:55 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call)
[pid 9075] 19:09:55 select(23, [16 17 18 19 20 21 22], NULL, NULL, NULL) = 1 (in [19])
[pid 9075] 19:09:55 recvmsg(19, {msg_name={sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, msg_namelen=28->16, msg_iov=[{iov_base="\333\0\21\351\0\0\10\25\0\t\7\205\0\0\0\0\341\324_\21\3169q:\0\0\0\0\0\0\0\0"..., iov_len=2120}], msg_iovlen=1, msg_control=[{cmsg_len=32, cmsg_level=SOL_SOCKET, cmsg_type=SCM_TIMESTAMPNS, cmsg_data={tv_sec=1579802995, tv_nsec=938174583}}], msg_controllen=32, msg_flags=0}, 0) = 68
[pid 9075] 19:09:55 recvmsg(19, {msg_namelen=28}, 0) = -1 EAGAIN (Resource temporarily unavailable)
[pid 9075] 19:09:55 socket(AF_UNIX, SOCK_STREAM, 0) = 7
[pid 9075] 19:09:55 connect(7, {sa_family=AF_UNIX, sun_path="/var/lib/samba/ntp_signd//socket"}, 110) = 0
[pid 9075] 19:09:55 write(7, "\0\0\0@", 4) = 4
[pid 9075] 19:09:55 write(7, "\0\0\0\0\0\0\0\0\1\0\0\0\210\5\0\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252"..., 64) = 64
[pid 9075] 19:09:55 read(7, "\0\0\0P", 4) = 4
[pid 9075] 19:09:55 read(7, "\0\0\0\0\0\0\0\3\0\0\1\0\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332"..., 80) = 80
[pid 9075] 19:09:55 sendto(19, "\34\3\21\351\0\0\10Z\0\0005\f\271\220\241\252\341\324_\332X?\336\333\341\324_\363\346I\372\37"..., 68, 0, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("192.168.43.183")}, 16) = 68
[pid 9075] 19:09:55 close(7) = 0
Now ntp can access the socket and the client gets the new time. But this is only a temporary fix.
When samba is restarted, it sets the permissions on
/var/lib/samba/ntp_signd/socket back to the ones found below.
This appears not to be the intended behavior, since clients in a domain
should be able to query the pdc for time.
Cheers, Jens
#ll /var/lib/samba/
...
drwxr-x---+ 2 root ntp 4096 Jan 23 19:20 ntp_signd
...
#ll /var/lib/samba/ntp_signd
srwxr-xr-x 1 root root 0 Jan 23 19:20 socket
#getent group | grep ntp
ntp:x:120:ntp
== ntp.conf ==
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.pool.ntp.org iburst prefer
server 1.pool.ntp.org iburst prefer
server 2.pool.ntp.org iburst prefer
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
== ==
== smb.conf ==
# Global parameters
[global]
log level = 1
os level = 200
interfaces = ens3 lo
workgroup = ...
realm = ...
netbios name = AUTH
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind use default domain = yes
preferred master = yes
local master = yes
log file = /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
#may be hardcoded for ad pdc
time server = Yes
map acl inherit = Yes
## ssl
tls enabled = yes
tls certfile = /etc/ssl/cert/...
tls keyfile = /etc/ssl/private/...
tls cafile = /etc/ssl/certs/...
usershare path =
[netlogon]
path = /var/lib/samba/sysvol/...
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
==
-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.19.7
ii libbsd0 0.9.1-2
ii libc6 2.28-10
ii libldb1 2:1.5.1+really1.4.6-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpopt0 1.16-12
ii libpython2.7 2.7.16-2+deb10u1
ii libtalloc2 2.1.14-2
ii libtdb1 1.3.16-2+b1
ii libtevent0 0.9.37-1
ii lsb-base 10.2019051400
ii procps 2:3.3.15-2
ii python 2.7.16-1
ii python-dnspython 1.16.0-1
ii python-samba 2:4.9.5+dfsg-5+deb10u1
ii python2.7 2.7.16-2+deb10u1
ii samba-common 2:4.9.5+dfsg-5+deb10u1
ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1
ii samba-libs 2:4.9.5+dfsg-5+deb10u1
ii tdb-tools 1.3.16-2+b1
Versions of packages samba recommends:
ii attr 1:2.4.48-4
ii logrotate 3.14.0-4
ii samba-dsdb-modules 2:4.9.5+dfsg-5+deb10u1
ii samba-vfs-modules 2:4.9.5+dfsg-5+deb10u1
Versions of packages samba suggests:
ii bind9 1:9.11.5.P4+dfsg-5.1
ii bind9utils 1:9.11.5.P4+dfsg-5.1
pn ctdb <none>
pn ldb-tools <none>
ii ntp 1:4.2.8p12+dfsg-4
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.9.5+dfsg-5+deb10u1
-- no debconf information
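As an added example that is not part of the original report: a small Python model of the classic DAC checks behind the EACCES in the strace above (search permission on the directory, write permission on the socket), fed with the `ls -l` lines from the report plus one constructed group-writable socket line. It models only owner/group/other bits; POSIX ACLs (the `+` on the directory) and AppArmor are not modelled, and the user/group names are the ones from the report.

```python
"""Model why ntpd's connect() to Samba's ntp_signd socket fails with EACCES.

Constructed example: parses `ls -l` style lines such as the ones in the bug
report and decides whether a given user could connect() under classic DAC.
POSIX ACLs and MAC (AppArmor) are deliberately not modelled.
"""
import re

LS_RE = re.compile(r"^([-dsl])([rwxsStT-]{9})\+?\s+\d+\s+(\S+)\s+(\S+)\s")
R, W, X = 4, 2, 1


def parse_ls(line):
    """Return (type, mode, owner, group) from an `ls -l` line."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("unparseable ls line: %r" % line)
    ftype, perm, owner, group = m.groups()
    mode = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":  # 'S'/'T' mean setuid/sticky without execute
            mode |= 1 << (8 - i)
    return ftype, mode, owner, group


def allowed(mode, owner, group, want, user, groups):
    """Classic DAC: select the owner/group/other triad, check the wanted bits."""
    if user == "root":
        return True  # CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypass the bits
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def can_connect(dir_line, sock_line, user, groups):
    """connect() on a unix socket needs x on the directory and w on the socket."""
    dtype, dmode, downer, dgroup = parse_ls(dir_line)
    stype, smode, sowner, sgroup = parse_ls(sock_line)
    if dtype != "d" or stype != "s":
        raise ValueError("expected a directory line and a socket line")
    if not allowed(dmode, downer, dgroup, X, user, groups):
        return False, "EACCES: no search permission on directory"
    if not allowed(smode, sowner, sgroup, W, user, groups):
        return False, "EACCES: no write permission on socket"
    return True, "ok"


# Lines as listed in the report: directory root:ntp 0750, socket root:root 0755.
REPORTED_DIR = "drwxr-x---+ 2 root ntp 4096 Jan 23 19:20 ntp_signd"
REPORTED_SOCK = "srwxr-xr-x 1 root root 0 Jan 23 19:20 socket"
# Constructed layout: socket owned by group ntp and group-writable.
FIXED_SOCK = "srwxrwx--- 1 root ntp 0 Jan 23 19:20 socket"

if __name__ == "__main__":
    for label, sock in (("reported", REPORTED_SOCK), ("fixed", FIXED_SOCK)):
        ok, why = can_connect(REPORTED_DIR, sock, "ntp", {"ntp"})
        print(f"{label}: {'connect ok' if ok else why}")
```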