Where does ListeningThread -- Recvd 52 of 48/68 bytes
come from?
If you follow the instructions for setting up Samba 4 AD DC for time synchronization, ntpd
(coming out of Debian’s ntp
package at some version 4.2.8) should just work.1
I came to this discovery after giving up and discarding my /etc/ntp.conf
. Suddenly, after restarting ntpd and running w32tm /resync
, things just worked. It’s not the software that’s broken — it’s me that was crazy.
The packet was now 110 bytes in Wireshark (68 of which was data). This was a stark improvement over seeing a 94 byte packet (52 of which was data). C:\temp\ntpDebug.log
2 no longer contained this:
ListeningThread -- Recvd 52 of 48/68 bytes
Hoozah! Now I wanted to figure out what was causing ntpd to send 52b packets, and not either 48b or 68b packets.
Turns out that my restrict
statements had unexpected side effects. For instance, Samba wiki-recommended config tries to unrestrict localhost using restrict 127.0.0.1
. 3
But I wanted to do the same for IPv6 localhost, so I did restrict ::1
. This seems to have greatly confused ntpd
.
The way out?
restrict -4 127.0.0.1 restrict -6 ::1
Second mistake was restrict 10.10.10.0 mask 255.255.255.0
. It didn’t specify that mssntp
should be enabled. For good measure I threw in -4
:
restrict -4 10.10.10.0 mask 255.255.255.0 mssntp
Given that Samba config doesn’t recommend any special allowlisting for my internal IP range, I’ll just remove this line completely; the default restriction from the wiki should cover everything clients need to do anyway:
# Access control # Default restriction: Allow clients only to query the time restrict default kod nomodify notrap nopeer mssntp
Moral of the story? ntpd
seems to be awfully sensitive to restrict
statements. If w32time service complains or breaks in some way, be sure to remove the statements bit by bit, or make sure IPv4 and IPv6 statements don’t stomp over each other.
-
Granted, I needed to modify the path to the socket to say
/var/lib/samba/ntp_signd/
instead of/usr/local/samba/var/lib/ntp_signd/
, but otherwise it just worked. ↩ -
That file was created using
w32tm /debug /enable /file:C:\temp\ntpDebug.log /size:102400 /entries:0-300
which I found somewhere online. ↩ - Apparently, passing no restrictions at all after the address simply means “unrestrict these peers”. ↩
–
via blog.vucica.net