ListeningThread -- Recvd 52 of 48/68 bytes come from?
If you follow the instructions for setting up Samba 4 AD DC for time synchronization,
ntpd (coming out of Debian's
ntp package at some version 4.2.8) should just work.1
I came to this discovery after giving up and discarding my
/etc/ntp.conf. Suddenly, after restarting ntpd and running
w32tm /resync, things just worked. It's not the software that's broken — it's me that was crazy.
The packet was now 110 bytes in Wireshark (68 of which was data). This was a stark improvement over seeing a 94 byte packet (52 of which was data).
C:\temp\ntpDebug.log 2 no longer contained this:
ListeningThread -- Recvd 52 of 48/68 bytes
Hoozah! Now I wanted to figure out what was causing ntpd to send 52b packets, and not either 48b or 68b packets.
Turns out that my
restrict statements had unexpected side effects. For instance, Samba wiki-recommended config tries to unrestrict localhost using
restrict 127.0.0.1. 3
But I wanted to do the same for IPv6 localhost, so I did
restrict ::1. This seems to have greatly confused
The way out?
restrict -4 127.0.0.1 restrict -6 ::1
Second mistake was
restrict 10.10.10.0 mask 255.255.255.0. It didn't specify that
mssntp should be enabled. For good measure I threw in
restrict -4 10.10.10.0 mask 255.255.255.0 mssntp
Given that Samba config doesn't recommend any special allowlisting for my internal IP range, I'll just remove this line completely; the default restriction from the wiki should cover everything clients need to do anyway:
# Access control # Default restriction: Allow clients only to query the time restrict default kod nomodify notrap nopeer mssntp
Moral of the story?
ntpd seems to be awfully sensitive to
restrict statements. If w32time service complains or breaks in some way, be sure to remove the statements bit by bit, or make sure IPv4 and IPv6 statements don't stomp over each other.
Granted, I needed to modify the path to the socket to say
/usr/local/samba/var/lib/ntp_signd/, but otherwise it just worked. ↩
That file was created using
w32tm /debug /enable /file:C:\temp\ntpDebug.log /size:102400 /entries:0-300which I found somewhere online. ↩
- Apparently, passing no restrictions at all after the address simply means "unrestrict these peers". ↩