From firesmith at protonmail.com Mon Apr 12 20:33:43 2021
From: firesmith at protonmail.com (Kodiak Firesmith)
Date: Mon, 12 Apr 2021 18:33:43 +0000
Subject: NTP checks and AD-based NTP services
Message-ID: <5FT5a_01IbYZqOFeZerGbHQgUf4qHQpM4fK33Ia9MQIFkgr-ANDo7K0zp52UQKTZ9o-eOBa5RBHGIJnbSUlMfVX0PgS-Sgeo1dXpUe57zMw=@protonmail.com>

Hello Folks,

I'm not a programmer, just an ops guy so please bear with me.

Currently we have a need to monitor both appliance-based NTP services, and Active Directory-based NTP services. I discovered that I wasn't able to use check_ntp_peer to monitor AD-based NTP as we wouldn't get any response from AD (while all other methods of interrogating AD-based NTP are working fine (eg: Chrony, ntpdate -q)). I can however use check_ntp_time against AD-based NTP services, though I can't do things like check stratum, so this is of limited use.

I have *zero* access to Active Directory's administrative information, so I immediately fired up tcpdump to see what was different, and discovered that check_ntp_peer uses NTPv2 requests, and check_ntp_time uses NTPv4 requests. AD seems to ignore NTPv2 and responds to NTPv4 with packets that self-identify as NTPv3.

I suppose my request at this point is: Could some C programmer please take a look at check_ntp_peer and perhaps refactor the code to create NTPv4 requests as check_ntp_time does?

Here's the packet capture:

check_ntp_peer:

09:45:20.547797 IP (tos 0x0, ttl 64, id 40308, offset 0, flags [DF], proto UDP (17), length 40)
    123.123.123.166.56721 > 123.123.123.17.123: NTPv2, length 12
    Reserved, Leap indicator: (0), Stratum 1 (primary reference), poll 0 (1s), precision 1
    Root Delay: 0.000000, Root dispersion: 0.000000 [|ntp]

check_ntp_time:

14:15:48.323492 IP (tos 0x0, ttl 64, id 33946, offset 0, flags [DF], proto UDP (17), length 76)
    123.123.123.166.44232 > 123.123.123.17.123: NTPv4, length 48
    Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 4 (16s), precision -6
    Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
      Reference Timestamp: 0.000000000
      Originator Timestamp: 0.000000000
      Receive Timestamp: 0.000000000
      Transmit Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)
        Originator - Receive Timestamp: 0.000000000
        Originator - Transmit Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)
14:15:48.323813 IP (tos 0x0, ttl 128, id 12733, offset 0, flags [none], proto UDP (17), length 76)
    123.123.123.17.123 > 123.123.123.166.44232: NTPv3, length 48
    Server, Leap indicator: (0), Stratum 5 (secondary reference), poll 4 (16s), precision -6
    Root Delay: 0.136962, Root dispersion: 0.210037, Reference-ID: 123.123.123.22
      Reference Timestamp: 3827239257.946514999 (2021/04/12 14:00:57)
      Originator Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)
      Receive Timestamp: 3827240148.321514999 (2021/04/12 14:15:48)
      Transmit Timestamp: 3827240148.321514999 (2021/04/12 14:15:48)
        Originator - Receive Timestamp: -0.001964000
        Originator - Transmit Timestamp: -0.001964000

We're using the version of monitoring-plugins bundled with Ubuntu 20.04, which is 2.2. I did however check the release notes for 2.3.0 & 2.3.1 as well as the commit log for check_ntp_peer, and nothing has changed since 2.2.

Thanks very much,
- Kodiak Firesmith

Sent with [ProtonMail](https://protonmail.com) Secure Email.
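
Added example, not part of the original message and not code from monitoring-plugins: a C decoder for the first octet (LI, version, mode) of the three packets in the capture above. It shows that the 12-byte NTPv2 packet and the 48-byte NTPv4 request differ in mode as well as version, and that the stratum sits in octet 1 of the AD reply. The packet bytes are constructed from the fields tcpdump printed, and reading tcpdump's "Reserved" mode as mode 6 (NTP control message) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Octet 0 of every NTP datagram: LI (2 bits) | VN (3 bits) | Mode (3 bits). */
struct ntp_flags { unsigned li, vn, mode; };

enum { MODE_CLIENT = 3, MODE_SERVER = 4, MODE_CONTROL = 6 };
enum ntp_kind { NTP_OTHER, NTP_TIME_REQUEST, NTP_TIME_REPLY, NTP_CONTROL_MSG };

static struct ntp_flags ntp_decode(uint8_t b)
{
    struct ntp_flags f = { (unsigned)b >> 6, ((unsigned)b >> 3) & 7u, b & 7u };
    return f;
}

/* Time packets carry a 48-byte header, control messages a 12-byte one. */
static enum ntp_kind ntp_classify(const uint8_t *pkt, size_t len)
{
    if (len < 12) return NTP_OTHER;
    unsigned mode = ntp_decode(pkt[0]).mode;
    if (mode == MODE_CONTROL) return NTP_CONTROL_MSG;
    if (len < 48) return NTP_OTHER;
    if (mode == MODE_CLIENT) return NTP_TIME_REQUEST;
    if (mode == MODE_SERVER) return NTP_TIME_REPLY;
    return NTP_OTHER;
}

/* Stratum is octet 1 of a time reply; -1 if pkt is not a mode 4 reply. */
static int ntp_reply_stratum(const uint8_t *pkt, size_t len)
{
    return ntp_classify(pkt, len) == NTP_TIME_REPLY ? pkt[1] : -1;
}

/* Constructed from the decoded fields in the capture, not raw captured bytes.
 * Mode 6 for the first packet is an assumption (tcpdump printed "Reserved"). */
static const uint8_t peer_req[12] = { 0x16, 0x01, 0x00, 0x01 }; /* NTPv2, length 12 */
static const uint8_t time_req[48] = { 0xE3, 0x00, 0x04, 0xFA }; /* NTPv4, Client */
static const uint8_t ad_reply[48] = { 0x1C, 0x05, 0x04, 0xFA }; /* NTPv3, Server */

int main(void)
{
    const uint8_t *p[] = { peer_req, time_req, ad_reply };
    const size_t n[] = { sizeof peer_req, sizeof time_req, sizeof ad_reply };
    for (int i = 0; i < 3; i++) {
        struct ntp_flags f = ntp_decode(p[i][0]);
        printf("len=%zu li=%u vn=%u mode=%u kind=%d stratum=%d\n", n[i], f.li, f.vn,
               f.mode, (int)ntp_classify(p[i], n[i]), ntp_reply_stratum(p[i], n[i]));
    }
    return 0;
}
```

Decoded as a time packet, octets 1 to 3 of the 12-byte packet (0x01, 0x00, 0x01) are what tcpdump printed as "Stratum 1, poll 0, precision 1".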