NTP checks and AD-based NTP services

Kodiak Firesmith firesmith at protonmail.com
Mon Apr 12 20:33:43 CEST 2021


Hello Folks,
I'm not a programmer, just an ops guy so please bear with me.

Currently we have a need to monitor both appliance-based NTP services and Active Directory-based NTP services. I discovered that I wasn't able to use check_ntp_peer to monitor AD-based NTP as we wouldn't get any response from AD (while all other methods of interrogating AD-based NTP are working fine, e.g. Chrony, ntpdate -q).

I can however use check_ntp_time against AD-based NTP services, though I can't do things like check stratum, so this is of limited use. I have *zero* access to Active Directory's administrative information, so I immediately fired up tcpdump to see what was different, and discovered that check_ntp_peer uses NTPv2 requests, and check_ntp_time uses NTPv4 requests. AD seems to ignore NTPv2 and responds to NTPv4 with packets that self-identify as NTPv3.

I suppose my request at this point is: Could some C programmer please take a look at check_ntp_peer and perhaps refactor the code to create NTPv4 requests as check_ntp_time does?

Here's the packet capture:

check_ntp_peer:

09:45:20.547797 IP (tos 0x0, ttl 64, id 40308, offset 0, flags [DF], proto UDP (17), length 40)
123.123.123.166.56721 > 123.123.123.17.123: NTPv2, length 12
Reserved, Leap indicator: (0), Stratum 1 (primary reference), poll 0 (1s), precision 1
Root Delay: 0.000000, Root dispersion: 0.000000 [|ntp]

check_ntp_time:

14:15:48.323492 IP (tos 0x0, ttl 64, id 33946, offset 0, flags [DF], proto UDP (17), length 76)
123.123.123.166.44232 > 123.123.123.17.123: NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 4 (16s), precision -6
Root Delay: 1.000000, Root dispersion: 1.000000, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)

14:15:48.323813 IP (tos 0x0, ttl 128, id 12733, offset 0, flags [none], proto UDP (17), length 76)
123.123.123.17.123 > 123.123.123.166.44232: NTPv3, length 48
Server, Leap indicator: (0), Stratum 5 (secondary reference), poll 4 (16s), precision -6
Root Delay: 0.136962, Root dispersion: 0.210037, Reference-ID: 123.123.123.22
Reference Timestamp: 3827239257.946514999 (2021/04/12 14:00:57)
Originator Timestamp: 3827240148.323479000 (2021/04/12 14:15:48)
Receive Timestamp: 3827240148.321514999 (2021/04/12 14:15:48)
Transmit Timestamp: 3827240148.321514999 (2021/04/12 14:15:48)
Originator - Receive Timestamp: -0.001964000
Originator - Transmit Timestamp: -0.001964000

We're using the version of monitoring-plugins bundled with Ubuntu 20.04, which is 2.2. I did however check the release notes for 2.3.0 & 2.3.1 as well as the commit log for check_ntp_peer, and nothing has changed since 2.2.

Thanks very much,
- Kodiak Firesmith
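
An added example (not part of the original post, and not code from monitoring-plugins): Python that builds the same kind of 48-byte NTPv4 client request seen in the check_ntp_time capture and reads version, mode and stratum from the reply header, so stratum can be thresholded from a time-mode response. The function names, the thresholds and the sample reply are assumptions constructed here from the values in the capture.

```python
import socket
import struct
import time

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(unix_time, version=4):
    """48-byte mode 3 (client) request shaped like the NTPv4 one in the capture."""
    first = (3 << 6) | (version << 3) | 3   # LI=3 (unsynchronized), VN, Mode=3
    secs = (int(unix_time) + NTP_TO_UNIX) & 0xFFFFFFFF
    frac = int((unix_time % 1) * 2**32)
    # stratum 0, poll 4, precision -6, root delay/dispersion 1.0 in 16.16 fixed point
    head = struct.pack("!BBbbII", first, 0, 4, -6, 1 << 16, 1 << 16)
    return head + bytes(28) + struct.pack("!II", secs, frac)  # only transmit is set

def parse_header(packet):
    """Decode the fixed header fields a stratum check needs."""
    if len(packet) < 48:
        raise ValueError("expected a 48-byte time packet, got %d bytes" % len(packet))
    first, stratum, poll, precision, delay, disp = struct.unpack("!BBbbII", packet[:12])
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": delay / 65536, "root_dispersion": disp / 65536}

def stratum_status(reply, warn, crit):
    """Nagios-style code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN."""
    try:
        h = parse_header(reply)
    except ValueError:
        return 3
    if h["mode"] != 4:                      # not a server reply
        return 3
    if h["leap"] == 3 or not 1 <= h["stratum"] <= 15:
        return 2                            # server reports itself unsynchronized
    if h["stratum"] >= crit:
        return 2
    return 1 if h["stratum"] >= warn else 0

def query(host, timeout=5.0):
    """Live use (not exercised here): send the request, return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(time.time()), (host, 123))
        return s.recvfrom(512)[0]

# Constructed reply mirroring the server packet in the capture above:
# VN=3, mode 4 (server), stratum 5, poll 4, precision -6, Reference-ID 123.123.123.22
SAMPLE_REPLY = struct.pack("!BBbbII4s", 0x1C, 5, 4, -6, 8976, 13765,
                           bytes([123, 123, 123, 22])) + bytes(32)
```

With a reachable server, stratum_status(query(host), warn, crit) gives the plugin-style exit code; the version field of the reply is reported by parse_header but not used to reject the packet, since the capture shows an NTPv3 answer to an NTPv4 request.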
