DSFW: NTP daemon dies

  • 7011476
  • 10-Dec-2012
  • 10-Dec-2012

Environment

Novell Open Enterprise Server 2 SP3 (OES2SP3)
November 2012 Maintenance Patch
Domain Services for Windows
DSfW

Situation

NTP daemon in the DSFW server goes to dead state when the time provider on a Windows XP SP3 workstation lists the DSfW Domain Controller.

DSfW domain controller and has either /var/opt or /var/opt/novell or/var/opt/novell/xad/ directory in a separate partition.

Steps to reproduce:
  1. Joined Windows XP SP3 client to the domain
  2. From GPMC, Configure Windows NTP Client policy in "Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers
  3. Provide the server FDN as DC name
  4. Do a "gpupdate /force" from windows WS
  5. Do a gposync in the DSFW server
  6. From Windows WS run the below command:
  7. C:\w32tm /resync /rediscover
rpm : novell-xad-framework-2.2.6214-0.7
      novell-xad-dcerpc-1.3.6172-0.7

Resolution

Change the apparmor NTP profile from 'enforce' mode to 'complain' mode in order to allow the ntpd daemon to process
signed NTP requests coming from the windows workstations that are joined to the DSfW domain.

The workaround is to change the NTP apparmor profile from
'enforce' to 'complain' mode
  1. rcapparmor stop
  2. rcntp stop
  3. open a terminal
  4. in a terminal enter aa-complain /etc/apparmor.d/usr.sbin.ntpd /usr/sbin/ntpd
  5. rcapparmor start
  6. rcntp start

Cause

Apparmor abstraction currently has recorded the static information related to ntp in the /var/lib/ntp/var/opt/novell/xad/rpc/xadsd.
The information in the static file is valid for a basic setup meaning the entire root system is mounted on a single partition.
With Multiple filesystem partitions this static file is incorrect.
Along with the static information a new dynamic information (if needed) has to be set in the Apparmor abstraction.

Additional Information

Please note, this change is needed only on an OES2SP3 server that is acting as a DSfW domain controller.