mssntp in ntp.conf breaks time service to all clients
I have not independently verified this.
A Debian user reported: https://bugs.debian.org/1033088
On my LAN, I run Samba on Debian servers to implement Domain Controllers (DCs) for an Active Directory (AD) domain. Per the Samba documentation, I have set up authenticated time service (known as MS-SNTP) on the DCs for Windows clients. Non-Windows clients also use the DCs for non-auth time service, via unicast [S]NTP. Up to and including bullseye, I have always used the 'ntp' package for this purpose on the DCs, and it was functional.
Recently, however, upon upgrading from bullseye to bookworm,
This is NTP Classic 4.2.8p15+dfsg-1 to ntpsec 1.2.2.
I found that the DCs would no longer respond correctly to client requests for time service. In other words, neither authenticated clients (Windows, MS-SNTP) nor non-auth clients ([S]NTP) would receive any valid time responses from the DCs running on bookworm.
Doing some experimentation, I discovered that when the 'mssntp' keyword was removed from the 'restrict' line in 'ntp.conf', non-auth time service was restored to clients (while MS-SNTP was disabled, ofc). I can only assume this is a bug in the 'ntpsec' implementation of MS-SNTP.
Without MS-SNTP service working on the DCs, Windows domain clients (with the default time client settings) never receive time service from the DCs as they should. Although it is easy enough to modify the Windows time client settings to use non-auth NTP services, it would be nice for MS-SNTP to work as advertised in 'ntpsec'.
The Debian package is built with --enable-mssntp.