[Samba] DC Time Problems
Hal Murray
halmurray+samba at sonic.net
Thu Oct 26 00:37:51 UTC 2023
Rowland said:
> If, ntpsec is now working again with Samba AD, then great, but it doesn't
> seem to have percolated down to Debian.
We'd like to verify that the fix works before we do a release. (None of the
NTPsec developers know anything about Samba and many of us know little about
Windows.)
Is anybody willing to help?
If so, please contact me so we can work out the details.
We need somebody running samba and Windows clients that are setup to use
MS-SNTP authentication.
Ideally, you could work from our git head, but I can build binaries for most
distros.
> Whilst (it would seem) there was never a Linux ntp_signd client, ...
In order to do a Linux client, the client needs to get the key-id to put in
the request, and the key to verify that the response was correctly signed.
Are the key-id and key already stored on the client? If so, it should be easy
to write a script to put the key into a keys-file and add a line to ntp.conf.
(We would need a few lines of code in ntpd to zero the MAC slot rather than
authenticate the packet.)
Can you use NTS? For that, the ntpd server needs a certificate and private
key which you can get via Let's Encrypt and certbot if you don't have a better
way. Then normal Linux ntpd on the client just needs:
server <server-name-here> nts
--
These are my opinions. I hate spam.
More information about the samba
mailing list