NTP Configuration [Was: Re: A successful Samba 4 deployment]

Fri Dec 3 06:37:09 MST 2010

On Thu, 2010-12-02 at 22:56 +0000, Matt Ficken (Insight Global) wrote:
> Windows uses the SNTP protocol(NTP + a Authentication Extension). See
> [MS-SNTP]
> (http://msdn.microsoft.com/en-us/library/cc246877(v=PROT.13).aspx),
> which extends [RFC1305]. The standard NTP authentication mechanism is
> in Appendix C of [RFC1305], and [MS-SNTP] is a further extension of
> that. 
> I think samba's NTP-SIGND test suite covers it.

Right, that is my understanding.  

But it doesn't really answer my question: If I have a working Samba4 AD
domain, and an appropriate NTPD built with --enable-ntp-signd what are
the steps required to provision their integration?

They do not seem to 'magically' find each other.  My [admittedly quite
limited] understanding is that signing support in NTP creates a local
signing socket [the signdsocketdir ntp.conf option].  Does Samba need to
know the location of this socket somehow?  Does NTP need access to a
Kerberos keytab?

If this currently isn't really operational is there some 'hack' to get
Windows 7 to use an unsigned time server so that clock drift doesn't
start causing Kerberos authentication failures?

> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of Christopher R. Hertel
> Sent: Thursday, December 02, 2010 12:43 PM
> To: Mark Rutherford
> Cc: samba-technical at lists.samba.org
> Subject: Re: NTP Configuration [Was: Re: A successful Samba 4 deployment]
> Does Windows use NTP or SNTP protocol?
> Mark Rutherford wrote:
> > I never got it to work personally.
> > If anyone has better luck with this I would love to hear it.
> > My Windows clients do not appear to be sending the requests in a format
> > the NTP daemon thinks it should sign.
> > So the NTP daemon sends back an unsigned reply, from what I can tell.
> > I just have not had time to sit there with a debugger to see what it's
> > doing.
> > On 12/2/2010 3:23 PM, Adam Tauno Williams wrote:
> >> On Thu, 2010-11-11 at 05:27 -0500, Mark Rutherford wrote:
> >>> The version in Debian Lenny does not appear to be compiled with
> >>> --enable-ntp-signd so your 
> >>> going to have to compile it yourself.
> >>> I was looking at the patch supplied to the NTP developers for clues and
> >>> found a lot:
> >>> https://support.ntp.org/bugs/show_bug.cgi?id=1028
> >>> Putting ntpd in debug I never appear to get into send_via_ntp_signd() so
> >>> I fear that I will be sitting here
> >>> with wireshark, gdb and a Windows box unless anyone has a clue how my
> >>> clients could be misconfigured?
> >>> Is...
> >>> w32tm /resync /rediscover
> >>> the proper way to get a windows client to query the domain controller
> >>> for time?
> >>> When I do this I can see the ntp server getting the request, so it does
> >>> something.
> >> Are there any required steps to integrating NTP&  Samba4?  The Samba4
> >> howto does not mention time service at all.  The suggested configuration
> >> below declares the path "/data/samba/samba4/prefix/var/run/ntp_signd/";
> >> does Samba4 need to be informed of the NTP socket's path in some manner
> >> (smb.conf directive?)?
> >> <ASIDE>I have a compatible NTP running on openSUSE 11.3 from the repo @
> >> http://download.opensuse.org/repositories/home:/namtrac/openSUSE_11.3/
> >> openSUSE has a bug for this issue [proper version of NTP]
> >> <https://bugzilla.novell.com/show_bug.cgi?id=657194>
> >> </ASIDE>
> >>> On 11/9/2010 2:45 PM, Andrew Bartlett wrote:
> >>>> On Tue, 2010-11-09 at 11:00 -0500, Mark Rutherford wrote:
> >>>>> We have been running for almost 2 weeks now without any major
> >>>>> problems.
> >>>>> All the problems I have encountered have been minor and fixed fairly
> >>>>> quickly.
> >>>>> The second issue has been time on clients.
> >>>>> I have ntpd running on the DC but windows clients just throw event
> >>>>> logs
> >>>>> about not being able to get time from the domain controller for the
> >>>>> last 8 times, etc etc.
> >>>>> I have read some places that Windows uses sntp instead of ntp so I am
> >>>>> not really sure about what I should be doing.
> >>>> They are essentially the same protocol for PC-level clients, and they
> >>>> use real NTP now anyway.
> >>>> You need to install a current version of the ntp server, and have it
> >>>> compiled with the options to know to talk to samba.  (compile ntp with
> >>>> the --enable-ntp-signd configure option or use current debian or
> >>>> ubuntu).
> >>>> in the ntp.conf you need (from memory)
> >>>> restrict mynet mssntp
> >>>> signdsocketdir /data/samba/samba4/prefix/var/run/ntp_signd/