NTP Configuration [Was: Re: A successful Samba 4 deployment]

Matthieu Patou mat at samba.org
Fri Dec 3 06:58:09 MST 2010

On 03/12/2010 16:37, Adam Tauno Williams wrote:
> On Thu, 2010-12-02 at 22:56 +0000, Matt Ficken (Insight Global) wrote:
>> Windows uses the SNTP protocol(NTP + a Authentication Extension). See
>> [MS-SNTP]
>> (http://msdn.microsoft.com/en-us/library/cc246877(v=PROT.13).aspx),
>> which extends [RFC1305]. The standard NTP authentication mechanism is
>> in Appendix C of [RFC1305], and [MS-SNTP] is a further extension of
>> that.
>> I think samba's NTP-SIGND test suite covers it.
> Right, that is my understanding.
> But it doesn't really answer my question: If I have a working Samba4 AD
> domain, and an appropriate NTPD built with --enable-ntp-signd what are
> the steps required to provision their integration?
> They do not seem to 'magically' find each other.  My [admittedly quite
> limited] understanding is that signing support in NTP creates a local
> signing socket [the signdsocketdir ntp.conf option].  Does Samba need to
> know the location of this socket somehow?  Does NTP need access to a
> Kerberos keytab?
> If this currently isn't really operational is there some 'hack' to get
> Windows 7 to use an unsigned time server so that clock drift doesn't
> start causing Kerberos authentication failures?
Basically you need this two stanza in your ntp.conf file:
ntpsigndsocket /usr/local/samba/var/run/ntp_signd
restrict default mssntp

The first one is to indicate where the socket is. The second one is to 
indicate to ntpd to accept request for microsoft signed ntp.

The last part was added last year by guys from ntp in order to have a 
more secure by default ntp server as even if you compile it with

--enable-ntp-signd the dialog on the socket will only be polled if this parameter is set.

The best way to debug this is to start ntpd without forking and to add a 
strace before it, ie:

strace ntpd -n

And look what files/sockets are opened !



Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the samba-technical mailing list