NTP Configuration [Was: Re: A successful Samba 4 deployment]

Adam Tauno Williams awilliam at whitemice.org
Fri Dec 3 09:01:56 MST 2010

sOn Fri, 2010-12-03 at 16:58 +0300, Matthieu Patou wrote: 
> On 03/12/2010 16:37, Adam Tauno Williams wrote:
> > On Thu, 2010-12-02 at 22:56 +0000, Matt Ficken (Insight Global) wrote:
> >> Windows uses the SNTP protocol(NTP + a Authentication Extension). See
> >> [MS-SNTP]
> >> (http://msdn.microsoft.com/en-us/library/cc246877(v=PROT.13).aspx),
> >> which extends [RFC1305]. The standard NTP authentication mechanism is
> >> in Appendix C of [RFC1305], and [MS-SNTP] is a further extension of
> >> that.
> >> I think samba's NTP-SIGND test suite covers it.
> > Right, that is my understanding.
> > But it doesn't really answer my question: If I have a working Samba4 AD
> > domain, and an appropriate NTPD built with --enable-ntp-signd what are
> > the steps required to provision their integration?
> > They do not seem to 'magically' find each other.  My [admittedly quite
> > limited] understanding is that signing support in NTP creates a local
> > signing socket [the signdsocketdir ntp.conf option].  Does Samba need to
> > know the location of this socket somehow?  Does NTP need access to a
> > Kerberos keytab?
> > If this currently isn't really operational is there some 'hack' to get
> > Windows 7 to use an unsigned time server so that clock drift doesn't
> > start causing Kerberos authentication failures?
> Basically you need this two stanza in your ntp.conf file:
> ntpsigndsocket /usr/local/samba/var/run/ntp_signd
> restrict default mssntp

Thanks, the document I had referred to 'signdsocketdir' which is not [or
no longer] valid.

> The first one is to indicate where the socket is. The second one is to 
> indicate to ntpd to accept request for microsoft signed ntp.
> The last part was added last year by guys from ntp in order to have a 
> more secure by default ntp server as even if you compile it with
> --enable-ntp-signd the dialog on the socket will only be polled if this parameter is set.
> The best way to debug this is to start ntpd without forking and to add a 
> strace before it, ie:
> strace ntpd -n
> And look what files/sockets are opened !

"testparm --verbose" revealed there is a Samba directive ("ntp signd
socket directory") whose default value [in my case:
"/opt/ad/samba4/var/run/ntp_signd"] is a directory that contains a
socket that samba is listening on.

samba:/opt/ad/samba4 # fuser -u /opt/ad/samba4/var/run/ntp_signd/socket 
/opt/ad/samba4/var/run/ntp_signd/socket:  3363(root)

But sadly my ntpd, which happy with the ntpsigndsocket directive has no
interest in that socket.

Running "strace -o file ntpd -dddd -n" and looking at stdout or the
trace information shows no attempt by ntpd to open a socket at the
specified location.


More information about the samba-technical mailing list