[Samba] Samba4: W2k clients cannot set / sync time with samba4 AD DC
abartlet at samba.org
Thu Apr 25 17:28:30 MDT 2013
On Thu, 2013-04-25 at 08:13 -0700, Gregory Sloop wrote:
> iM> Well, the NTP server on samba4 server is definitely (!) up and
> iM> running. I can triple-check that by "ps", "netstat" and of course by
> iM> getting the time of all my other clients (winxp, win7, linux, unix) so
> iM> NTP server is definitely running on samba4 host.
> Up and running doesn't mean it "works" and that clients can contact
> If you have not SPECIFICALLY taken a non W2K client and done an
> explicit NTP sync that you can verify worked, and/or done a complete
> capture of a successful NTP session, I don't think you're actually
> verified that NTP works.
> IMO, this pursuit seems really crazy - like you want to do nothing to
> mitigate things on your end, and want the Samba folks to support a
> long-dead client without any mitigation or changes on the long-dead
> client end.
> ALL W2K support ended in July 2010! [Nearly three YEARS ago!] Non
> extended support [i.e. non-security related support] ended in 2005!
> Yes, 2005!
> So, expecting it all to work without very substantial changes on the
> client side seems pretty demanding, at least IMO.
I've looked into the PCAP files provided privately, and the source code.
I can confidently explain that the reason the clients do not trigger the
authenticated time response is because they send un-initialised data in
the 'MAC' field, which the server expects to be zero for these
clients. (Otherwise, it thinks it could be a legitimate, RFC-compliant
authenticated time client.)
This is the code in ntpd/ntp_proto.c:
    /*
     * If the signature is 20 bytes long, the last 16 of
     * which are zero, then this is a Microsoft client
     * wanting AD-style authentication of the server's
     *
     * This is described in Microsoft's WSPP docs, in MS-SNTP:
     */
    } else if (has_mac == MAX_MD5_LEN && (restrict_mask & RES_MSSNTP) &&
        (retcode == AM_FXMIT || retcode == AM_NEWPASS) &&
        (memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MD5_LEN - 4) == 0)) {
            is_authentic = AUTH_NONE;
#endif /* HAVE_NTP_SIGND */
As such, this is unlikely to ever be fixed in the ntp.org server, but of
course local patches may be possible. It seems much simpler to just set
the time by another route, on such legacy clients.
This is the end of the investigation I can afford into this matter; any
further discussion really needs to be with the ntp.org developers, as
this is now their code. (I wrote it originally.)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
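To make the check described in the message above concrete, here is a small added illustration (not code from ntpd or from Samba) that classifies the trailing authenticator of an NTP packet the same way the quoted fragment does: a 20-byte MAC whose last 16 bytes are zero is treated as an MS-SNTP signing request, a 20-byte MAC with non-zero digest bytes is treated as an RFC-style symmetric-key MAC, and any other trailing length is rejected. It assumes a plain 48-byte NTP header with no extension fields (so the `authlen` of the real code is fixed at 48), and the sample packets, including the one carrying a fixed 0xA5 pattern standing in for uninitialised memory, are constructed inline. The real server additionally requires the RES_MSSNTP restriction and an appropriate association state before it takes the signing path; those conditions are not modelled here.

```c
/* Added illustration of the MS-SNTP MAC check; not ntpd or Samba code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NTP_HDR_LEN     48          /* fixed NTP v3/v4 header, no extension fields (assumption) */
#define NTP_KEYID_LEN   4           /* key identifier preceding the digest */
#define MD5_DIGEST_LEN  16
#define MAX_MD5_LEN     (NTP_KEYID_LEN + MD5_DIGEST_LEN)   /* 20, as in ntpd */

enum ntp_auth_class {
    NTP_AUTH_NONE,       /* no authenticator present */
    NTP_AUTH_MSSNTP,     /* 20-byte MAC, last 16 bytes zero: MS-SNTP signing request */
    NTP_AUTH_MD5,        /* 20-byte MAC with non-zero digest: RFC-style symmetric key */
    NTP_AUTH_MALFORMED   /* too short, or trailing bytes of some other length */
};

/* Mirror of the fragment's test: has_mac == MAX_MD5_LEN and the 16 digest
 * bytes after the key id compare equal to an all-zero key. */
enum ntp_auth_class classify_ntp_auth(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_key[MD5_DIGEST_LEN] = {0};

    if (len < NTP_HDR_LEN)
        return NTP_AUTH_MALFORMED;
    size_t has_mac = len - NTP_HDR_LEN;
    if (has_mac == 0)
        return NTP_AUTH_NONE;
    if (has_mac != MAX_MD5_LEN)
        return NTP_AUTH_MALFORMED;
    if (memcmp(zero_key, pkt + NTP_HDR_LEN + NTP_KEYID_LEN, MD5_DIGEST_LEN) == 0)
        return NTP_AUTH_MSSNTP;
    return NTP_AUTH_MD5;   /* non-zero digest: e.g. un-initialised client memory */
}

/* Constructed sample packets for the demonstration. */
enum sample_kind {
    SAMPLE_NO_MAC,       /* bare 48-byte client request */
    SAMPLE_ZERO_MAC,     /* key id + 16 zero bytes, what MS-SNTP expects */
    SAMPLE_GARBAGE_MAC,  /* key id + 16 bytes of 0xA5 (stand-in for uninitialised data) */
    SAMPLE_ODD_MAC,      /* key id + 8 trailing bytes: wrong length */
    SAMPLE_SHORT         /* truncated header */
};

size_t build_sample_packet(uint8_t *buf, size_t cap, enum sample_kind kind)
{
    if (cap < NTP_HDR_LEN + MAX_MD5_LEN)
        return 0;
    memset(buf, 0, cap);
    buf[0] = 0x1b;                         /* LI=0, VN=3, Mode=3 (client) */
    size_t len = NTP_HDR_LEN;
    switch (kind) {
    case SAMPLE_NO_MAC:
        break;
    case SAMPLE_ZERO_MAC:
        buf[len + 3] = 0x01;               /* key id 1, digest bytes stay zero */
        len += MAX_MD5_LEN;
        break;
    case SAMPLE_GARBAGE_MAC:
        buf[len + 3] = 0x01;
        memset(buf + len + NTP_KEYID_LEN, 0xA5, MD5_DIGEST_LEN);
        len += MAX_MD5_LEN;
        break;
    case SAMPLE_ODD_MAC:
        buf[len + 3] = 0x01;
        len += NTP_KEYID_LEN + 8;
        break;
    case SAMPLE_SHORT:
        len = 20;
        break;
    }
    return len;
}

/* Build one sample and classify it; convenient for tests and the demo below. */
enum ntp_auth_class classify_sample(enum sample_kind kind)
{
    uint8_t buf[NTP_HDR_LEN + MAX_MD5_LEN];
    size_t len = build_sample_packet(buf, sizeof buf, kind);
    return classify_ntp_auth(buf, len);
}

int main(void)
{
    static const char *names[] = {"NONE", "MSSNTP", "MD5", "MALFORMED"};
    for (int k = SAMPLE_NO_MAC; k <= SAMPLE_SHORT; k++)
        printf("sample %d -> %s\n", k, names[classify_sample((enum sample_kind)k)]);
    return 0;
}
```

The point the classification makes visible is the one in the message: a client that fills the digest bytes with anything other than zeros is indistinguishable, to this check, from a client attempting a genuine symmetric-key MAC, so it never reaches the AD signing path and gets no authenticated response.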