[Samba] samba 4.5.0 on hpux ia64: Configuring time synchronization for samba AD DC

mathias dufresne infractory at gmail.com
Thu Dec 15 16:49:32 UTC 2016


2016-12-09 11:09 GMT+01:00 Arjit Gupta via samba <samba at lists.samba.org>:

> As mentioned in the link below:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I am trying to synchronize time for Kerberos with NTP. But the NTP (4.2.6)
> supported on hpux is not built with signed ntp support enabled
> (--enable-ntp-signd) for the time synchronization mechanism.
>
> What would be the impact if I don't configure time synchronization for
> Samba AD DC?
>

Not much: AD is based on Kerberos authentication and Kerberos
authentication relies on time: machines must be using the same time (5min of
decay max).
So all you risk is that authentication does not work.

Some grumpy people would say it is not good that authentication does work
for an authentication system. I could agree...

So just configure "ntpd" to keep your DC synchronized with the rest of the
world and make that ntpd accept requests from your AD clients. Then your
AD clients will be able to retrieve time from the DC and so they will use the
same time and no more issues. In addition all your machines should show the
right time if your DCs are synchronizing on real NTP somewhere.

And if your issue is because you can't make signed ntp requests, just make
unsigned ntp requests. Even a security guru should not say this information
(time) is too critical...


>
> Arjit Kumar
>
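
Added example (not part of the original thread and not Samba code): a Python check that reads the clock offset out of a plain, unsigned NTP reply such as a DC's ntpd would return, and compares it with the 5-minute limit discussed above. The names check_skew, make_reply and MAX_SKEW and the sample timestamps are constructed for illustration.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 300.0              # the 5-minute tolerance mentioned in the reply above

def _to_ntp(t):
    """Encode a Unix time as a 64-bit NTP timestamp (seconds, fraction)."""
    sec = int(t)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, int((t - sec) * 2**32))

def _from_ntp(buf, off):
    """Decode the 64-bit NTP timestamp at byte offset off into Unix time."""
    sec, frac = struct.unpack_from("!II", buf, off)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def make_reply(t1, t2, t3, leap=0, stratum=2):
    """Build a constructed, unsigned 48-byte server reply (sample data, not a capture).
    t1 = client transmit time, t2 = server receive time, t3 = server transmit time."""
    head = struct.pack("!BBbb", (leap << 6) | (4 << 3) | 4, stratum, 6, -20)
    # 12 zero bytes stand in for root delay, root dispersion and reference id.
    return head + bytes(12) + _to_ntp(t2) + _to_ntp(t1) + _to_ntp(t2) + _to_ntp(t3)

def check_skew(reply, t4):
    """Return (offset_seconds, within_tolerance, has_authenticator) for a server
    reply that arrived at local time t4."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0 or stratum >= 16:
        # The server itself has no valid time source, so its answer is useless.
        raise ValueError("server clock is unsynchronized")
    t1, t2, t3 = (_from_ntp(reply, o) for o in (24, 32, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2   # standard NTP clock-offset formula
    # Bytes after the 48-byte header would be an authenticator (signed reply).
    return offset, abs(offset) <= MAX_SKEW, len(reply) > 48

if __name__ == "__main__":
    t1 = 1481820000.0                      # constructed client clock reading
    for ahead in (2.0, 400.0):             # server 2 s and 400 s ahead of the client
        pkt = make_reply(t1, t1 + ahead + 0.01, t1 + ahead + 0.02)
        off, ok, signed = check_skew(pkt, t1 + 0.03)
        print(f"offset={off:+.3f}s within_5min={ok} signed={signed}")
```
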

