[Samba] chrony configuration for secondary samba DC

Rowland Penny rpenny at samba.org
Mon Jun 4 16:27:30 UTC 2018


On Mon, 4 Jun 2018 17:45:20 +0200
Miroslav Lichvar <mlichvar at redhat.com> wrote:

> On Mon, Jun 04, 2018 at 04:54:36PM +0200, Andreas Schneider wrote:
> > On Monday, 4 June 2018 14:52:34 CEST Rowland Penny wrote:
> > > In ntp.conf you set a line like this:
> > > 
> > > restrict default kod nomodify notrap nopeer mssntp
> > > 
> > > I cannot find anything that tells me what chrony replaces
> > > 'restrict' with. Is it needed? Is there something that replaces
> > > it, or can you safely ignore it?
> > > 
> > > Until all the questions are answered and all the kinks are ironed
> > > out, Samba shouldn't support chrony in the way it does ntp.
> > 
> > Miroslav, can you explain the missing details?
> 
> I think the important difference between ntpd and chrony wrt
> ntp_signd is that ntpd has a special restriction for MS-SNTP packets
> (the mssntp option). I think this is because it is generally not
> possible to limit all client access (e.g. servers can always request
> time from ntpd clients) and also to limit addresses that can block
> ntpd as the communication with ntp_signd is synchronous.
> 
> chronyd doesn't make a difference between non-MS-SNTP and MS-SNTP
> packets. There is no blocking due to ntp_signd.
> 
> So, when migrating from ntpd to chrony, all "restrict XXX mssntp"
> lines should have a corresponding "allow XXX" line in chrony.conf.
> 

That is sort of what I thought, but the docs aren't really that
clear ;-)

Rowland
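
The migration rule from the quoted reply ("restrict XXX mssntp" becomes "allow XXX"), as an added example that is not part of the original thread and not Samba or chrony tooling. The function name `restrict_to_allow` is hypothetical, and every sample line except the first (which is the one quoted in the thread) is constructed for illustration.

```python
import ipaddress

# Constructed ntp.conf sample; only the first restrict line comes from the thread.
SAMPLE = """\
restrict default kod nomodify notrap nopeer mssntp
restrict -6 default kod nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap mssntp
restrict 10.0.0.5 mssntp   # single DC client
restrict 2001:db8:1:: mask ffff:ffff:ffff:: mssntp
"""

def restrict_to_allow(ntp_conf):
    """Map each ntp.conf 'restrict ... mssntp' line to a chrony.conf 'allow' line."""
    out = []
    for raw in ntp_conf.splitlines():
        args = raw.split("#", 1)[0].split()
        if len(args) < 2 or args[0] != "restrict" or "mssntp" not in args:
            continue  # only mssntp restrictions need an allow counterpart
        args = args[1:]
        family = args.pop(0) if args[0] in ("-4", "-6") else None
        addr, mask = args.pop(0), None
        if args[:1] == ["mask"] and len(args) > 1:
            mask = args[1]
        if addr == "default":
            # Bare 'allow' covers IPv4 and IPv6; 0/0 and ::/0 cover one family each.
            out.append({"-4": "allow 0/0", "-6": "allow ::/0", None: "allow"}[family])
            continue
        try:
            ip = ipaddress.ip_address(addr)
            bits = ip.max_prefixlen
            if mask:
                m = int(ipaddress.ip_address(mask))
                bits = bin(m).count("1")  # netmask -> prefix length
            net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
            if mask and int(net.netmask) != m:
                raise ValueError("non-contiguous netmask")
        except ValueError:
            # Hostnames and odd masks are left for a human to translate.
            out.append(f"# review by hand: {raw.strip()}")
            continue
        single = bits == ip.max_prefixlen
        out.append(f"allow {ip}" if single else f"allow {net}")
    return out

if __name__ == "__main__":
    print("\n".join(restrict_to_allow(SAMPLE)))
```

Because chronyd does not distinguish MS-SNTP from other NTP packets, each generated `allow` line opens ordinary NTP service to that range as well, so a converted `restrict default` line is worth narrowing to the subnets that actually hold domain members.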


