[Samba] samba4.18.5 + debian 12 + ntpsec

Andrew Bartlett abartlet at samba.org
Wed Aug 9 19:20:21 UTC 2023

On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
> hello,
> The wiki configuration for ntp does not work with this
> configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it
> didn't work.
> I had to remove the "notrap" and "mssntp" options so that the Windows
> clients could synchronize with the DCs again.
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer limited mssntp
> What is the implication regarding security in removing these options?

I wrote the mssntp feature for ntp, and got it merged upstream.

mssntp provides a feature where the time responses are signed using the
computer account's password.  This allows the computer to trust the
Samba AD DC to provide secure time.  Without it the time server will
not be automatically trusted.

I spoke with the ntpsec project manager at a conference after their
launch, and they said that they removed it as they didn't know what it
was for.  The ntpsec project didn't reach out to me about it sadly, I
would have gladly explained it.

It is unfortunate, but I would note in their defence they were trimming
down a lot of portability and other historical features to meet their
new mission, and clearly Samba AD is not a core part of their mission,
as it seems neither have they restored it.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
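
Added example, not part of the original message and not code from Samba, ntp or ntpsec: a small audit that compares the wiki `restrict` line quoted in the thread with the edited one, reporting which flags were dropped and which entries lack `mssntp`, the flag that, per the reply above, gives clients time responses signed with the computer account's password. The function names and both sample configuration strings are constructed for illustration.

```python
# Constructed sample input: the wiki line quoted in the thread, and the same
# line after the poster removed "notrap" and "mssntp".
WIKI_CONF = """\
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer limited mssntp
"""
EDITED_CONF = "restrict default kod nomodify nopeer limited  # edited\n"


def parse_restrict(conf_text):
    """Return [(address, set_of_flags)] for every restrict line in ntp.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # optional address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        address, rest, flags, i = tokens[0], tokens[1:], set(), 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):  # "mask <netmask>" takes an argument
                address += "/" + rest[i + 1]
                i += 2
            else:
                flags.add(rest[i])
                i += 1
        entries.append((address, flags))
    return entries


def dropped_flags(before, after):
    """Map each restrict address to the flags present in `before` but not in `after`."""
    after_map = dict(parse_restrict(after))
    report = {}
    for address, flags in parse_restrict(before):
        missing = flags - after_map.get(address, set())
        if missing:
            report[address] = sorted(missing)
    return report


def entries_without_mssntp(conf_text):
    """Addresses whose restrict entry does not carry the mssntp flag."""
    return [addr for addr, flags in parse_restrict(conf_text) if "mssntp" not in flags]
```
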
