[Samba] Long Term Support Samba releases?

Rowland Penny rpenny at samba.org
Wed Aug 9 19:43:08 UTC 2023



On 09/08/2023 20:20, Andrew Bartlett via samba wrote:
> On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
>> hello,
>>
>> The wiki configuration for ntp does not work with this
>> configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it
>> didn't work.
>>
>> I had to remove the "notrap" and "mssntp" options so that the Windows
>> clients could synchronize with the DCs again.
>>
>> # Access control
>> # Default restriction: Allow clients only to query the time
>> restrict default kod nomodify notrap nopeer limited mssntp
>>
>> What is the implication regarding security in removing these options?
> 
> I wrote the mssntp feature for ntp, and got it merged upstream.
> 
> mssntp provides a feature where the time responses are signed using the
> computer account's password.  This allows the computer to trust the
> Samba AD DC to provide secure time.  Without it the time server will
> not be automatically trusted.
> 
> I spoke with the ntpsec project manager at a conference after their
> launch, and they said that they removed it as they didn't know what it
> was for.  The ntpsec project didn't reach out to me about it sadly, I
> would have gladly explained it.
> 
> It is unfortunate, but I would note in their defence they were trimming
> down a lot of portability and other historical features to meet their
> new mission, and clearly Samba AD is not a core part of their mission,
> as it seems neither have they restored it.
> 
> Andrew Bartlett
> 

Well, I can understand (to a certain extent) removing what could be dead 
code, but when they are told that they have made a mistake and don't 
seem to have made any attempt to fix the problem, then words fail me.

It might just be easier to get Debian to bring back NTP.

Rowland
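
An added example, not part of the thread or of Samba or ntp: a small audit that compares the `restrict default` line of an ntp.conf against the flag set quoted above and reports which flags (such as `notrap` or `mssntp`) are missing. The `ntpsigndsocket` directive is the reference ntpd setting for the signing socket and does not appear in this thread; the socket path and both sample configs are constructed. The check reads configuration only and cannot tell whether the installed daemon actually implements `mssntp`.

```python
# Added example: audit ntp.conf text against the restrict line quoted in the thread.
WIKI_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "limited", "mssntp"}

# Constructed samples. The socket path is a placeholder, not a value from the thread.
WIKI_SAMPLE = """\
ntpsigndsocket /path/to/ntp_signd/
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer limited mssntp
"""
EDITED_SAMPLE = """\
ntpsigndsocket /path/to/ntp_signd/
restrict default kod nomodify nopeer limited   # notrap and mssntp removed
"""

def audit_ntp_conf(text):
    """Return findings for every 'restrict default' line in ntp.conf text."""
    defaults = []          # (address family label, set of flags)
    has_signd_socket = False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "ntpsigndsocket" and len(tokens) > 1:
            has_signd_socket = True
        elif tokens[0] == "restrict":
            family = next((t for t in tokens[1:] if t in ("-4", "-6")), "any")
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                defaults.append((family, set(args[1:])))
    if not defaults:
        return ["no 'restrict default' line found"]
    findings = []
    for family, flags in defaults:
        # Flags present in the quoted wiki line but absent here
        for flag in sorted(WIKI_FLAGS - flags):
            findings.append(f"restrict default ({family}) lacks '{flag}'")
        # mssntp needs somewhere to send packets for signing
        if "mssntp" in flags and not has_signd_socket:
            findings.append(f"restrict default ({family}) sets mssntp "
                            "but no ntpsigndsocket directive is present")
    return findings

if __name__ == "__main__":
    for name, sample in (("wiki", WIKI_SAMPLE), ("edited", EDITED_SAMPLE)):
        print(name, audit_ntp_conf(sample) or "matches the quoted line")
```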


