[Samba] samba4.18.5 + debian 12 + ntpsec

Elias Pereira empbilly at gmail.com
Wed Aug 9 22:42:11 UTC 2023


Andrew,

I'm not sure if you saw the issue opened on the project's GitLab. They need
something to test.
https://gitlab.com/NTPsec/ntpsec/-/issues/785

On Wed, Aug 9, 2023 at 4:20 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
> > hello,
> >
> > The wiki configuration for ntp does not work with this
> > configuration samba4.18.5 + debian 12 + ntpsec. At least for me, it
> > didn't work.
> >
> > I had to remove the "notrap" and "mssntp" options so that the Windows
> > clients could synchronize with the DCs again.
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer limited mssntp
> >
> > What is the implication regarding security in removing these options?
>
> I wrote the mssntp feature for ntp, and got it merged upstream.
>
> mssntp provides a feature where the time responses are signed using the
> computer account's password.  This allows the computer to trust the
> Samba AD DC to provide secure time.  Without it the time server will
> not be automatically trusted.
>
> I spoke with the ntpsec project manager at a conference after their
> launch, and they said that they removed it as they didn't know what it
> was for.  The ntpsec project didn't reach out to me about it sadly, I
> would have gladly explained it.
>
> It is unfortunate, but I would note in their defence they were trimming
> down a lot of portability and other historical features to meet their
> new mission, and clearly Samba AD is not a core part of their mission,
> as it seems neither have they restored it.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net <https://catalyst.net.nz/services/samba> Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
>

-- 
Elias Pereira
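
An added example, not part of the original thread or of the Samba or ntpsec projects: a small audit that reads an ntp.conf and reports which flags from the `restrict default` line quoted above are missing, so a DC that has silently lost `mssntp` (and with it signed time responses) can be spotted. The function names and both sample configurations are constructed for illustration.

```python
# Flags on the "restrict default" line quoted in the thread (Samba wiki config).
WIKI_FLAGS = ["kod", "nomodify", "notrap", "nopeer", "limited", "mssntp"]

def parse_restrict(conf_text):
    """Return {address: set(flags)} for each restrict line of an ntp.conf text."""
    rules = {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(words) < 2 or words[0] != "restrict":
            continue
        args = words[1:]
        family = ""
        if args[0] in ("-4", "-6"):               # optional address-family prefix
            family, args = args[0] + " ", args[1:]
        if not args:
            continue
        address, flags = family + args[0], args[1:]
        if flags[:1] == ["mask"] and len(flags) >= 2:
            address += " mask " + flags[1]        # the mask belongs to the address
            flags = flags[2:]
        rules[address] = set(flags)
    return rules

def missing_default_flags(conf_text):
    """For every default restriction, list the wiki flags that are absent."""
    return {
        addr: [f for f in WIKI_FLAGS if f not in flags]
        for addr, flags in parse_restrict(conf_text).items()
        if "default" in addr.split()
    }

# Constructed sample: the wiki line as quoted in the thread.
WIKI_CONF = """# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer limited mssntp
"""

# Constructed sample: the same line with the two options the poster removed.
MODIFIED_CONF = "restrict default kod nomodify nopeer limited  # workaround\n"

if __name__ == "__main__":
    for name, conf in (("wiki", WIKI_CONF), ("modified", MODIFIED_CONF)):
        for addr, missing in missing_default_flags(conf).items():
            # Per the thread: without mssntp, responses are not signed with the
            # computer account's password, so clients will not auto-trust them.
            print(name, addr, "missing:", ", ".join(missing) or "none")
```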

