[Samba] DC Time Problems

Hal Murray halmurray+samba at sonic.net
Thu Oct 26 00:37:51 UTC 2023

Rowland said:
> If, ntpsec is now working again with Samba AD, then great, but it doesn't
> seem to have percolated down to Debian. 

We'd like to verify that the fix works before we do a release.  (None of the 
NTPsec developers know anything about Samba and many of us know little about 

Is anybody willing to help?
If so, please contact me so we can work out the details.

We need somebody running samba and Windows clients that are setup to use 
MS-SNTP authentication.

Ideally, you could work from our git head, but I can build binaries for most 

> Whilst (it would seem) there was never a Linux ntp_signd client, ...

In order to do a Linux client, the client needs to get the key-id to put in 
the request, and the key to verify that the response was correctly signed.  

Are the key-id and key already stored on the client?  If so, it should be easy 
to write a script to put the key into a keys-file and add a line to ntp.conf.  
(We would need a few lines of code in ntpd to zero the MAC slot rather than 
authenticate the packet.)

Can you use NTS?  For that, the ntpd server needs a certificate and private 
key which you can get via Let's Encrypt and certbot if you don't have a better 
way.  Then normal Linux ntpd on the client just needs:
  server <server-name-here> nts

These are my opinions.  I hate spam.

More information about the samba mailing list