[Samba] The care and feeding of the signing socket; also NTPsec

Rowland Penny rpenny at samba.org
Thu Sep 19 14:23:53 UTC 2024


On Thu, 19 Sep 2024 06:44:13 -0700 (PDT)
James Browning via samba <samba at lists.samba.org> wrote:

> TLDW: I have a Samba install, and I can use help getting the signing
> socket to return a signature with either Chrony or NTPsec; I would
> appreciate some guidance on what I am doing incorrectly. I partially
> followed the instructions at [1]; after checking and revising, I saw
> that adding a line to start signd appeared to have broken everything
> else. I have attached a list of most of the steps I have taken.
> After I get my web host back up tomorrow it will be mirrored at
> https://dell-2018.jamesb192.com/j/
>
> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/

First (I have to point this out, Fedora doesn't), the default Samba
packages to create an AD domain on Fedora use the MIT KDC; this is
still classed as experimental, so they shouldn't be used in production.

You seem to have created an AD domain, but then went on to use tools to
create users, groups and computers from an NT4-style domain. Why did you
not use samba-tool as shown on the Fedora page you linked to?

Unless NTPsec has fixed its NTP server (and I haven't heard if they
have), it doesn't work with a Samba DC, so I would suggest only using
Chrony.

Now we come to the 'biggy'. Do you know that by having this line in your
smb.conf:

server services = ntp_signd

you have turned everything else off?

I would remove it and restart Samba.

I would also remove the spurious machines you have added to
/etc/passwd; that is not where they live, nor how you join them.

Rowland
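
The override described in the reply above can be checked mechanically. The following is an added example, not part of Rowland's message or of Samba itself: a small smb.conf check that reports which default services a `server services` line switches off. It assumes the default list and the `+`/`-` prefix syntax documented in smb.conf(5); the `DEFAULTS` list, the sample configuration and the function names are constructed for illustration.

```python
import re

# Default list from smb.conf(5) in recent Samba 4.x (assumption: confirm
# against your build with `testparm -v`).
DEFAULTS = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
            "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

# Constructed sample; only the "server services" line comes from the thread.
SAMPLE = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    server services = ntp_signd
"""

def norm(name):
    # Samba ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def effective_services(conf_text):
    """Return (services, overridden) after applying [global] 'server services'."""
    services, overridden, section = list(DEFAULTS), False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        key, sep, value = line.partition("=")
        if section != "global" or not sep or norm(key) != "serverservices":
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        prefixed = [t[0] in "+-" for t in tokens]
        if tokens and not any(prefixed):      # bare names replace the defaults
            services, overridden = tokens, True
        elif not all(prefixed):               # simplification: reject mixed lists
            raise ValueError("mixed bare and +/- entries: " + value.strip())
        for t in (t for t in tokens if t[0] in "+-"):
            if t[0] == "-":
                services = [s for s in services if s != t[1:]]
            elif t[1:] not in services:
                services.append(t[1:])
    return services, overridden

def missing_defaults(conf_text):
    # Default services that this configuration no longer starts.
    services, _ = effective_services(conf_text)
    return [s for s in DEFAULTS if s not in services]
```

Calling `missing_defaults(SAMPLE)` lists every default service except `ntp_signd`, which is the "everything else off" state; with the line removed, or written as `+ntp_signd`, the list is empty.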


