[Samba] The care and feeding of the signing socket; also NTPsec

samba samba at txschroeder.family
Thu Sep 19 22:29:49 UTC 2024


On 9/19/24 09:23, Rowland Penny via samba wrote:
> On Thu, 19 Sep 2024 06:44:13 -0700 (PDT)
> James Browning via samba <samba at lists.samba.org> wrote:
>
>> TLDW: I have a Samba install, and I can use help getting the signing
>> socket to return a signature with either Chrony or NTPsec; I would
>> appreciate some guidance on what I am doing incorrectly. I partially
>> followed the instructions at [1]; after checking and revising, I saw
>> that adding a line to start signd appeared to have broken everything
>> else. I have attached a list of most of the steps I have taken.
>> After I get my web host back up tomorrow it will be mirrored at
>> https://dell-2018.jamesb192.com/j/
>>
>> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/
> First (I have to point this out, Fedora doesn't), the default Samba
> packages to create an AD domain on Fedora use the MIT KDC, this is
> still classed as experimental, so they shouldn't be used in production.
>
> You seem to have created an AD domain, but then went on to use tools to
> create users, groups and computers from an NT4-style domain, why did you
> not use samba-tool as shown on the Fedora page you linked to?
>
> Unless ntpsec has fixed its NTP server (and I haven't heard if they
> have), it doesn't work with a Samba DC, so I would suggest only using
> Chrony.
As of 03/10/24, ntpsec (version 1.2.3+dfsg1-1) is fixed in Debian 
Trixie; I can't speak for Fedora.

https://metadata.ftp-master.debian.org/changelogs//main/n/ntpsec/ntpsec_1.2.3+dfsg1-3_changelog

Dale

>
> Now we come to the 'biggy', do you know by having this line in your
> smb.conf:
>
> server services = ntp_signd
>
> You have turned everything else off?
>
> I would remove it and restart Samba.
>
> I would also remove the spurious machines you have added to
> /etc/passwd, that is not where they live and how you join them.
>
> Rowland
>
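
A check for the `server services` override Rowland describes, as an added example that is not part of the original thread: per smb.conf(5), unprefixed entries replace the built-in service list, while entries prefixed with `+` or `-` adjust it. The function name and the three sample configs are constructed for illustration.

```python
import re

def server_services_mode(conf_text):
    """Classify 'server services' in [global]; returns (mode, entries).

    mode is None if unset, 'override' if plain names replace the built-in
    list, 'modify' if every entry is +/- prefixed, 'mixed' if both appear.
    """
    section, value = None, None
    text = re.sub(r"\\\n\s*", "", conf_text)  # join backslash continuations
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        # smb.conf parameter names ignore case and embedded whitespace
        if re.sub(r"\s+", "", key).lower() == "serverservices":
            value = val  # keep the last occurrence
    if value is None:
        return None, []
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    prefixed = [e[0] in "+-" for e in entries]
    if not any(prefixed):
        return "override", entries  # only these services will be started
    return ("modify" if all(prefixed) else "mixed"), entries

# Constructed samples: the line quoted in the thread, the same file with the
# line removed (the fix suggested in the thread), and a +/- prefixed form.
BROKEN = "[global]\n    workgroup = EXAMPLE\n    server services = ntp_signd\n"
REMOVED = "[global]\n    workgroup = EXAMPLE\n"
ADJUSTED = "[global]\n    workgroup = EXAMPLE\n    Server Services = -dns\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("removed", REMOVED), ("adjusted", ADJUSTED)):
        print(name, server_services_mode(conf))
```

An `override` result on a DC means every service not listed has been switched off; `mixed` is reported only so the line gets a manual look.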



