[Samba] Time sync issue

James Browning jamesb192 at jamesb192.com
Tue Feb 18 10:48:56 UTC 2025


> On 02/18/2025 1:06 AM PST Virgo Pärna via samba <samba at lists.samba.org> wrote:
> 
>  
> When chasing possible issues with Windows 11 being unable to log in, I 
> initially noticed that on the primary DC ntpdate -q dc.domain did not 
> respond. And I did fix it (but incorrectly).
> Yesterday I noticed that none of the Windows computers have actually 
> synced time since a few days after the Samba upgrade.
> I did have a backup Samba DC also, running in a container. There I 
> upgraded Samba at the same time. And computers were actually syncing to 
> that backup DC.
> The primary DC was using the ntpsec time server. The backup DC was using chrony.
> I now noticed that ntpsec complained at startup that the restrict line in 
> the configuration file that specified mssntp was invalid.
> After correcting that line, that server stopped responding even to ntpdate 
> -q requests. There were no errors or warnings in the ntpsec log. And ntpsec 
> had permission for /var/lib/samba/ntp_signd/.
> 
> So I replaced it with chrony, changed /var/lib/samba/ntp_signd/ 
> permissions to allow chrony and configured chrony with
> ntpsigndsocket /var/lib/samba/ntp_signd/
> Basically the same configuration that used to work in the BDC container.
> 
> After restarting chrony, chrony would respond to ntpdate -q requests, which 
> was an advancement compared to ntpsec. But Windows computers would still 
> not sync. Using Wireshark I could see that when running
> w32tm /resync
> there were packets going to the time server but no response. Requests had 
> a Key ID and a 68-byte Message Authentication Code (with one byte set to 01, 
> according to Wireshark).
> w32tm /monitor would send requests not from port 123 and without a Key ID 
> and Message Authentication Code. And that would receive a response.
> 
> After changing in the Windows registry under 
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient
> the value of SignatureAuthAllowed from 1 to 0 and restarting the w32time service, 
> w32tm /resync would work and there would be responses and time would 
> sync. And Wireshark shows that requests are sent with the same Key ID 
> value, but the Message Authentication Code is instead 16 bytes, all zeros. 
> And it does receive responses.
> 
> lsof | grep /var/lib/samba/ntp_
> shows that ntp_signd has /var/lib/samba/ntp_signd/socket open in LISTEN 
> and CONNECTED mode.
> 
> 
> 
> PS: That did not fix any login issue. And it would have been strange if it had, 
> because the clock was at most a few seconds out of sync. So Kerberos should not 
> have had any issues.

TLDR: A lot of versions of NTPsec break completely when asked to
also serve MS-SNTP. The ability to serve MS-SNTP in most versions of
NTPsec is not attached either. Lying crap weasels who do not look at
the code will cite hearsay that it was removed completely from
NTPsec. The Samba wiki has a page 'time synchronization' something
something that goes into different details. Time for Y'all to crap
on NTPsec again. You should just use chrony without the crapping
upon NTPsec.

Bitter, Me, heck yes.

-30-
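Added example, not code from the thread or from Samba, chrony or NTPsec: a small Python inspector that classifies captured NTP packets the way the quoted troubleshooting does (no authenticator, a Key ID with an all-zero MAC, or a Key ID with a signed MAC) and checks whether a reply echoes the request's Key ID. The sample packets, the RID 1105 and the big-endian reading of the Key ID field are constructed or assumed, not taken from the thread.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NTP_HEADER_LEN = 48   # fixed NTPv3/v4 header; anything after it is the authenticator
KEY_ID_LEN = 4        # authenticator = 4-byte key ID followed by the MAC

@dataclass
class NtpAuthInfo:
    version: int
    mode: int                 # 3 = client request, 4 = server response
    key_id: Optional[int]     # None when the packet carries no authenticator
    mac_len: int
    kind: str                 # "none", "zero-mac" or "signed"

def classify(packet: bytes) -> NtpAuthInfo:
    """Describe the authenticator (if any) trailing a captured NTP packet."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    version = (packet[0] >> 3) & 0x7
    mode = packet[0] & 0x7
    trailer = packet[NTP_HEADER_LEN:]
    if not trailer:
        return NtpAuthInfo(version, mode, None, 0, "none")   # e.g. w32tm /monitor
    if len(trailer) <= KEY_ID_LEN:
        raise ValueError("authenticator has a key ID but no MAC")
    # Key ID read as a big-endian uint32 (RFC 5905 field order); how MS-SNTP
    # encodes the machine-account RID inside it is not checked here (assumption).
    key_id = struct.unpack("!I", trailer[:KEY_ID_LEN])[0]
    mac = trailer[KEY_ID_LEN:]
    kind = "zero-mac" if not any(mac) else "signed"    # all-zero MAC vs. real signature
    return NtpAuthInfo(version, mode, key_id, len(mac), kind)

def response_matches(request: bytes, response: bytes) -> bool:
    """A signed request should get a mode-4 reply echoing the same key ID."""
    req, resp = classify(request), classify(response)
    return resp.mode == 4 and req.key_id is not None and req.key_id == resp.key_id

def build_packet(mode: int, key_id: Optional[int] = None, mac: bytes = b"") -> bytes:
    """Constructed sample packet: NTPv4 header with only LI/VN/mode set."""
    header = bytes([(4 << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)
    return header if key_id is None else header + struct.pack("!I", key_id) + mac

if __name__ == "__main__":
    rid = 1105   # constructed machine-account RID, not from the thread
    for name, pkt in [("resync, SignatureAuthAllowed=1", build_packet(3, rid, b"\x01" + bytes(67))),
                      ("resync, SignatureAuthAllowed=0", build_packet(3, rid, bytes(16))),
                      ("monitor", build_packet(3))]:
        print(name, classify(pkt))
```

Feed it the UDP payloads from a Wireshark capture to see at a glance which w32tm requests carry a real signature and which replies, if any, match them.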