[Samba] Time sync issue

Peter Milesson miles at atmos.eu
Wed Feb 19 16:51:59 UTC 2025



On 19.02.2025 16:50, miguel medalha via samba wrote:
>> And feedback from Chrony list was, that it seems, that Windows was
>> using "extended MS-SNTP authenticator", that they think is not supported
>> by samba... After registry change it used classic MS-SNTP authenticator
>> requests.
> I confirm that your tip does work and effectively solves the issue of secure NTP.
>
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed
>
> Change from 1 to 0.
>
> After distributing this registry setting via GPO, the Windows clients are synchronizing correctly.
>
> Thank you!
>
>
>
Hi folks,

I can confirm this works with Chrony. Windows domain members now sync 
with the DCs.

But, what's the difference between setting the Windows domain members to 
sync with AD DCs as DOMHIER, compared to defining time sync with the 
Samba AD DCs as MANUALPEERLIST? In practice probably no difference at 
all. The signing is gone for sure, which should be the holy grail here. 
Syncing directly with the AD infrastructure is probably more secure 
anyway. Introducing a rogue AD DC is probably a much more complex task 
than introducing rogue NTP servers. And the GPO is simpler than what has 
been posted as a remedy previously.

Let's hope this gets solved once and for all in the near future. After 
recurring posts for the last 10 years about time sync problems on 
Windows clients, I started giving up hope.

Thanks for the information, really appreciated.

Peter
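The registry change the thread settles on, as an added example that is not part of the original posts: it reads the current `SignatureAuthAllowed` value on one domain-joined Windows client, applies the same 1-to-0 change the GPO distributes, and then verifies the result with `w32tm`. The registry path and value name are the ones quoted above; the assumption is an elevated PowerShell session on a test client (the "1 = extended, 0 = classic" reading of the value is what the thread reports, not something documented here).

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session
# on a domain-joined Windows client. Path and value name are as quoted above.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'
$name = 'SignatureAuthAllowed'

# Read the current value; a missing value returns $null.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current $name = $current  (per the thread: 1 = extended authenticator, 0 = classic MS-SNTP)"

if ($current -ne 0) {
    # Same change as the GPO in the thread, applied locally to this one client.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    # w32time only reads this on start, so restart it.
    Restart-Service w32time
}

# Force a resync and show what the client actually ended up using.
w32tm /resync /nowait
w32tm /query /source
w32tm /query /status

# The NtpClient section of this output shows whether the client is in domain
# hierarchy mode (Type: NT5DS, the DOMHIER case) or using a manual peer list
# (Type: NTP), which is the distinction asked about above.
w32tm /query /configuration
```

Run this on a single client before pushing the GPO: `w32tm /query /status` should report a Samba DC as the source and a stratum one above it, and the Windows Event Log (Time-Service channel) stops logging the authentication failures that prompted the thread.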