[Samba] Time synchronization problem. Chrony, ntp
Peter Milesson
miles at atmos.eu
Sun Jan 19 09:55:57 UTC 2025
Hi folks,
In this discussion, I think the elephant in the room has not been
properly mentioned yet. That is NTP security for Windows clients in
Samba AD domains.
With the procedures proposed in this discussion, you get a working time
sync for Windows clients, but with no security whatsoever. What does not
work here (or intermittently works), is secure time sync of Windows
clients to a Samba DC with chrony, using signing. This is what a Windows
client expects, when getting its time from an AD DC (w32tm /config
/syncfromflags:DOMHIER). If the time sync response is erroneous, the
client reverts to using the local clock, which may, or may not, have
substantial drift. Over time, there will be more and more cases where
services get denied. Without security, you could probably introduce a
rogue NTP server that effectively renders the whole domain inoperable
for Windows clients, if working, secure NTP services are not supplied by
the DCs.
I am not in the position to put the blame on anybody, but it is obvious
that the failing components here are either Samba or chrony, or a
combination of both. With respect to constantly raised threat levels,
and (occasional) remedies, I feel it is finally time to address this
problem comprehensibly. This discussion has been popping up occasionally
during at least the last 10 years, and it really would be nice to
get it resolved once and for all.
FYI, this is a link to the latest documentation about Windows time sync
from Microsoft:
https://winprotocoldocs-bhdugrdyduf5h2e4.b02.azurefd.net/MS-SNTP/%5bMS-SNTP%5d.pdf
Intentionally I have not mentioned ntpsec, as it did not work almost a
year ago, and no updates have been published since (Debian).
Best regards,
Peter
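As an added illustration (not part of the post above), this is a check for the signed reply a Windows client expects from a DC: per the linked MS-SNTP spec and Samba's ntp_signd, the reply is the 48-byte NTP header followed by a 4-byte Key Identifier and an MD5 over the machine account's 16-byte NT hash concatenated with that header. The NT hash, RID and header bytes here are constructed placeholders, and the Key Identifier is treated as opaque bytes (its byte order is not checked); the newer extended-authenticator variant is not covered.

```python
import hashlib
import hmac
import struct

# Wire layout of the classic MS-SNTP authenticator (assumption from the
# spec, not from the post): 48-byte NTP header, 4-byte Key Identifier,
# 16-byte MD5 checksum, 68 bytes in total.
NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
CHECKSUM_LEN = 16
SIGNED_LEN = NTP_HEADER_LEN + KEY_ID_LEN + CHECKSUM_LEN


def ms_sntp_checksum(nt_hash: bytes, ntp_header: bytes) -> bytes:
    """MD5 over the 16-byte NT hash followed by the 48-byte NTP header."""
    if len(nt_hash) != 16 or len(ntp_header) != NTP_HEADER_LEN:
        raise ValueError("need a 16-byte NT hash and a 48-byte NTP header")
    return hashlib.md5(nt_hash + ntp_header).digest()


def sign_response(nt_hash: bytes, ntp_header: bytes, key_id: bytes) -> bytes:
    """Assemble the signed reply a DC (Samba's ntp_signd via chrony) returns."""
    if len(key_id) != KEY_ID_LEN:
        raise ValueError("Key Identifier must be 4 bytes")
    return ntp_header + key_id + ms_sntp_checksum(nt_hash, ntp_header)


def verify_response(nt_hash: bytes, packet: bytes) -> bool:
    """True only if the reply carries a valid authenticator for this account.

    An unsigned 48-byte reply, a truncated one, or a tampered header all
    return False; that is the situation in which a Windows client discards
    the response and falls back to its local clock.
    """
    if len(packet) != SIGNED_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    checksum = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    expected = ms_sntp_checksum(nt_hash, header)
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(checksum, expected)


# Constructed sample values (placeholders, not real domain data).
SAMPLE_NT_HASH = bytes(range(16))
SAMPLE_KEY_ID = struct.pack("<I", 1105)  # a made-up machine-account RID
# LI=0, VN=4, mode=4 (server), stratum 2, poll 6, precision -20, rest zeroed.
SAMPLE_HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)

if __name__ == "__main__":
    reply = sign_response(SAMPLE_NT_HASH, SAMPLE_HEADER, SAMPLE_KEY_ID)
    print("signed reply valid:", verify_response(SAMPLE_NT_HASH, reply))
    print("plain reply valid:", verify_response(SAMPLE_NT_HASH, SAMPLE_HEADER))
```

Run against a captured 68-byte reply and the account's NT hash, this distinguishes a DC that signs from one that only answers plain NTP.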