[Samba] Time synchronization problem. Chrony, ntp

Peter Milesson miles at atmos.eu
Sun Jan 19 09:55:57 UTC 2025


Hi folks,

In this discussion, I think the elephant in the room has not been 
properly mentioned yet. That is NTP security for Windows clients in 
Samba AD domains.

With the procedures proposed in this discussion, you get a working time 
sync for Windows clients, but with no security whatsoever. What does not 
work here (or intermittently works), is secure time sync of Windows 
clients to a Samba DC with chrony, using signing. This is what a Windows 
client expects, when getting its time from an AD DC (w32tm /config 
/syncfromflags:DOMHIER). If the time sync response is erroneous, the 
client reverts to using the local clock, which may, or may not, have 
substantial drift. Over time, there will be more and more cases where 
services get denied. Without security, you could probably introduce a 
rogue NTP server that effectively renders the whole domain inoperable 
for Windows clients, if working, secure NTP services are not supplied by 
the DCs.

I am not in the position to put the blame on anybody, but it is obvious 
that the failing components here are either Samba or chrony, or a 
combination of both. With respect to constantly raised threat levels, 
and (occasional) remedies, I feel it is finally time to address this 
problem comprehensibly. This discussion has been popping up occasionally 
during at least the last 10 years, and it really would be nice to 
get it resolved once and for all.

FYI, this is a link to the latest documentation about Windows time sync 
from Microsoft: 
https://winprotocoldocs-bhdugrdyduf5h2e4.b02.azurefd.net/MS-SNTP/%5bMS-SNTP%5d.pdf

Intentionally I have not mentioned ntpsec, as it did not work almost a 
year ago, and no updates have been published since (Debian).

Best regards,

Peter
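Editor's note, added example (not part of the post above, nor code from the Samba or chrony projects): the signed-reply path the post describes only works when chrony on the DC is pointed at the socket Samba's NTP signing service exports. The script below checks the two configuration files for that agreement before a Windows client is pointed at the DC with DOMHIER. It relies on chrony's real `ntpsigndsocket` directive and Samba's real `ntp signd socket directory` parameter; the fallback default path `/var/lib/samba/ntp_signd`, the file paths, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify that a Samba AD DC's chrony configuration can sign
# NTP replies for Windows domain members (MS-SNTP authenticated mode).
# Assumptions: chrony's "ntpsigndsocket" directive names the directory that
# holds Samba's signd socket, and Samba's "ntp signd socket directory"
# defaults to /var/lib/samba/ntp_signd when smb.conf does not set it
# (the default path varies by build and is an assumption here).

# Print the signd socket directory chrony was told to use ("" if absent).
chrony_signd_dir() {
    # $1 = path to chrony.conf
    awk '$1 == "ntpsigndsocket" { print $2; found = 1 }
         END { if (!found) print "" }' "$1"
}

# Print the directory Samba exports its signd socket in (default if unset).
samba_signd_dir() {
    # $1 = path to smb.conf
    awk -F= 'tolower($1) ~ /^[ \t]*ntp signd socket directory[ \t]*$/ {
                 gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; found = 1 }
             END { if (!found) print "/var/lib/samba/ntp_signd" }' "$1"
}

# Report whether chrony and Samba agree on the signing socket.
# Exit status: 0 = consistent, 1 = chrony does not sign at all,
# 2 = both sides configured but pointing at different directories.
check_signing() {
    chrony_conf=$1
    smb_conf=$2
    c=$(chrony_signd_dir "$chrony_conf")
    s=$(samba_signd_dir "$smb_conf")
    if [ -z "$c" ]; then
        echo "MISSING: no ntpsigndsocket in $chrony_conf;" \
             "DOMHIER clients will get unsigned replies and fall back to their local clock"
        return 1
    fi
    if [ "$c" != "$s" ]; then
        echo "MISMATCH: chrony signs via $c but Samba exports $s"
        return 2
    fi
    echo "OK: chrony and Samba agree on signd socket directory $c"
    return 0
}

# Usage: ./check_ntp_signing.sh /etc/chrony/chrony.conf /etc/samba/smb.conf
if [ $# -eq 2 ]; then
    check_signing "$1" "$2"
fi
```

A consistent pair of files is necessary but not sufficient: the directory must also be readable by the user chrony runs as, and chrony still needs an `allow` directive covering the client subnets, otherwise the clients see the same symptom the post describes (reply rejected, fallback to the local clock).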