[Samba] Time synchronization problem. Chrony, ntp
miguel medalha
medalist at sapo.pt
Mon Jan 20 14:01:19 UTC 2025
> If you don't want to be dependent on the maintainer and get it quickly,
> you can check out the Debian source of ntpsec, take the version from
> Trixie, replace (some of) the dependencies with those of Bookworm and
> build the package.
> Debian's ntpsec versions: https://salsa.debian.org/debian/ntpsec/-/tags
I thought that this is relevant to the matter at hand:
https://serverfault.com/questions/1066117/ntp-server-is-setup-for-ntp-keys-how-can-we-configure-windows-server-to-communi
Q: NTP Server is setup for ntp keys. How can we configure windows server to
communicate to our time server using the keys?
A: w32time is not compatible with ntpd's symmetric key implementation.
Meinberg cites Microsoft MS-SNTP spec in which packets are either using MS
netlogon based auth extension, or unauthenticated. ntpd gained experimental
mssntp support, but no guarantee it will be available on your NTP server.
The goal of NTP auth is to reduce the risk of an impostor NTP server serving
the wrong time. When this is difficult to implement, use alternative
controls at the network level.
Assuming you wish to continue running your NTP servers on not-Windows,
remove the keys and use unauthenticated. Domain controllers use it as an
"internet" source. Protect the NTP server by restricting access to it. Use a
private network for transport. Limit queries to allowed subnets with
firewalls and possibly ntpd's restrict keyword.
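
The last suggestion above, limiting who may reach the NTP server with ntpd's restrict keyword, can be checked offline. The following is an added example, not part of the original post or the quoted Server Fault answer: a small Python audit that applies ntpd's most-specific-match rule to restrict lines. The ntp.conf fragment, the subnet and the function names are constructed for illustration; only IPv4 masks are handled, and `restrict source` and the `-4`/`-6` qualifiers are not.

```python
import ipaddress

# Constructed ntp.conf fragment (not from the thread): no keys, deny by
# default, time-only service for one subnet, full access from localhost.
SAMPLE_CONF = """\
# symmetric keys removed: w32time cannot use them
restrict default ignore
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every 'restrict' line in conf."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":  # applies to both address families
            nets = [ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("::/0")]
        else:
            if rest[:1] == ["mask"]:
                addr, rest = f"{addr}/{rest[1]}", rest[2:]
            nets = [ipaddress.ip_network(addr, strict=False)]
        rules += [(net, frozenset(rest)) for net in nets]
    return rules

def effective_flags(rules, client):
    """Flags of the most specific matching entry, not the first one listed."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, flags) for net, flags in rules
            if net.version == ip.version and ip in net]
    # With no matching entry ntpd falls back to a default with no flags,
    # which means unrestricted access.
    return max(hits, key=lambda h: h[0])[1] if hits else frozenset()

def access(rules, client):
    """Summarise what the restrict flags allow for one client address."""
    flags = effective_flags(rules, client)
    return {
        "time": not flags & {"ignore", "noserve"},
        "query": not flags & {"ignore", "noquery"},
        "modify": not flags & {"ignore", "noquery", "nomodify"},
    }
```

Run `access(parse_restrict(open("/etc/ntp.conf").read()), "<client address>")` for a domain controller and for an address outside the allowed subnets to confirm the two are treated differently.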