[Samba] The failure of that guy from NTPsec getting an RID / Key Identifier

James Browning jamesb192 at jamesb192.com
Tue Jan 21 13:59:59 UTC 2025


I want to exchange information on how to get my MS-SNTP client working. 
Additionally, I am seeking guidance on how to program retrieving a valid 'Key 
Identifier'; that should be enough to get my MS-SNTP client working. Once 
accomplished, I can adequately test the ntp_signd code in NTPsec.

Microsoft may have deprecated the implementation previously supported by Samba 
and third-party time servers. This change would be frustrating because it 
would require developers, including myself, to integrate support for the new 
76-byte authenticator. I thank Peter Milesson for locating the relevant 
document[1] containing this information (sections 2.2.3 & 2.2.4, pages 15-16).

I am attempting to prompt Samba to sign a response using a random RID(?) of 
3,735,928,559. Despite my efforts, it has not been successful and always 
returns a signing error. The client sends a UDP datagram with the listed 
payload to my NTPsec server; however, the time server fails to persuade Samba 
to sign the response.

Here is an information dump from the client.
----
ntpdig: querying ::1 (localhost)
ntpdig: Sent to ::1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 eb 39 3c 2f 2f f6 e0 00 .........9<//...
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00                                     ....
ntpdig: querying 127.0.0.1 (localhost)
ntpdig: Sent to 127.0.0.1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 eb 39 3c 34 31 5d 48 00 .........9<41]H.
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00                                     ....
ntpdig: no eligible servers
----

Here are some NTPsec log lines (wrapped).
----
2025-01-20T13:18:39 ntpd[102986]: SIGND: bad Samba repy op want 3, got 4.
2025-01-20T13:18:44 ntpd[102986]: SIGND: bad Samba repy op want 3, got 4.
----

[1]  https://winprotocoldocs-bhdugrdyduf5h2e4.b02.azurefd.net/MS-SNTP/%5BMS-SNTP%5D.pdf

Attached is a packet capture from:
	`tcpdump -i lo "udp port 123" -w mssntp.pcap`

-30-
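
Added example, not part of the original post and not NTPsec or Samba code: a decoder for the 68-byte request in the first hexdump above, splitting the 48-byte NTP header from the 20-byte trailer. It assumes the Key Identifier is read in network byte order (as the post's value 3,735,928,559 implies) and that its top bit is a key selector with the RID in the low 31 bits; the function and field names are hypothetical.

```python
import struct

# Sample input: the 68 bytes shown in the post's first hexdump (sent to ::1).
SAMPLE_HEX = """
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 eb 39 3c 2f 2f f6 e0 00
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
"""
SAMPLE_PACKET = bytes.fromhex("".join(SAMPLE_HEX.split()))

NTP_HEADER_LEN = 48          # fixed NTP header
AUTH_LEN = 20                # 4-byte Key Identifier + 16-byte checksum
NTP_UNIX_DELTA = 2208988800  # seconds between the 1900 and 1970 epochs


def parse_request(packet: bytes) -> dict:
    """Decode an NTP client request with an optional 20-byte trailer."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError(f"short packet: {len(packet)} bytes")
    first = packet[0]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    out = {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "transmit_unix": tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32,
        "authenticator": None,
    }
    trailer = packet[NTP_HEADER_LEN:]
    if len(trailer) == AUTH_LEN:
        # Assumption: big-endian field, top bit = key selector, low 31 = RID.
        (key_id,) = struct.unpack("!I", trailer[:4])
        out["authenticator"] = {
            "key_id": key_id,
            "key_selector": key_id >> 31,
            "rid": key_id & 0x7FFFFFFF,
            "checksum_is_zero": trailer[4:] == bytes(16),
        }
    elif trailer:
        # Other trailer sizes (e.g. the newer authenticator) are not decoded.
        raise ValueError(f"unhandled trailer length: {len(trailer)}")
    return out


if __name__ == "__main__":
    print(parse_request(SAMPLE_PACKET))
```

Under those assumptions the packet above decodes to key selector 1 and RID 1,588,444,911, with an all-zero checksum field.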

