samba - Mar 2025 - Time sync issue

On 06.03.2025 17:05, Luis Peromarta via samba wrote:
> Hi Miguel.
>
> I can update the wiki (and my web page) if needs be. However , and I have
tried a few times, I can not reproduce the problem and all my clientes sync up
correctly without this key.
>
> Can you help me reproduce ?
> On 6 Mar 2025 at 16:02 +0000, miguel medalha via samba <samba at
lists.samba.org>, wrote:
>>>>> And feedback from Chrony list was, that it seems, that
Windows was
>>>>> using "extended MS-SNTP authenticator", that they
think is not supported
>>>>> by samba... After registry change it used classic MS-SNTP
authenticator
>>>>> requests.
>>> I confirm that your tip does work and effectively solves the issue
of
>> secure NTP.
>>>
HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/
>> SignatureAuthAllowed
>>> Change from 1 to 0.
>>> After distributing this registry setting via GPO, the Windows
clients are
>> synchronizing correctly.
>>
>> Can someone with the required access please update the Samba Wiki with
this
>> information?
>>
>> https://wiki.samba.org/index.php/Time_Synchronisation
>>
>> This could prevent a lot of grief and head scratching to many
sysadmins...
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
Hi folks,

For me, time sync does not work without setting this registry entry 
since about Samba 4.17.something.

Setting the registry value does not solve the basic problem, however. If 
the value is set to zero, the time sync is without signature. In small 
to medium size settings, where the sysadmins have got personal knowledge 
of every device, this is probably just annoying. In large to very large 
installations, it is definitely a security issue, albeit not a serious one.

Just my buck...

Best regards,

Peter

> Setting the registry value does not solve the basic problem, however. If 
> the value is set to zero, the time sync is without signature.
I'm not sure about that...

Using type NT5DS, with the registry key set to 0, communication from the DCs
to clients now contains lines like this:

Key id: 2651062272
Authentication: d3a98613645ce42afeb5bb8701397952

Which didn't happen before, type NT5DS didn't work at all. What is
happening
here, then?

Communication from the clients to DCs, on the other end, gives results like
this:
 
 Key id: 1845886976
 Authentication: 00000000000000000000000000000000

This, of course, is from "tcpdump -K -v udp port 123"

Am 06.03.25 um 17:25 schrieb Peter Milesson via samba:
> For me, time sync does not work without setting this registry entry 
> since about Samba 4.17.something.
Let me enter this thread here ..

today I heard from a customer that their domain-member-PCs show 
different times for years already!

I had assumed to have solved that back then.

Let me ask this:

* should (win11) domain-member-PCs sync time correctly with 
samba-4.21.4-DCs *without* specific GPOs?

* if no: what is the recommended procedure right now? (I will check the 
mentioned wiki-page and what you guys tried to add there .. unsure if 
that worked yet ;-) )

I have to fix that asap ... for now I removed an old GPO to maybe get 
rid of old and wrong stuff. So far I have no feedback from the customer.

As debian distros were mentioned also: my samba-DCs run on bookworm.

Thanks for any pointers