On 06.03.2025 17:05, Luis Peromarta via samba wrote:
> Hi Miguel.
>
> I can update the wiki (and my web page) if needs be. However, and I have tried a few times, I cannot reproduce the problem and all my clients sync up correctly without this key.
>
> Can you help me reproduce?
> On 6 Mar 2025 at 16:02 +0000, miguel medalha via samba <samba at lists.samba.org>, wrote:
>>>>> And feedback from Chrony list was, that it seems, that Windows was
>>>>> using "extended MS-SNTP authenticator", that they think is not supported
>>>>> by samba... After registry change it used classic MS-SNTP authenticator
>>>>> requests.
>>> I confirm that your tip does work and effectively solves the issue of
>>> secure NTP.
>>>
>>> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/SignatureAuthAllowed
>>> Change from 1 to 0.
>>> After distributing this registry setting via GPO, the Windows clients are
>>> synchronizing correctly.
>>
>> Can someone with the required access please update the Samba Wiki with this
>> information?
>>
>> https://wiki.samba.org/index.php/Time_Synchronisation
>>
>> This could prevent a lot of grief and head scratching to many sysadmins...
>>
Hi folks,

For me, time sync does not work without setting this registry entry
since about Samba 4.17.something.

Setting the registry value does not solve the basic problem, however. If
the value is set to zero, the time sync is without signature. In small
to medium size settings, where the sysadmins have got personal knowledge
of every device, this is probably just annoying. In large to very large
installations, it is definitely a security issue, albeit not a serious one.

Just my buck...

Best regards,
Peter