samba - Dec 2016 - samba 4.5.0 on hpux ia64: Configuring time synchronization for samba AD DC

As mentioned in below link:-


https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller


I am trying to synchronize time for Kerberos with NTP. But NTP(4.2.6) supported
on hpux is not build with

enabled signed ntp support *(**--enable-ntp-signd)* for time
synchronization mechanism.


What would be the impact if i don’t configuring time synchronization for
Samba AD DC ?

Arjit Kumar

2016-12-09 11:09 GMT+01:00 Arjit Gupta via samba <samba at
lists.samba.org>:
> As mentioned in below link:-
>
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_
> Active_Directory_Domain_Controller
>
>
> I am trying to synchronize time for Kerberos with NTP. But NTP(4.2.6)
> supported
> on hpux is not build with
>
> enabled signed ntp support *(**--enable-ntp-signd)* for time
> synchronization mechanism.
>
>
> What would be the impact if i don’t configuring time synchronization for
> Samba AD DC ?
>
Not much: AD is based on Kerberos authentication and Kerberos
authentication relies on time, machines must be using same time (5min of
decay max).
So all you risk is authentication does not work.

Some grumpy people would say it is not good that authentication does work
for an authentication system. I could agree...

So just configure "ntpd" to keep your DC synchronized with the rest of
the
world and make that ntpd accepting request from your AD clients. Then your
AD clients will be able to retrieve time from DC and so they will use same
time and no more issue. In addition all your machines should show the right
time if your DCs are synchronizing on real NTP somewhere.

And if your issue is because you can't make signed ntp request, just make
unsigned ntp request. Even security guru should not say this information
(time) is too critical...

>
> Arjit Kumar
>