On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba
wrote:
> hello,
>
> The wiki configuration for ntp does not work with this
> configuration: Samba 4.18.5 + Debian 12 + ntpsec. At least for me, it
> didn't work.
>
> I had to remove the "notrap" and "mssntp" options so that the Windows
> clients could synchronize with the DCs again.
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer limited mssntp
>
> What is the implication regarding security in removing these options?
I wrote the mssntp feature for ntp, and got it merged upstream.
mssntp provides a feature where the time responses are signed using the
computer account's password. This allows the computer to trust the
Samba AD DC to provide secure time. Without it the time server will
not be automatically trusted.
I spoke with the ntpsec project manager at a conference after their
launch, and they said that they removed it as they didn't know what it
was for. The ntpsec project didn't reach out to me about it sadly; I
would have gladly explained it.
It is unfortunate, but I would note in their defence that they were trimming
down a lot of portability and other historical features to meet their
new mission, and clearly Samba AD is not a core part of their mission,
as it seems they have not restored it either.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
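For reference, the two configuration fragments that the mssntp option ties together, shown as an added example that is not part of the thread above or of the Samba wiki text. The first is the restrict line as the original poster ended up with it under ntpsec (no mssntp, so responses are unsigned and Windows clients only accept them if they are configured to trust unsigned time); the second is the classic ntpd form that the Samba wiki describes, where ntpd asks the Samba DC over a Unix socket to sign each response with the client computer account's password. The socket directory /var/lib/samba/ntp_signd and the "ntp" group are assumptions for a Debian packaged install; check the value of "ntp signd socket directory" with testparm on your own DC and adjust the group to whatever user your ntpd runs as.

```conf
# --- /etc/ntpsec/ntp.conf (what the original poster had to fall back to) ---
# ntpsec does not implement mssntp, so the restrict line cannot request
# signed responses. Windows domain members will still sync only if their
# W32Time is set to accept unsigned time (e.g. Type=NTP instead of NT5DS).
restrict default kod nomodify nopeer limited

# --- /etc/ntp.conf (classic ntpd, as on the Samba wiki) ---
# ntpd needs to know where Samba exposes the signing socket.
# Path is an assumption; compare with: testparm -sv | grep "ntp signd"
ntpsigndsocket /var/lib/samba/ntp_signd/

# Allow clients to query time only, and sign replies via MS-SNTP so that
# Windows domain members (Type=NT5DS) will trust this DC as a time source.
restrict default kod nomodify notrap nopeer limited mssntp

# --- /etc/samba/smb.conf on the DC ([global] section) ---
# Samba creates the socket here; ntpd's user must be able to reach it.
# Assumed Debian default; after starting samba, give the ntpd group access:
#   chgrp ntp /var/lib/samba/ntp_signd && chmod 750 /var/lib/samba/ntp_signd
[global]
    ntp signd socket directory = /var/lib/samba/ntp_signd
```

A quick way to see which mode a Windows client is actually using is "w32tm /query /status" on the client: a signed exchange shows the DC as the source in NT5DS mode, while a client falling back to unsigned NTP will report "Unable to synchronize" or a manually configured source. On the DC side, Samba logs requests on the signd socket at log level 3 and above, so a Windows client that never touches the socket while ntpd answers it is a sign that mssntp is not in effect.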