On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
> hello,
>
> The wiki configuration for ntp does not work with this
> configuration samba 4.18.5 + debian 12 + ntpsec. At least for me, it
> didn't work.
>
> I had to remove the "notrap" and "mssntp" options so that the Windows
> clients could synchronize with the DCs again.
>
> # Access control
> # Default restriction: Allow clients only to query the time
> restrict default kod nomodify notrap nopeer limited mssntp
>
> What is the implication regarding security in removing these options?

I wrote the mssntp feature for ntp, and got it merged upstream.

mssntp provides a feature where the time responses are signed using the
computer account's password. This allows the computer to trust the
Samba AD DC to provide secure time. Without it the time server will
not be automatically trusted.

I spoke with the ntpsec project manager at a conference after their
launch, and they said that they removed it as they didn't know what it
was for. The ntpsec project didn't reach out to me about it sadly, I
would have gladly explained it.

It is unfortunate, but I would note in their defence they were trimming
down a lot of portability and other historical features to meet their
new mission, and clearly Samba AD is not a core part of their mission,
as it seems neither have they restored it.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)          https://samba.org/~abartlet/
Samba Team Member (since 2001)    https://samba.org
Samba Team Lead                   https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
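To make concrete what the mssntp option provides, and what a client loses when the option is removed, here is an added Python illustration that is not code from this thread, from ntpd or from Samba. It assumes the MS-SNTP scheme as Samba's ntp_signd implements it for ntpd: the DC appends a 4-byte key identifier carrying the computer account's RID and a 16-byte MD5 digest computed over the machine account's NT hash followed by the 48-byte NTP header; the key, RID and packet below are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # the portion of the packet that is signed
KEY_ID_LEN, DIGEST_LEN = 4, 16 # MS-SNTP authenticator trailer

def sign_response(packet: bytes, rid: int, machine_key: bytes) -> bytes:
    """DC side (the work ntp_signd does for ntpd when mssntp is enabled):
    append key id + MD5(machine_key || packet). Assumed scheme, see lead-in."""
    if len(packet) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(machine_key + packet).digest()
    return packet + struct.pack("!I", rid & 0x7FFFFFFF) + digest

def verify_response(signed: bytes, keys_by_rid: dict) -> bool:
    """Client side: trust the response only if the digest verifies under the
    key for the RID named in the authenticator (low 31 bits, assumption)."""
    if len(signed) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False  # unsigned response: what a server without mssntp returns
    packet = signed[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", signed[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    key = keys_by_rid.get(key_id & 0x7FFFFFFF)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, signed[-DIGEST_LEN:])

# Constructed sample: NTPv4 server-mode header (LI=0, VN=4, mode=4), stratum 2,
# poll 6, precision -20, reference id "LOCL", timestamps left zero for brevity.
SAMPLE_PACKET = bytes([0x24, 0x02, 0x06, 0xEC]) + b"\x00" * 8 + b"LOCL" + b"\x00" * 32
SAMPLE_RID = 1105               # constructed computer-account RID
SAMPLE_KEY = bytes(range(16))   # constructed 16-byte machine-account key (NT hash)

def demo() -> dict:
    """Exercise the four outcomes a client can see."""
    keys = {SAMPLE_RID: SAMPLE_KEY}
    signed = sign_response(SAMPLE_PACKET, SAMPLE_RID, SAMPLE_KEY)
    # Flip one bit in the transmit timestamp, as an on-path modification would.
    tampered = signed[:47] + bytes([signed[47] ^ 0x01]) + signed[48:]
    return {
        "signed_ok": verify_response(signed, keys),
        "tampered_rejected": not verify_response(tampered, keys),
        "unsigned_rejected": not verify_response(SAMPLE_PACKET, keys),
        "wrong_key_rejected": not verify_response(signed, {SAMPLE_RID: bytes(16)}),
    }

if __name__ == "__main__":
    print(demo())
```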
On 09/08/2023 20:20, Andrew Bartlett via samba wrote:
> On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
>> hello,
>>
>> The wiki configuration for ntp does not work with this
>> configuration samba 4.18.5 + debian 12 + ntpsec. At least for me, it
>> didn't work.
>>
>> I had to remove the "notrap" and "mssntp" options so that the Windows
>> clients could synchronize with the DCs again.
>>
>> # Access control
>> # Default restriction: Allow clients only to query the time
>> restrict default kod nomodify notrap nopeer limited mssntp
>>
>> What is the implication regarding security in removing these options?
>
> I wrote the mssntp feature for ntp, and got it merged upstream.
>
> mssntp provides a feature where the time responses are signed using the
> computer account's password. This allows the computer to trust the
> Samba AD DC to provide secure time. Without it the time server will
> not be automatically trusted.
>
> I spoke with the ntpsec project manager at a conference after their
> launch, and they said that they removed it as they didn't know what it
> was for. The ntpsec project didn't reach out to me about it sadly, I
> would have gladly explained it.
>
> It is unfortunate, but I would note in their defence they were trimming
> down a lot of portability and other historical features to meet their
> new mission, and clearly Samba AD is not a core part of their mission,
> as it seems neither have they restored it.
>
> Andrew Bartlett
>

Well, I can understand (to a certain extent) removing what could be dead
code, but when they are told that they have made a mistake and don't seem
to have made any attempt to fix the problem, then words fail me.

It might just be easier to get Debian to bring back NTP.

Rowland
Andrew,

I'm not sure if you saw the issue opened on the project's GitLab. They
need something to test.

https://gitlab.com/NTPsec/ntpsec/-/issues/785

On Wed, Aug 9, 2023 at 4:20 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2023-08-09 at 14:26 -0300, Elias Pereira via samba wrote:
> > hello,
> >
> > The wiki configuration for ntp does not work with this
> > configuration samba 4.18.5 + debian 12 + ntpsec. At least for me, it
> > didn't work.
> >
> > I had to remove the "notrap" and "mssntp" options so that the Windows
> > clients could synchronize with the DCs again.
> >
> > # Access control
> > # Default restriction: Allow clients only to query the time
> > restrict default kod nomodify notrap nopeer limited mssntp
> >
> > What is the implication regarding security in removing these options?
>
> I wrote the mssntp feature for ntp, and got it merged upstream.
>
> mssntp provides a feature where the time responses are signed using the
> computer account's password. This allows the computer to trust the
> Samba AD DC to provide secure time. Without it the time server will
> not be automatically trusted.
>
> I spoke with the ntpsec project manager at a conference after their
> launch, and they said that they removed it as they didn't know what it
> was for. The ntpsec project didn't reach out to me about it sadly, I
> would have gladly explained it.
>
> It is unfortunate, but I would note in their defence they were trimming
> down a lot of portability and other historical features to meet their
> new mission, and clearly Samba AD is not a core part of their mission,
> as it seems neither have they restored it.
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett (he/him)          https://samba.org/~abartlet/
> Samba Team Member (since 2001)    https://samba.org
> Samba Team Lead                   https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>

-- 
Elias Pereira