Rowland Penny
2024-Sep-19 14:23 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On Thu, 19 Sep 2024 06:44:13 -0700 (PDT)
James Browning via samba <samba at lists.samba.org> wrote:

> TLDW: I have a Samba install, and I can use help getting the signing
> socket to return a signature with either Chrony or NTPsec; I would
> appreciate some guidance on what I am doing incorrectly. I partially
> followed the instructions at [1]; after checking and revising, I saw
> that adding a line to start signd appeared to have broken everything
> else. I have attached a list of most of the steps I have taken.
> After I get my web host back up tomorrow it will be mirrored at
> https://dell-2018.jamesb192.com/j/
>
> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/

First (I have to point this out, Fedora doesn't), the default Samba
packages to create an AD domain on Fedora use the MIT KDC; this is
still classed as experimental, so they shouldn't be used in production.

You seem to have created an AD domain, but then went on to use tools to
create users, groups and computers from an NT4-style domain. Why did you
not use samba-tool as shown on the Fedora page you linked to?

Unless ntpsec has fixed its NTP server (and I haven't heard if they
have), it doesn't work with a Samba DC, so I would suggest only using
Chrony.

Now we come to the 'biggy': do you know that by having this line in your
smb.conf:

server services = ntp_signd

you have turned everything else off?

I would remove it and restart Samba.

I would also remove the spurious machines you have added to
/etc/passwd; that is not where they live, nor how you join them.

Rowland
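A small lint for the mistake Rowland describes, added here as an example (not code from the thread or from the Samba project): a bare `server services = ntp_signd` replaces Samba's whole default service list, while the documented `+name`/`-name` form adds to or removes from it. The default list is reproduced from smb.conf(5) as I remember it, and the all-or-nothing handling of prefixed tokens is an assumed simplification of Samba's behaviour, so check both against `testparm` for your version.

```python
"""Flag a Samba [global] 'server services' line that replaces the defaults."""
import re

# Default service list from smb.conf(5) (from memory; verify with testparm -v).
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]


def effective_services(value):
    """Return (services_that_would_run, replaced_defaults) for a config value.

    Assumption: if every token carries a '+' or '-' prefix the defaults are
    modified in place; otherwise the bare list replaces them outright.
    """
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    if tokens and all(t[0] in "+-" for t in tokens):
        services = list(DEFAULT_SERVICES)
        for t in tokens:
            if t[0] == "+" and t[1:] not in services:
                services.append(t[1:])
            elif t[0] == "-" and t[1:] in services:
                services.remove(t[1:])
        return services, False
    return tokens, True


def lint_server_services(conf_text):
    """Return warning strings for a 'server services' line in [global]."""
    warnings = []
    section = None
    for raw in conf_text.splitlines():
        # Drop smb.conf comments (both '#' and ';' styles) before parsing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1).strip().lower()
            continue
        kv = re.match(r"server\s+services\s*=\s*(.*)$", line, re.I)
        if not kv or section != "global":
            continue
        value = kv.group(1).strip()
        running, replaced = effective_services(value)
        dropped = [s for s in DEFAULT_SERVICES if s not in running]
        if replaced and dropped:
            warnings.append("'server services = %s' replaces the default "
                            "list; these would no longer start: %s"
                            % (value, ", ".join(dropped)))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the exact line from the thread.
    for w in lint_server_services("[global]\n\tserver services = ntp_signd\n"):
        print(w)
```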
samba
2024-Sep-19 22:29 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On 9/19/24 09:23, Rowland Penny via samba wrote:
> On Thu, 19 Sep 2024 06:44:13 -0700 (PDT)
> James Browning via samba <samba at lists.samba.org> wrote:
>
>> TLDW: I have a Samba install, and I can use help getting the signing
>> socket to return a signature with either Chrony or NTPsec; I would
>> appreciate some guidance on what I am doing incorrectly. I partially
>> followed the instructions at [1]; after checking and revising, I saw
>> that adding a line to start signd appeared to have broken everything
>> else. I have attached a list of most of the steps I have taken.
>> After I get my web host back up tomorrow it will be mirrored at
>> https://dell-2018.jamesb192.com/j/
>>
>> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/
>
> First (I have to point this out, fedora doesn't), the default Samba
> packages to create An AD domain on fedora use the MIT kdc, this is
> still classed as experimental, so they shouldn't be used in production.
>
> You seem to have created an AD domain, but then went on to use tools to
> create users, groups and computers from an NT4-style domain, why did you
> not use samba-tool as shown on the fedora page you linked to ?
>
> Unless ntpsec has fixed its NTP server (and I haven't heard if they
> have), it doesn't work with a Samba DC, so I would suggest only using
> Chrony.

As of 03/10/24, ntpsec (version 1.2.3+dfsg1-1) is fixed in Debian Trixie;
I can't speak for Fedora.

https://metadata.ftp-master.debian.org/changelogs//main/n/ntpsec/ntpsec_1.2.3+dfsg1-3_changelog

Dale

> Now we come to the 'biggy', do you know by having this line in your
> smb.conf:
>
> server services = ntp_signd
>
> You have turned everything else off ?
>
> I would remove it and restart Samba.
>
> I would also remove the spurious machines you have added to
> /etc/passwd, that is not where they live and how you join them.
>
> Rowland