samba
2024-Sep-19 22:29 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On 9/19/24 09:23, Rowland Penny via samba wrote:
> On Thu, 19 Sep 2024 06:44:13 -0700 (PDT)
> James Browning via samba <samba at lists.samba.org> wrote:
>
>> TLDW: I have a Samba install, and I can use help getting the signing
>> socket to return a signature with either Chrony or NTPsec; I would
>> appreciate some guidance on what I am doing incorrectly. I partially
>> followed the instructions at [1]; after checking and revising, I saw
>> that adding a line to start signd appeared to have broken everything
>> else. I have attached a list of most of the steps I have taken.
>> After I get my web host back up tomorrow it will be mirrored at
>> https://dell-2018.jamesb192.com/j/
>>
>> [1] https://fedoramagazine.org/samba-as-ad-and-domain-controller/
>
> First (I have to point this out, fedora doesn't), the default Samba
> packages to create an AD domain on fedora use the MIT kdc, this is
> still classed as experimental, so they shouldn't be used in production.
>
> You seem to have created an AD domain, but then went on to use tools to
> create users, groups and computers from an NT4-style domain, why did you
> not use samba-tool as shown on the fedora page you linked to ?
>
> Unless ntpsec has fixed its NTP server (and I haven't heard if they
> have), it doesn't work with a Samba DC, so I would suggest only using
> Chrony.

As of 03/10/24, ntpsec (version 1.2.3+dfsg1-1) is fixed in Debian Trixie; I can't speak for Fedora.

https://metadata.ftp-master.debian.org/changelogs//main/n/ntpsec/ntpsec_1.2.3+dfsg1-3_changelog

Dale

> Now we come to the 'biggy', do you know by having this line in your
> smb.conf:
>
> server services = ntp_signd
>
> You have turned everything else off ?
>
> I would remove it and restart Samba.
>
> I would also remove the spurious machines you have added to
> /etc/passwd, that is not where they live and how you join them.
>
> Rowland
>
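Added example, not part of the thread or of Samba's own code: a small check for the smb.conf mistake quoted above, where a bare `server services = ntp_signd` replaces the default service list instead of extending it. It assumes the default list and the `+`/`-` prefix syntax documented in smb.conf(5); the function names and the sample configuration are constructed for illustration, and backslash line continuations are not handled.

```python
import re

# Assumption: default list as documented in smb.conf(5) for recent Samba 4
# releases; confirm with `testparm -v` on the installed version.
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

def server_services_value(conf_text):
    """Return the raw 'server services' value from [global], or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if re.sub(r"\s+", "", key).lower() == "serverservices":
                value = val.strip()  # last occurrence wins
    return value

def audit(conf_text, defaults=DEFAULT_SERVICES):
    """Return (effective services, default services that were switched off)."""
    value = server_services_value(conf_text)
    if value is None:
        return list(defaults), []
    entries = [e for e in re.split(r"[,\s]+", value) if e]
    prefixed = [e[0] in "+-" for e in entries]
    if not any(prefixed):        # bare names replace the whole default list
        effective = entries
    elif all(prefixed):          # "+name" / "-name" adjust the default list
        effective = list(defaults)
        for e in entries:
            if e[0] == "+" and e[1:] not in effective:
                effective.append(e[1:])
            elif e[0] == "-" and e[1:] in effective:
                effective.remove(e[1:])
    else:                        # mixing both forms is treated as invalid here
        raise ValueError("mixed prefixed and bare entries: " + value)
    return effective, [s for s in defaults if s not in effective]

# Constructed sample mirroring the line quoted in the thread.
SAMPLE = "[global]\n    realm = EXAMPLE.TEST\n    server services = ntp_signd\n"

if __name__ == "__main__":
    running, lost = audit(SAMPLE)
    print("running:", running)
    print("disabled defaults:", lost)
```

On the constructed sample, the second return value lists the twelve default services (kdc, ldap, dns and the rest) that the override switches off on the DC.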
Rowland Penny
2024-Sep-20 08:05 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On Thu, 19 Sep 2024 17:29:49 -0500 samba via samba <samba at lists.samba.org> wrote:
> > Unless ntpsec has fixed its NTP server (and I haven't heard if they
> > have), it doesn't work with a Samba DC, so I would suggest only
> > using Chrony.
>
> As of 03/10/24, ntpsec (version 1.2.3+dfsg1-1) is fixed in Debian
> Trixie; I can't speak for Fedora.
>
> https://metadata.ftp-master.debian.org/changelogs//main/n/ntpsec/ntpsec_1.2.3+dfsg1-3_changelog
>

Thanks for that, I wonder if Debian could backport that fix ?

Rowland
James Browning
2024-Oct-18 17:36 UTC
[Samba] The care and feeding of the signing socket; also NTPsec
On Thursday, September 19, 2024 3:29:49 PM PDT samba via samba wrote:
> On 9/19/24 09:23, Rowland Penny via samba wrote:
> As of 03/10/24, ntpsec (version 1.2.3+dfsg1-1) is fixed in Debian
> Trixie; I can't speak for Fedora.
>
> https://metadata.ftp-master.debian.org/changelogs//main/n/ntpsec/ntpsec_1.2.3+dfsg1-3_changelog
>
> Dale

Yes, I listed it fixed; I have no news about it actually working though; I don't see any news about it still being broken either. If only had asked for someone to test it a year ago...

/me exhibiting the reflexes of roadkill.