James Browning
2025-Jan-21 13:59 UTC
[Samba] The failure of that guy from NTPsec getting an RID / Key Identifier
I want to exchange information on how to get my MS-SNTP client working. Additionally, I am seeking guidance on how to program retrieving a valid 'Key Identifier'; that should be enough to get my MS-SNTP client working. Once accomplished, I can adequately test the ntp_signd code in NTPsec.

Microsoft may have deprecated the implementation previously supported by Samba and third-party time servers. This change would be frustrating because it would require developers, including myself, to integrate support for the new 76-byte authenticator. I thank Peter Milesson for locating the relevant document[1] containing this information (sections 2.2.3 & 2.2.4, pages 15-16).

I am attempting to prompt Samba to sign a response using a random RID(?) of 3,735,928,559. Despite my efforts, it has not been successful and always returns a signing error.

The client sends a UDP datagram with the listed payload to my NTPsec server; however, the time server fails to persuade Samba to sign the response. Here is an information dump from the client.

----
ntpdig: querying ::1 (localhost)
ntpdig: Sent to ::1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 eb 39 3c 2f 2f f6 e0 00 .........9<//...
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
ntpdig: querying 127.0.0.1 (localhost)
ntpdig: Sent to 127.0.0.1:
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 eb 39 3c 34 31 5d 48 00 .........9<41]H.
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
ntpdig: no eligible servers
----

Here are some NTPsec log lines (wrapped).

----
2025-01-20T13:18:39 ntpd[102986]: SIGND: bad Samba repy op want 3, got 4.
2025-01-20T13:18:44 ntpd[102986]: SIGND: bad Samba repy op want 3, got 4.
----

[1] https://winprotocoldocs-bhdugrdyduf5h2e4.b02.azurefd.net/MS-SNTP/%5BMS-SNTP%5D.pdf

Attached is a packet capture from:
`tcpdump -i lo "udp port 123" -w mssntp.pcap`

-30-
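
As an added illustration (not part of either message, and not NTPsec or Samba code), this decodes the first datagram from the hex dump above into its header flags and trailing authenticator. It assumes the 20-byte trailer is a 4-byte Key Identifier followed by a 16-byte checksum, that the identifier is read in network byte order (which reproduces the 3,735,928,559 in the post), and that the top bit is a key selector with the remaining 31 bits as the RID.

```python
import struct

NTP_HEADER_LEN = 48   # fixed NTP header
AUTH_LEN = 20         # assumed: 4-byte Key Identifier + 16-byte checksum

# Constructed from the first hex dump in the post (datagram sent to ::1).
SAMPLE_HEX = """
e3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 eb 39 3c 2f 2f f6 e0 00
de ad be ef 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
"""


def sample_packet() -> bytes:
    """Turn the embedded hex dump into raw bytes."""
    return bytes.fromhex("".join(SAMPLE_HEX.split()))


def decode_request(pkt: bytes) -> dict:
    """Split an NTP request into header flags and the trailing authenticator."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(pkt))
    first = pkt[0]
    info = {
        "length": len(pkt),
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,                       # 3 = client
        "trailer_len": len(pkt) - NTP_HEADER_LEN,
    }
    trailer = pkt[NTP_HEADER_LEN:]
    if len(trailer) != AUTH_LEN:
        # Unsigned request or a different authenticator format; not decoded here.
        return info
    (key_id,) = struct.unpack("!I", trailer[:4])   # assumed network byte order
    info["key_id"] = key_id
    info["key_selector"] = key_id >> 31            # assumed: top bit selects the key
    info["rid"] = key_id & 0x7FFFFFFF              # assumed: low 31 bits are the RID
    info["checksum_is_zero"] = not any(trailer[4:])
    return info


if __name__ == "__main__":
    for field, value in decode_request(sample_packet()).items():
        print(f"{field:17} {value}")
```

Under those assumptions the 31-bit value carried by the sample is 1,588,444,911 rather than 3,735,928,559, because 0xdeadbeef has its top bit set.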
Douglas Bagnall
2025-Jan-21 23:48 UTC
[Samba] The failure of that guy from NTPsec getting an RID / Key Identifier
On 22/01/25 02:59, James Browning via samba wrote:
>
> Attached is a packet capture from:
> `tcpdump -i lo "udp port 123" -w mssntp.pcap`
>

It seems not to be attached.

Douglas