Hi Miguel.

I can update the wiki (and my web page) if needs be. However, and I have tried a few times, I cannot reproduce the problem and all my clients sync up correctly without this key.

Can you help me reproduce?

On 6 Mar 2025 at 16:02 +0000, miguel medalha via samba <samba at lists.samba.org>, wrote:
> > > > And feedback from Chrony list was, that it seems, that Windows was
> > > > using "extended MS-SNTP authenticator", that they think is not supported
> > > > by samba... After registry change it used classic MS-SNTP authenticator
> > > > requests.
>
> I confirm that your tip does work and effectively solves the issue of
> secure NTP.
>
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/
> SignatureAuthAllowed
>
> Change from 1 to 0.
>
> After distributing this registry setting via GPO, the Windows clients are
> synchronizing correctly.
>
> Can someone with the required access please update the Samba Wiki with this
> information?
>
> https://wiki.samba.org/index.php/Time_Synchronisation
>
> This could prevent a lot of grief and head scratching to many sysadmins...
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

> I can update the wiki (and my web page) if needs be. However,
> and I have tried a few times, I cannot reproduce the problem
> and all my clients sync up correctly without this key.

I understand that, but as you certainly know A LOT of people complained about not being able to get the thing to work...

Maybe the registry tip could be presented as an additional helper to use if the configuration information presented doesn't work as expected?

On 06.03.2025 17:05, Luis Peromarta via samba wrote:
> Hi Miguel.
>
> I can update the wiki (and my web page) if needs be. However, and I have tried a few times, I cannot reproduce the problem and all my clients sync up correctly without this key.
>
> Can you help me reproduce?
> On 6 Mar 2025 at 16:02 +0000, miguel medalha via samba <samba at lists.samba.org>, wrote:
>>>>> And feedback from Chrony list was, that it seems, that Windows was
>>>>> using "extended MS-SNTP authenticator", that they think is not supported
>>>>> by samba... After registry change it used classic MS-SNTP authenticator
>>>>> requests.
>>
>> I confirm that your tip does work and effectively solves the issue of
>> secure NTP.
>>
>> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient/
>> SignatureAuthAllowed
>>
>> Change from 1 to 0.
>>
>> After distributing this registry setting via GPO, the Windows clients are
>> synchronizing correctly.
>>
>> Can someone with the required access please update the Samba Wiki with this
>> information?
>>
>> https://wiki.samba.org/index.php/Time_Synchronisation
>>
>> This could prevent a lot of grief and head scratching to many sysadmins...

Hi folks,

For me, time sync does not work without setting this registry entry since about Samba 4.17.something.

Setting the registry value does not solve the basic problem, however. If the value is set to zero, the time sync is without signature. In small to medium size settings, where the sysadmins have got personal knowledge of every device, this is probably just annoying. In large to very large installations, it is definitely a security issue, albeit not a serious one.

Just my buck...

Best regards,

Peter

> I can update the wiki (and my web page) if needs be. However,
> and I have tried a few times, I cannot reproduce the problem
> and all my clients sync up correctly without this key.

In your case, is the registry key present with a value of 1, or not present at all?

And are you sure that your clients are setting time from the domain controllers and not from the default "time.windows.com"?
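
The two questions in the last message (is `SignatureAuthAllowed` present, and which time source is the client actually using) can be answered on a Windows client with a read-only check like the one below. This is an added example, not part of any message in the thread; the function name `Get-NtpClientAuthState` and the output field names are assumptions made for illustration.

```powershell
# Added example (not from the thread): report the w32time settings discussed above.
# Read-only; run on a domain-joined Windows client.
function Get-NtpClientAuthState {
    # Key and value name as quoted in the thread.
    $ntpClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient'
    # Standard W32Time parameters key (Type = NT5DS means "sync from the domain hierarchy").
    $paramsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

    # Distinguish "value not present" from an explicit 0 or 1.
    $sig = Get-ItemProperty -Path $ntpClientKey -Name 'SignatureAuthAllowed' `
                            -ErrorAction SilentlyContinue
    $sigState = if ($null -eq $sig) { 'not present' } else { [string]$sig.SignatureAuthAllowed }

    $params = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue

    # Time source the service is using right now.
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SignatureAuthAllowed = $sigState
        SyncType             = $params.Type
        ConfiguredNtpServer  = $params.NtpServer
        CurrentSource        = $source
        # True when the client is on the public default instead of a domain controller.
        UsesPublicDefault    = ($source -match 'time\.windows\.com')
    }
}

Get-NtpClientAuthState | Format-List
```

Comparing this output between a client that syncs and one that does not shows whether the registry value or the time source is what differs.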