[ntp:hackers] Samba4 and NTP integration

Luke Howard lukeh at padl.com
Mon Mar 31 20:51:31 UTC 2008


On 01/04/2008, at 4:18 AM, Danny Mayer wrote:
> Luke Howard wrote:
>>> Well there is one thing that you should consider: Unix boxes should be
>>> running ntpd anyway and just about all of the O/S's supply a copy of ntp
>>> for use. If you are running Kerberos you need good time anyway and I
>>> would expect that the Kerberos controller would be running ntpd also. I
>>> do not believe that Windows clients running w32time actually require
>>> that the server be authenticated but you may know better.
>> Windows clients that belong to a domain require the server be
>> authenticated, unless an NTP server is explicitly configured on the
>> client. The latter is impractical in large deployments.
>
> Are you saying that w32time clients require authentication unless  
> you tell it where an NTP server is?

Yes.

> Also if it's going to do authentication, why not just have it use
> its Kerberos ticket in the packet since it has to have one in order
> to be part of the Windows domain?

Because Kerberos is sensitive to time synchronization, this would  
present a chicken and egg problem.

(The latter assertion is not entirely true; if you turn off the KDC,  
Windows clients will fall back to NTLM. And NetLogon authentication is  
used regardless.)

-- Luke

