[ntp:hackers] Samba4 and NTP integration
Luke Howard
lukeh at padl.com
Mon Mar 31 20:51:31 UTC 2008
On 01/04/2008, at 4:18 AM, Danny Mayer wrote:
> Luke Howard wrote:
>>> Well there is one thing that you should consider: Unix boxes should be
>>> running ntpd anyway and just about all of the O/S's supply a copy of ntp
>>> for use. If you are running Kerberos you need good time anyway and I
>>> would expect that the Kerberos controller would be running ntpd also. I
>>> do not believe that Windows clients running w32time actually require
>>> that the server be authenticated but you may know better.
>> Windows clients that belong to a domain require the server be
>> authenticated, unless an NTP server is explicitly configured on the
>> client. The latter is impractical in large deployments.
>
> Are you saying that w32time clients require authentication unless
> you tell it where an NTP server is?
Yes.
> Also if it's going to do authentication, why not just have it use
> its Kerberos ticket in the packet since it has to have one in order
> to be part of the Windows domain?
Because Kerberos is sensitive to time synchronization, this would
present a chicken and egg problem.
(The latter assertion is not entirely true; if you turn off the KDC,
Windows clients will fall back to NTLM. And NetLogon authentication is
used regardless.)
-- Luke