[ntp:hackers] Protocol specification modification for MS-SNTP

Andrew Bartlett abartlet at samba.org
Fri Jul 10 08:20:39 UTC 2009


On Thu, 2009-07-09 at 17:17 +0000, David Mills wrote:
> Dave
> 
> It actually does no harm to reply to a symmetric active packet without 
> mobilizing an association and in fact is consistent with the spec in the 
> finest Jon Postel tradition. There needs to be no option to disable it.
> 
> The code now has a new restrict bit mssntp that enables MS-SNTP 
> processing. It is compatible with Autokey and interleaved modes. I have 
> tested it here with both while enabling mssntp with no ill effects 
> without compiling the optional code.
> 
> Can you or Andrew send me a few grafs for the Authentication Options 
> page? I can edit the other pages that need it.

Something like (please check the technical details, and provide a
pointer to the patched source so I can verify)

mssntp allows certain networks to use the NTP server as the time source
in an Active Directory-like domain.  (A member of an AD domain will
contact its domain controller to obtain authenticated time).  Used in
conjunction with Samba4 as an AD domain controller, when domain members
attempt to obtain authenticated time from the NTP server, the Samba4
instance on the same host is contacted to provide a signature for the
reply.

See ntpd_signd_socket to set the location of the unix domain socket over
which NTPd and Samba4 communicate.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.