[ntp:hackers] Protocol specification modification for MS-SNTP

Danny Mayer mayer at ntp.org
Sun Jul 12 19:31:51 UTC 2009


Andrew Bartlett wrote:
> On Thu, 2009-07-09 at 17:17 +0000, David Mills wrote:
>> Dave
>>
>> It actually does no harm to reply to a symmetric active packet without 
>> mobilizing an association and in fact is consistent with the spec in the 
>> finest Jon Postel tradition. There needs to be no option to disable it.
>>
>> The code now has a new restrict bit mssntp that enables MS-SNTP 
>> processing. It is compatible with Autokey and interleaved modes. I have 
>> tested it here with both while enabling mssntp with no ill effects 
>> without compiling the optional code.
>>
>> Can you or Andrew send me a few grafs for the Authentication Options 
>> page? I can edit the other pages that need it.
> 
> Something like (please check the technical details, and provide a
> pointer to the patched source so I can verify)
> 
> mssntp allows certain networks to use the NTP server as the time source
> in an Active Directory-like domain.  (A member of an AD domain will
> contact its domain controller to obtain authenticated time).  Used in
> conjunction with Samba4 as an AD domain controller, when domain members
> attempt to obtain authenticated time from the NTP server, the Samba4
> instance on the same host is contacted to provide a signature for the
> reply.

So why not try and contact the domain controller instead of involving Samba?

> 
> See ntpd_signd_socket to set the location of the unix domain socket over
> which NTPd and Samba4 communicate.
> 

The code should not be using Unix domain sockets. It needs to use either
AF_INET or AF_INET6.

Danny

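For readers who want to see what the option Andrew describes looks like in practice, the following is an added configuration example; it is not from the original message, nor from the ntp or Samba projects' documentation. It assumes a Samba4 AD domain controller and ntpd on the same host, domain members on 192.0.2.0/24, and a socket directory of /var/lib/samba/ntp_signd (all assumed values). The draft above calls the option ntpd_signd_socket; the directive as shipped in released ntpd is ntpsigndsocket, and it takes the same directory that Samba's "ntp signd socket directory" names, so the two must match. Note that the signing path is the Unix domain socket that Danny objects to; it only exists if ntpd was built with the optional signd code (the --enable-ntp-signd configure option).

```conf
# Added example, not from the original message or from the ntp/Samba projects.
# Assumed setup: Samba4 AD DC and ntpd on one host, domain members on 192.0.2.0/24.

# --- /etc/ntp.conf (ntpd side) ---
server 0.pool.ntp.org iburst      # any reachable upstream source will do

# Default policy: answer time requests, allow no peering, control queries or
# runtime modification, and do NOT enable MS-SNTP processing for the world.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Only the domain members' subnet gets the mssntp restrict bit. ntpd asks the
# signing daemon for a signature only for requests matching this line, so the
# signing path is not exposed to arbitrary clients.
restrict 192.0.2.0 mask 255.255.255.0 mssntp

# Directory holding the Unix domain socket shared with Samba's signing daemon
# (assumed path; must be the same directory Samba is configured with below,
# and ntpd's user must be able to connect to the socket inside it).
ntpsigndsocket /var/lib/samba/ntp_signd

# --- /etc/samba/smb.conf (Samba4 AD DC side), in the [global] section ---
# ntp signd socket directory = /var/lib/samba/ntp_signd
```

The one security-relevant choice here is scoping: put mssntp on the restrict line for the domain members' network rather than on `restrict default`, since every client matched by an mssntp line can cause ntpd to call out to the signing daemon for each request. Whether that daemon link should be a Unix domain socket or an AF_INET/AF_INET6 socket is exactly the point Danny raises above; the example shows the Unix-socket form because that is what the draft text describes.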