[ntp:hackers] Protocol specification modification for MS-SNTP

Danny Mayer mayer at ntp.org
Sun Jul 12 19:31:51 UTC 2009

Andrew Bartlett wrote:
> On Thu, 2009-07-09 at 17:17 +0000, David Mills wrote:
>> Dave
>> It actually does no harm to reply to a symmetric active packet without 
>> mobilizing an association and in fact is consistent with the spec in the 
>> finest Jon Postel tradition. There needs to be no option to disable it.
>> The code now has a new restrict bit mssntp that enables MS-SNTP 
>> processing. It is compatible with Autokey and interleaved modes. I have 
>> tested it here with both while enabling mssntp with no ill effects 
>> without compiling the optional code.
>> Can you or Andrew send me a few grafs for the Authentication Options 
>> page? I can edit the other pages that need it.
> Something like (please check the technical details, and provide a
> pointer to the patched source so I can verify)
> mssntp allows certain networks to use the NTP server as the time source
> in an Active Directory-like domain.  (A member of an AD domain will
> contact its domain controller to obtain authenticated time).  Used in
> conjunction with Samba4 as an AD domain controller, when domain members
> attempt to obtain authenticated time from the NTP server, the Samba4
> instance on the same host is contacted to provide a signature for the
> reply.

So why not try and contact the domain controller instead of involving Samba?

> See ntpd_signd_socket to set the location of the unix domain socket over
> which NTPd and Samba4 communicate.

The code should not be using Unix domain sockets. It needs to use either

