[ntp:hackers] Protocol specification modification for MS-SNTP

Dave Hart davehart at gmail.com
Sun Jul 12 19:42:11 UTC 2009

On Sun, Jul 12, 2009 at 7:31 PM, Danny Mayer wrote:
> Andrew Bartlett wrote:
>> mssntp allows certain networks to use the NTP server as the time source
>> in an Active Directory-like domain.  (A member of an AD domain will
>> contact its domain controller to obtain authenticated time).  Used in
>> conjunction with Samba4 as an AD domain controller, when domain members
>> attempt to obtain authenticated time from the NTP server, the Samba4
>> instance on the same host is contacted to provide a signature for the
>> reply.
> So why not try and contact the domain controller instead of involving Samba?

Samba4 is the domain controller in this case.  Someone could
theoretically write similar code to run on Windows domain controllers,
but it hasn't happened yet.  Keep in mind that Windows domain members
looking for domain-signed time are asking only their own domain
controllers for such signed NTP replies.  When that domain controller
is Samba4 operating as a DC, ntpd integrates with Samba to accomplish
the [MS-SNTP] style of signed NTP replies to unsigned requests, using
a secret shared between the DC(s) and the member machine.

>> See ntpd_signd_socket to set the location of the unix domain socket over
>> which NTPd and Samba4 communicate.
> The code should not be using Unix domain sockets. It needs to use either

The communication is with other software running on the same host, why
tie up UDP or TCP ports and involve the stack in purely local
interprocess communication?

Dave Hart
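As an added illustration of the mechanism Dave describes (this is demo code, not code from ntpd or Samba): ntpd answers the member's unsigned request, hands the 48-byte reply to a signing daemon on the same host over a unix domain socket, and appends what comes back, an MS-SNTP-style authenticator made of a 4-byte key id carrying the member's RID plus a 16-byte MD5 over the shared machine-account secret and the header. The RID, the secret and the socket framing are constructed for the demo; the framing is a simplification, not Samba's ntp_signd wire format.

```python
import hashlib, hmac, os, socket, struct, tempfile, threading

# Constructed demo values (not from the post): a member machine's RID and the 16-byte
# secret the DC and that member share for its machine account.
MEMBER_RID = 1105
SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef")
UNSIGNED_REPLY = bytes([0x24]) + bytes(47)  # LI=0, VN=4, mode=4 (server); rest zeroed

def sign_ntp_reply(packet48: bytes, key_id: int, secret: bytes) -> bytes:
    """MS-SNTP-style authenticator: 4-byte key id (the RID) + MD5(secret || 48-byte header)."""
    if len(packet48) != 48:
        raise ValueError("NTP header must be 48 bytes")
    return packet48 + struct.pack(">I", key_id) + hashlib.md5(secret + packet48).digest()

def verify_signed_reply(reply: bytes, secret: bytes) -> bool:
    """Member side: recompute the digest with its own copy of the secret."""
    if len(reply) != 68:
        return False
    return hmac.compare_digest(hashlib.md5(secret + reply[:48]).digest(), reply[52:])

def serve_one_signing_request(srv: socket.socket, secrets: dict) -> None:
    """Stand-in for the DC-side signing daemon. Framing (length prefix, key id, header)
    is a constructed simplification, not Samba's ntp_signd wire format."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as rf:
        (length,) = struct.unpack(">I", rf.read(4))
        body = rf.read(length)
        (key_id,) = struct.unpack(">I", body[:4])
        secret = secrets.get(key_id)  # unknown RID: refuse to sign (empty reply)
        out = sign_ntp_reply(body[4:], key_id, secret) if secret else b""
        conn.sendall(struct.pack(">I", len(out)) + out)

def ntpd_get_signed_reply(packet48: bytes, key_id: int, secrets: dict) -> bytes:
    """ntpd side: pass the reply over a unix domain socket and get it back signed."""
    path = os.path.join(tempfile.mkdtemp(), "ntp_signd.sock")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)  # bound before the client connects, so there is no startup race
        worker = threading.Thread(target=serve_one_signing_request, args=(srv, secrets))
        worker.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(path)
            req = struct.pack(">I", key_id) + packet48
            cli.sendall(struct.pack(">I", len(req)) + req)
            rf = cli.makefile("rb")
            (n,) = struct.unpack(">I", rf.read(4))
            signed = rf.read(n)
        worker.join()
    os.unlink(path)
    return signed
```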
