[ntp:hackers] Protocol specification modification for MS-SNTP

Andrew Bartlett abartlet at samba.org
Mon Jul 13 01:19:26 UTC 2009


On Sun, 2009-07-12 at 19:42 +0000, Dave Hart wrote:
> On Sun, Jul 12, 2009 at 7:31 PM, Danny Mayer wrote:
> > Andrew Bartlett wrote:
> >>
> >> mssntp allows certain networks to use the NTP server as the time source
> >> in an Active Directory-like domain.  (A member of an AD domain will
> >> contact its domain controller to obtain authenticated time).  Used in
> >> conjunction with Samba4 as an AD domain controller, when domain members
> >> attempt to obtain authenticated time from the NTP server, the Samba4
> >> instance on the same host is contacted to provide a signature for the
> >> reply.
> >
> > So why not try and contact the domain controller instead of involving Samba?
> 
> Samba4 is the domain controller in this case.  Someone could
> theoretically write similar code to run on Windows domain controllers,
> but it hasn't happened yet.  Keep in mind that Windows domain members
> looking for domain-signed time are asking only their own domain
> controllers for such signed NTP replies.  When that domain controller
> is Samba4 operating as a DC, ntpd integrates with Samba to accomplish
> the [MS-SNTP] style of signed NTP replies to unsigned requests, using
> a secret shared between the DC(s) and the member machine.

Indeed.  This code path only happens on a machine that is already
running Samba4 as an Active Directory Domain Controller, and only (as I
understand it) when a network is specifically blessed by the
administrator (the mssntp restrict bit) as containing such clients.

> >> See ntpd_signd_socket to set the location of the unix domain socket over
> >> which NTPd and Samba4 communicate.
> >
> > The code should not be using Unix domain sockets. It needs to use either
> > AF_INET or AF_INET6.
> 
> The communication is with other software running on the same host, why
> tie up UDP or TCP ports and involve the stack in purely local
> interprocess communication?

It is actually more important than that, and the decision was more
deliberate.  The use of a unix domain socket allows the use of file
system access control to strictly ensure that only NTPd can sign
authenticated time requests.

Samba creates the ntp_signd_socket directory with strict permissions to
ensure this feature isn't abused by other users on the system.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
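As an added illustration of the access-control point made above (this is not ntpd's or Samba's own code): a local signing service placed in an owner-restricted directory, which audits that directory's mode and ownership and refuses to bind if other local users could reach the socket. The directory name, the 0750 mode and the audit rules are assumptions modelled on the strict-permission ntp_signd_socket directory described in the message.

```python
import os
import socket
import stat
import tempfile

# Added example, not ntpd or Samba code: the Unix-domain signing socket lives
# in a directory whose permissions decide which local users can reach it.

def audit_socket_dir(path, owner_uid=None):
    """Return a list of problems with a signing-socket directory (empty = OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable: a group member could replace the socket")
    if mode & stat.S_IRWXO:
        problems.append("world-accessible: any local user could request signatures")
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    return problems

def create_strict_socket_dir(parent, name="ntp_signd"):
    """Create the socket directory with mode 0750 (owner plus one trusted group)."""
    path = os.path.join(parent, name)
    os.mkdir(path)
    os.chmod(path, 0o750)  # set explicitly; mkdir's mode argument is masked by umask
    return path

def bind_signd_socket(dir_path, name="socket"):
    """Audit the directory, then bind a listening AF_UNIX socket inside it."""
    problems = audit_socket_dir(dir_path, owner_uid=os.getuid())
    if problems:
        raise PermissionError("; ".join(problems))
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(os.path.join(dir_path, name))
    srv.listen(1)
    return srv

def run_demo():
    """Strict directory binds; a loosened one is refused. Returns (bound, refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = create_strict_socket_dir(tmp)
        bind_signd_socket(d).close()
        os.chmod(d, 0o777)  # constructed misconfiguration: world-accessible directory
        try:
            bind_signd_socket(d, name="socket2")
            refused = False
        except PermissionError:
            refused = True
    return (True, refused)
```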