[ntp:hackers] Protocol specification modification for MS-SNTP

Andrew Bartlett abartlet at samba.org
Mon Jul 13 02:05:11 UTC 2009


On Fri, 2009-07-10 at 18:20 +1000, Andrew Bartlett wrote:
> On Thu, 2009-07-09 at 17:17 +0000, David Mills wrote:
> > Dave
> > 
> > It actually does no harm to reply to a symmetric active packet without 
> > mobilizing an association and in fact is consistent with the spec in the 
> > finest Jon Postel tradition. There needs to be no option to disable it.
> > 
> > The code now has a new restrict bit mssntp that enables MS-SNTP 
> > processing. It is compatible with Autokey and interleaved modes. I have 
> > tested it here with both while enabling mssntp with no ill effects 
> > without compiling the optional code.
> > 
> > Can you or Andrew send me a few grafs for the Authentication Options 
> > page? I can edit the other pages that need it.
> 
> Something like (please check the technical details, and provide a
> pointer to the patched source so I can verify)
> 
> mssntp allows certain networks to use the NTP server as the time source
> in an Active Directory-like domain.  (A member of an AD domain will
> contact its domain controller to obtain authenticated time).  Used in
> conjunction with Samba4 as an AD domain controller, when domain members
> attempt to obtain authenticated time from the NTP server, the Samba4
> instance on the same host is contacted to provide a signature for the
> reply.
> 
> See ntpd_signd_socket to set the location of the unix domain socket over
> which NTPd and Samba4 communicate.

To deal with concerns that administrators might not understand the
implications of the IPC for jitter, you could also say:


Currently, the communication mechanism used between NTPd and Samba4
causes NTPd to block.  This may introduce jitter to other clients if the
Samba4 instance on the same host does not reply in a timely fashion.  

Use the 'mssntp' restrict option to ensure only internal networks may
trigger this authenticated time response, and use an independent
dedicated time server for non-Windows time critical clients.


Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
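As an added illustration (not part of the thread or of Samba/ntpd's own documentation), an ntp.conf fragment applying the advice above: the restrict flag is spelled `mssntp` and the socket directive `ntpsigndsocket` in ntpd's ntp.conf syntax; the subnet, upstream server and socket path are placeholders.

```conf
# Added example ntp.conf fragment. Subnet, upstream server and socket
# path are placeholders; adjust to the local AD domain.

# Upstream source for the server itself (placeholder).
server 0.pool.ntp.org iburst

# Default policy: serve plain time to everyone, but do NOT set mssntp here.
# Without the flag, no host outside the internal subnet can make ntpd
# block on the Samba4 signing daemon and add jitter for other clients.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# Internal AD subnet only: domain members here may request a signed
# reply, which ntpd obtains synchronously from Samba4 over the socket.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery mssntp

# Unix domain socket directory over which ntpd talks to Samba4's
# signing daemon (ntp_signd). Path is a placeholder.
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
```

Clients that need low-jitter time but no AD signing (the non-Windows clients mentioned above) are better pointed at a separate server that has no mssntp entry at all.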