[ntp:hackers] Protocol specification modification for MS-SNTP
tglassey at glassey.com
Mon Jul 13 16:03:00 UTC 2009
Danny Mayer wrote:
> Andrew Bartlett wrote:
>> On Sun, 2009-07-12 at 22:47 -0400, Danny Mayer wrote:
>>> Harlan Stenn wrote:
>>>> Danny wrote:
>>>>> The code should not be using Unix domain sockets. It needs to use either
>>>>> AF_INET or AF_INET6.
>>>> Why? What's the problem you are trying to solve?
>>> That's a point solution. The server can be anywhere.
>> We (the Samba Team) have no need for a broader solution. We are very
>> happy with the solution as proposed and implemented. Our users are also
>> very happy with the solution.
Actually NO they are not. The issue is that they are for the most part
commercial users, and they now need good-quality digital evidence of
Samba shared file services because of the legal implications. Those who are
happy are the people who don't realize how important this evidence issue
is, or are too stupid to see the impact of making the evidence models
around the use of something unprovable.
>> Please read MS-SNTP. In particular, please pay careful attention to:
>>> 1.5.1 Time Source Discovery and Selection
>>> The client must have a way of locating a time source that is a
>>> domain controller and that can establish a secure connection with the
>>> As specified in [MS-NRPC] section 220.127.116.11, Windows clients use the
>>> DsrGetDcName method in the Netlogon domain controller locator service
>>> to find their time sources. Each Windows domain controller configured
>>> to be a time source must set its domain control information flags with
>>> the appropriate time service flags, as specified in [MS-NRPC] section
>> As such, the NTP server and the domain controller are strictly required
>> to be the same host. There is no flexibility in real world operation to
>> be gained in any generalisation here.
> Except if I want to run NTP on a Microsoft Domain Controller which is
> what I do at home.
OK, is this W32TIME or a fuller NTP implementation you want to run? It
makes a difference because the use of SNTP on open Internet connections
is iffy at best.
> The point is that this is implemented strictly for
> Samba and nothing else but we should not ignore either Microsoft's ADS
> or Kerberos's servers which this code does not implement. We can extend
> this but Samba is not the only possibility.