[ntp:hackers] Protocol specification modification for MS-SNTP

tglassey tglassey at glassey.com
Mon Jul 13 16:03:00 UTC 2009


Danny Mayer wrote:
> Andrew Bartlett wrote:
>   
>> On Sun, 2009-07-12 at 22:47 -0400, Danny Mayer wrote:
>>     
>>> Harlan Stenn wrote:
>>>       
>>>> Danny wrote:
>>>>
>>>>         
>>>>> The code should not be using Unix domain sockets. It needs to use either
>>>>> AF_INET or AF_INET6.
>>>>>           
>>>> Why?  What's the problem you are trying to solve?
>>>>
>>>> H
>>>>         
>>> That's a point solution. The server can be anywhere.
>>>       
>> We (the Samba Team) have no need for a broader solution.  We are very
>> happy with the solution as proposed and implemented.  Our users are also
>> very happy with the solution.  
>>     
Actually NO they are not. The issue is that they are for the most part 
commercial users, and they now need good-quality digital evidence of 
Samba shared file services because of the legal implications. The ones who are 
happy are the people who don't realize how important this evidence issue 
is, or are too stupid to see what the impact is of building the evidence models 
around the use of something unprovable.

>>
>> Please read MS-SNTP.  In particular, please pay careful attention to:
>>
>>     
>>> 1.5.1    Time Source Discovery and Selection
>>>   The client must have a way of locating a time source that is a
>>> domain controller and that can establish a secure connection with the
>>> client.
>>>   As specified in [MS-NRPC] section 3.5.4.2, Windows clients use the
>>> DsrGetDcName method in the Netlogon domain controller locator service
>>> to find their time sources. Each Windows domain controller configured
>>> to be a time source must set its domain control information flags with
>>> the appropriate time service flags, as specified in [MS-NRPC] section
>>> 3.5.4.2.
>>>       
>> As such, the NTP server and the domain controller are strictly required
>> to be the same host.  There is no flexibility in real world operation to
>> be gained in any generalisation here.
>>     
>
> Except if I want to run NTP on a Microsoft Domain Controller which is
> what I do at home. 
OK, is this W32TIME or a fuller NTP implementation you want to run? It 
makes a difference because the use of SNTP on open Internet connections 
is iffy at best.
> The point is that this is implemented strictly for
> Samba and nothing else but we should not ignore either Microsoft's ADS
> or Kerberos's servers which this code does not implement. We can extend
> this but Samba is not the only possibility.
>
> Danny
>
>   
