[ntp:hackers] Samba4 and NTP integration

Andrew Bartlett abartlet at samba.org
Thu Mar 27 05:15:14 UTC 2008


I think I perhaps need to start from the top, and describe what I'm
hoping we (the Samba team and NTP hackers) would be able to achieve.

The background to this is that Samba4 implements something that looks
very much like an Active Directory Domain Controller, but running on
Linux and other similar operating systems.  

This implementation is going along pretty well, and we provide LDAP,
Kerberos, SMB, RPC and NBT services to windows clients pretty happily. 

We also pre-configure BIND, to provide DNS services.  

As we move on with Samba4 development and deployment, we have found that
a significant problem is lack of time synchronisation between clients
and servers.  As such, we need to add SNTP to that list of protocols, by
some means or other.  

Because time synchronisation is an important part of a secure network,
Microsoft added SNTP to their servers, but sadly they extended the
protocol with a custom authentication scheme, based on the RID (a 32 bit
number) of the client (member server), and a digest using its long term
kerberos key.  

The method by which this authentication is performed is described in the
public document http://msdn2.microsoft.com/en-us/library/cc212930.aspx 

This document describes things from the perspective of an implementation
on windows, but this is not my aim - I hope only to match the NTP wire
protocol.  (So you may disregard the 'windows implementation' details,
except as clarification).

I would like to construct, by some means or other, a link between NTPd
and Samba4, so it may perform the authentication of NTP packets for
NTPd.  I would propose that this IPC mechanism be a simple
request/response protocol over a unix domain socket, allowing Samba4 to
perform the database lookups required, and validate the response.  

I do not see any reason for this IPC to leave the machine (it would just
add complexity, security considerations and delay). 

While it would be technically possible to construct a shared memory
access to the keys (the database we typically use, ldb, is very good at
this), it would import a very large Samba plugin, which may end up
talking to a remote LDAP server anyway.  

If this all goes well, then Samba4 users can avoid regularly re-syncing
their machines, and I can avoid re-implementing NTP.  

This all said, patches speak louder than words, and I hope to return
with a patch, either by myself or another Samba developer. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
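A sketch of the request/response IPC proposed in the message above, added here as an example; it is not code from the post, from Samba or from ntpd. The ntpd side hands the client's RID and the 48-byte NTP header over a unix domain socket, the helper on the Samba side looks the account up by RID and answers with a digest, so the long-term key never leaves the process that owns it. The socket name, frame layout, status codes, sample key table and the plain MD5(key || packet) digest are assumptions for illustration, not the construction from the cited MS-SNTP document.

```python
import hashlib, os, socket, struct, tempfile, threading

# Constructed sample account table: RID -> long-term key held by the domain side.
ACCOUNT_KEYS = {1105: bytes.fromhex("0123456789abcdef0123456789abcdef")}
# Constructed 48-byte NTPv3 server-mode header with zeroed timestamps.
SAMPLE_PACKET = bytes([0x1C, 2, 10, 0xEC]) + b"\0" * 44

REQ = struct.Struct("!II48s")  # op, rid, header to sign (assumed framing)
RSP = struct.Struct("!I16s")   # status, digest (assumed framing)
OP_SIGN, STATUS_OK, STATUS_UNKNOWN_RID = 0, 0, 1

def digest(key: bytes, packet: bytes) -> bytes:
    # Illustrative keyed digest over the header; stands in for the documented scheme.
    return hashlib.md5(key + packet).digest()

def handle_request(raw: bytes) -> bytes:
    # Domain side: resolve the RID to an account key, sign or refuse.
    op, rid, packet = REQ.unpack(raw)
    key = ACCOUNT_KEYS.get(rid)
    if op != OP_SIGN or key is None:
        return RSP.pack(STATUS_UNKNOWN_RID, b"\0" * 16)
    return RSP.pack(STATUS_OK, digest(key, packet))

def recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:  # stream socket: loop until the fixed-size frame is complete
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def serve_once(srv: socket.socket) -> None:
    # Samba-side helper: one request, one response, then close.
    conn, _ = srv.accept()
    with conn:
        conn.sendall(handle_request(recv_exact(conn, REQ.size)))

def sign_via_socket(rid: int, packet: bytes) -> tuple:
    """ntpd side: connect to the local socket, send (rid, header), read the digest."""
    with tempfile.TemporaryDirectory() as d, \
         socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        path = os.path.join(d, "ntp_signd")  # assumed socket name
        srv.bind(path); srv.listen(1)        # listening before the client connects
        t = threading.Thread(target=serve_once, args=(srv,)); t.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.connect(path)
            c.sendall(REQ.pack(OP_SIGN, rid, packet))
            status, mac = RSP.unpack(recv_exact(c, RSP.size))
        t.join()
        return status, mac
```

An unknown RID yields a refusal with an all-zero digest rather than an error on the socket, so the ntpd side can distinguish "no such account" from a transport failure.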