[ntp:hackers] Protocol specification modification for MS-SNTP
Danny Mayer
mayer at ntp.org
Sun Jul 12 19:31:51 UTC 2009
Andrew Bartlett wrote:
> On Thu, 2009-07-09 at 17:17 +0000, David Mills wrote:
>> Dave
>>
>> It actually does no harm to reply to a symmetric active packet without
>> mobilizing an association and in fact is consistent with the spec in the
>> finest Jon Postel tradition. There needs to be no option to disable it.
>>
>> The code now has a new restrict bit mssntp that enables MS-SNTP
>> processing. It is compatible with Autokey and interleaved modes. I have
>> tested it here with both while enabling mssntp with no ill effects
>> without compiling the optional code.
>>
>> Can you or Andrew send me a few grafs for the Authentication Options
>> page? I can edit the other pages that need it.
>
> Something like (please check the technical details, and provide a
> pointer to the patched source so I can verify)
>
> mssntp allows certain networks to use the NTP server as the time source
> in an Active Directory-like domain. (A member of an AD domain will
> contact its domain controller to obtain authenticated time). Used in
> conjunction with Samba4 as an AD domain controller, when domain members
> attempt to obtain authenticated time from the NTP server, the Samba4
> instance on the same host is contacted to provide a signature for the
> reply.

So why not try and contact the domain controller instead of involving Samba?
>
> See ntpd_signd_socket to set the location of the unix domain socket over
> which NTPd and Samba4 communicate.
>
The code should not be using Unix domain sockets. It needs to use either
AF_INET or AF_INET6.

Danny