[ntpwg] [ntp:hackers] MS-SNTP
David L. Mills
mills at udel.edu
Tue Apr 1 02:33:40 UTC 2008
Andrew,
I hear you and don't want to leave Microsoft out in any case. As it
stands, the MS-SNTP key ID scheme is incompatible with ordinary NTP
users and the national laboratories. But, you have given me an idea.
You say Samba is to simulate an AD controller, which means it would be a
MS-SNTP server for that domain. I wouldn't think the Samba AD would
ordinarily be a MS-SNTP client of another MS-SNTP server in that
domain, but that might happen. On the other hand, the Samba 4 machine
would very likely be a client of other NTP server(s). This is the case I
am worried about. An even more perplexing case is when the Samba machine
is a server for both NTP and MS-SNTP clients.
For grins, I propose a configuration command to set the default server
key ID scheme (ntp/mssntp/...) plus an association configuration option
to set the default client key ID scheme. Exceptions can be handled by
the restrict mechanism by using the restrict bits to override the
default server scheme. I assume an AD will not have addresses scattered
all over the place and relatively few address/mask pairs would be
necessary. If on the other hand only a few NTP clients are used, the
mask can apply to them.
Does this work?
Dave
Andrew Bartlett wrote:
> On Sat, 2008-03-29 at 17:48 +0000, David L. Mills wrote:
>
>> Andrew,
>
>
>> This is quickly becoming a failed mission. If Microsoft insists on
>> propagating MS-SNTP, they should provide their own infrastructure
>> independent of the existing NTP infrastructure.
>
>
> This is not about what Microsoft wants. Microsoft does not want this to
> happen. Microsoft would be very happy if we get tied up in discussions
> like this one, unable to make forward progress.
>
> This is about the Samba team not wishing to re-implement (or
> fork-and-embed) ntpd. It looks like a simple enough protocol, it
> shouldn't be too hard, but I really don't want to do that.
>
> I agree, Microsoft has been bastards, and completely stomping on your
> protocol. I'll soon be giving a talk at SambaXP in 2 weeks' time
> entitled 'the little barber shop of horrors', looking at what they did
> to LDAP.
>
> My concern is how to progress Samba4, and our effort to replace
> Microsoft's AD domain controller with one running on Linux, for existing
> clients, running unmodified client software. Microsoft's clients will
> not run unmodified without this authentication suite, when talking to
> what they think is an AD domain controller.
>
> As I see it, the more we can use existing open source software, and have
> our changes included upstream (preferably in a way that users can just
> enable a Samba4 quirks mode) the better it is for the open source
> software community.
>
> I realise this will not help a mission of leaving Microsoft out in the
> cold, but if we can't make this work, the only people it will hurt is
> the Samba team, and those trying to reduce their dependence on
> Microsoft's software.
>
> Andrew Bartlett
>