[chrony-users] Problem with windows domain time syncing (Debian bookworm)
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-users] Problem with windows domain time syncing (Debian bookworm)
- From: Virgo Pärna <virgo.parna@xxxxxxx>
- Date: Wed, 19 Feb 2025 13:49:16 +0200
I have chrony (4.3) running on a Samba AD domain controller.
Chrony is configured with
ntpsigndsocket /var/lib/samba/ntp_signd/
And the _chrony group has read and execute permissions to that directory.
There are no errors or warnings in the journal for chrony.
But Windows domain members stopped syncing time a few days after a Samba
upgrade to the newest version.
Using Wireshark I could see that when running
w32tm /resync
there were packets going to the time server but no response. Requests had
a Key ID and a 68 byte Message Authentication Code (with one byte set to 01,
according to Wireshark).
w32tm /monitor would send requests not from port 123 and without Key ID
and Message Authentication Code. And that would receive a response.
After changing, in the Windows registry under
HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient
the value of SignatureAuthAllowed from 1 to 0 and restarting the w32time service,
w32tm /resync would work and there would be responses and time would
sync. And Wireshark shows that requests are sent with the same Key ID
value, but the Message Authentication Code is instead 16 bytes, all zeros.
And it does receive responses.
But why did it stop working without that registry change?
--
Virgo Pärna
virgo.parna@xxxxxxx
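
Added example (not part of the original post, and not chrony or Samba code): a small Python classifier for captured UDP/123 payloads that sorts requests into the three shapes described in the message above: no Key ID, Key ID with a 16 byte MAC, and Key ID with a 68 byte MAC. The function name, the sample payloads, the Key ID value and the position of the 01 byte are constructed for illustration, and the code assumes no NTP extension fields sit between the header and the Key ID.

```python
import struct

NTP_HEADER_LEN = 48   # fixed NTP header; Key ID and MAC follow it
KEY_ID_LEN = 4
MAC_KINDS = {16: "Key ID + 16-byte MAC", 68: "Key ID + 68-byte MAC"}

def classify_ntp_request(payload: bytes) -> dict:
    """Describe the authentication trailer of one UDP/123 payload.

    Assumes no NTPv4 extension fields sit between header and Key ID.
    """
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than an NTP header")
    info = {"version": (payload[0] >> 3) & 0x7, "mode": payload[0] & 0x7,
            "key_id": None, "mac_len": 0, "mac_all_zero": None,
            "nonzero_offsets": []}
    trailer = payload[NTP_HEADER_LEN:]
    if not trailer:
        info["kind"] = "no Key ID / MAC"
        return info
    if len(trailer) <= KEY_ID_LEN:
        raise ValueError("trailer too short to hold a Key ID and MAC")
    (info["key_id"],) = struct.unpack("!I", trailer[:KEY_ID_LEN])
    mac = trailer[KEY_ID_LEN:]
    info["mac_len"] = len(mac)
    # Offsets of non-zero MAC bytes: empty for an all-zero placeholder MAC.
    info["nonzero_offsets"] = [i for i, b in enumerate(mac) if b]
    info["mac_all_zero"] = not info["nonzero_offsets"]
    info["kind"] = MAC_KINDS.get(len(mac), "Key ID + unexpected MAC length")
    return info

# Constructed sample payloads (not taken from a real capture).
HEADER = bytes([0xDB]) + bytes(NTP_HEADER_LEN - 1)   # VN=3, mode 3 (client)
KEY_ID = struct.pack("!I", 0x00000451)               # constructed Key ID
SAMPLES = {
    "monitor-style": HEADER,
    "resync, SignatureAuthAllowed=0": HEADER + KEY_ID + bytes(16),
    # Position of the 01 byte is an assumption; the post does not say which.
    "resync, SignatureAuthAllowed=1": HEADER + KEY_ID + b"\x00\x01" + bytes(66),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = classify_ntp_request(pkt)
        print(f"{name}: {r['kind']}, key_id={r['key_id']}, "
              f"all_zero={r['mac_all_zero']}, nonzero_at={r['nonzero_offsets']}")
```

Feeding it the UDP payloads exported from a capture shows per client which request shape is in use, which helps when comparing machines before and after the registry change.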