[chrony-users] Problem with windows domain time syncing (Debian bookworm)



I have chrony (4.3) running on a Samba AD domain controller.
Chrony is configured with
ntpsigndsocket /var/lib/samba/ntp_signd/
and the _chrony group has read and execute permissions to that directory.

There are no errors or warnings in the journal for chrony.

But Windows domain members stopped syncing time a few days after a Samba upgrade to the newest version.

Using Wireshark I could see that when running
w32tm /resync
there were packets going to the time server but no response. The requests had a Key ID and a 68-byte Message Authentication Code (with one byte set to 01, according to Wireshark). w32tm /monitor would send requests not from port 123 and without a Key ID and Message Authentication Code. And that would receive a response.

After changing the value of SignatureAuthAllowed from 1 to 0 in the Windows registry under HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient and restarting the w32time service, w32tm /resync would work: there would be responses and the time would sync. Wireshark shows that the requests are sent with the same Key ID value, but the Message Authentication Code is instead 16 bytes, all zeros. And it does receive responses.

But why did it stop working without that registry change?

--
Virgo Pärna
virgo.parna@xxxxxxx
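
The capture comparison described in the message above, as an added example that is not part of the original post and is not chrony or Samba code: a Python sketch that classifies NTP UDP payloads by what follows the 48-byte header and counts client requests that no server reply echoes. The sample packets, key ID and MAC bytes are constructed, and the sketch assumes no NTP extension fields sit between the header and the Key ID.

```python
from collections import Counter

NTP_HEADER_LEN = 48  # fixed NTP header; anything after it is treated as Key ID + MAC


def describe(payload):
    """Classify one NTP UDP payload by the trailer after the 48-byte header."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("truncated NTP packet")
    trailer = payload[NTP_HEADER_LEN:]
    key_id, mac = trailer[:4], trailer[4:]
    if not trailer:
        kind = "no authenticator"
    elif len(trailer) < 4:
        kind = "malformed trailer"
    elif len(mac) == 16:
        kind = "key ID + 16-byte MAC" + ("" if any(mac) else " (all zeros)")
    else:
        kind = f"key ID + {len(mac)}-byte MAC"
    return {"mode": payload[0] & 0x07, "kind": kind, "key_id": key_id.hex() or None,
            "origin": payload[24:32], "transmit": payload[40:48]}


def unanswered_by_kind(payloads):
    """Count mode 3 requests whose transmit timestamp no mode 4 reply echoes."""
    pkts = [describe(p) for p in payloads]
    answered = {p["origin"] for p in pkts if p["mode"] == 4}
    return Counter(p["kind"] for p in pkts
                   if p["mode"] == 3 and p["transmit"] not in answered)


def _pkt(mode, transmit, origin=bytes(8), trailer=b""):
    """Build a constructed NTPv3 payload: flags, padding, origin, receive, transmit."""
    return bytes([(3 << 3) | mode]) + bytes(23) + origin + bytes(8) + transmit + trailer


# Constructed sample data (not taken from a real capture).
KEY_ID = bytes.fromhex("00000451")
T1, T2, T3 = b"\x01" * 8, b"\x02" * 8, b"\x03" * 8
SAMPLE = [
    _pkt(3, T1, trailer=KEY_ID + b"\x00\x00\x01\x00" + b"\xaa" * 64),  # 68-byte MAC
    _pkt(3, T2),                                 # no Key ID, no MAC
    _pkt(4, b"\x12" * 8, origin=T2),             # reply to T2
    _pkt(3, T3, trailer=KEY_ID + bytes(16)),     # 16-byte all-zero MAC
    _pkt(4, b"\x13" * 8, origin=T3),             # reply to T3
]

if __name__ == "__main__":
    for kind, count in unanswered_by_kind(SAMPLE).items():
        print(f"{count} unanswered request(s): {kind}")
```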

