Re: [chrony-users] Problem with windows domain time syncing (Debian bookworm)



On Wed, Feb 19, 2025 at 01:49:16PM +0200, Virgo Pärna wrote:
> Using Wireshark I could see that when running
> w32tm /resync
> there were packets going to the time server but no response. Requests had a Key
> ID and a 68 byte Message Authentication Code (with one byte set to 01,
> according to Wireshark).

That would be the extended MS-SNTP authenticator field, which AFAIK is
not supported by the samba signd protocol yet.

> After changing in the Windows registry under
> HKLM\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient
> the value of SignatureAuthAllowed from 1 to 0 and restarting the w32time service,
> w32tm /resync would work and there would be responses and time would sync.
> And Wireshark shows that requests are sent with the same Key ID value, but
> the Message Authentication Code is instead 16 bytes, all zeros. And it does
> receive responses.

That's the classic MS-SNTP authenticator field.

> But why did it stop working without that registry change?

Maybe some related feature provided by the updated samba enables the
use of extended authenticators? You should ask samba developers.

-- 
Miroslav Lichvar
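
Added example, not part of the original message and not chrony or samba code: a small Python classifier that tells the two request shapes described in this thread apart by the length of the trailer after the NTP header (Key ID plus a 16-byte MAC versus Key ID plus a 68-byte MAC). It assumes a 48-byte NTP header with no extension fields and a 4-byte Key ID; the sample packets, the Key ID value and the position of the 01 byte are constructed.

```python
NTP_HEADER_LEN = 48    # fixed NTP header; no extension fields assumed
KEY_ID_LEN = 4
CLASSIC_MAC_LEN = 16   # "16 bytes all zeros" in the requests that got responses
EXTENDED_MAC_LEN = 68  # "68 byte Message Authentication Code" in the unanswered ones


def classify_request(payload: bytes) -> dict:
    """Classify the authenticator trailing an NTP request (raw UDP payload)."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    result = {"mode": payload[0] & 0x07, "kind": "none",
              "key_id": None, "nonzero_mac_offsets": []}
    trailer = payload[NTP_HEADER_LEN:]
    if not trailer:
        return result                      # plain, unauthenticated request
    if len(trailer) < KEY_ID_LEN:
        result["kind"] = "malformed"
        return result
    result["key_id"] = trailer[:KEY_ID_LEN].hex()   # raw bytes, no endianness implied
    mac = trailer[KEY_ID_LEN:]
    # Offsets of non-zero MAC bytes: empty for the classic all-zero request.
    result["nonzero_mac_offsets"] = [i for i, b in enumerate(mac) if b]
    if len(mac) == CLASSIC_MAC_LEN:
        result["kind"] = "classic"
    elif len(mac) == EXTENDED_MAC_LEN:
        result["kind"] = "extended"
    else:
        result["kind"] = "unknown"
    return result


def _sample(mac: bytes, key_id: bytes = bytes.fromhex("51040000")) -> bytes:
    # Constructed packet: LI=0, VN=3, mode=3 (client); rest of the header zeroed.
    header = bytes([0x1B]) + bytes(NTP_HEADER_LEN - 1)
    return header + key_id + mac


# Constructed samples mirroring the two captures described in the thread.
CLASSIC = _sample(bytes(CLASSIC_MAC_LEN))
EXTENDED = _sample(bytes([0, 0, 1, 0]) + bytes(64))  # location of the 01 byte is assumed

if __name__ == "__main__":
    for name, pkt in (("classic", CLASSIC), ("extended", EXTENDED)):
        print(name, classify_request(pkt))
```

Feeding it the UDP payloads of client requests exported from a capture shows at a glance which clients are sending the extended form that goes unanswered.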

