Re: [Ntp] SNTP, Old crufty software

Martin Burnicki <martin.burnicki@meinberg.de> Wed, 17 August 2022 16:43 UTC

Message-ID: <d4d4dd83-9a18-63b4-947e-7edd7a10358f@meinberg.de>
Date: Wed, 17 Aug 2022 18:43:00 +0200
To: Harlan Stenn <stenn@nwtime.org>, Greg.Dowd=40microchip.com@dmarc.ietf.org, ntp@ietf.org
References: <20220813080730.3FAC728C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <BYAPR11MB276076FDFF94749FE9B96A70FC6B9@BYAPR11MB2760.namprd11.prod.outlook.com> <a71a120f-2af7-67ac-4d48-1d343e8b6d68@nwtime.org>
From: Martin Burnicki <martin.burnicki@meinberg.de>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
In-Reply-To: <a71a120f-2af7-67ac-4d48-1d343e8b6d68@nwtime.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/MZcrK5FINRpwb_u-7otYTYd16yA>
List-Id: Network Time Protocol <ntp.ietf.org>

Harlan Stenn wrote:
> On 8/16/2022 10:51 AM, Greg.Dowd=40microchip.com@dmarc.ietf.org wrote:
>> Wasn't there an "undocumented" authentication mechanism in windows 
>> using ntp with symm active or symm passive request?  A different way 
>> of parsing the MAC?

If I remember correctly, w32time could use a Microsoft-specific crypto 
hash appended to the NTP base packet instead of the common extensions 
used e.g. for symmetric keys.

However, I've never seen that in the wild, maybe because it was only 
used inside a Windows AD domain.

I remember that ntpd had some code (that could be conditionally compiled 
in) that would pass packets to a Samba server for signing, when the 
Samba server was configured as Domain Controller.

I also remember that there was a big, fat warning to use this feature 
because the call to the Samba server could have blocked, which would 
have caused a terrible timing in regard to timekeeping.

I also remember that this worked *only* with Samba servers which 
provided an appropriate interface for such calls, which real Windows 
Domain Controllers didn't have.

>> I "think" just sending back server worked for
>> unauthenticated but honestly, it's been so long I could be wrong.
> 
> The issue is that windows clients (I don't recall if or how 
> authentication plays in to this) by default send a symmetric active 
> request instead of sending a client request.  When we see this, we 
> simply send back a MODE_PASSIVE response, without mobilizing an 
> association.
> 
> The fix for this problem looks like it was committed on 12 Sep 2018, but 
> for some reason I think this happened before that.
> 
> See Microsoft KB 875242 for the preferred work-around.
> 
> The "accommodation" for the broken windows clients was included in 
> 4.2.8p13, unless it happened before that.

That was initially introduced in 2002. Later the workaround was "fixed", 
probably unintentionally, and was re-enabled in 2018 with ntpd 
v.2.18p12, if my former investigations are correct.

I've put a summary on one of our knowledge base pages:
https://kb.meinbergglobal.com/kb/time_sync/timekeeping_on_windows/configuring_w32time_as_ntp_client

That page also contains links to the Google groups archive with the 
announcements by Dave Mills.


Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com
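The thread describes two things a server sees on the wire: a symmetric-active (mode 1) request that some Windows clients send by default instead of a client (mode 3) request, and an authenticator appended after the 48-byte NTP base packet. The following is an added example written for this archive page, not code from the thread, from ntpd or from Meinberg: it parses the RFC 5905 fixed header, measures (without interpreting) any trailing bytes, and models the accommodation Harlan describes, namely answering a mode-1 request from an unconfigured host with a mode-2 (passive) reply while mobilizing no association. The sample packets, the `configured_peers` set and the `server_state` dictionary are constructed here for illustration; the packet layout itself is the standard one, and the Microsoft-specific authenticator format is deliberately left uninterpreted because the thread does not describe it.

```python
import struct

HEADER_LEN = 48  # the NTP "base packet"; anything after it is extension fields and/or a MAC
MODE_SYMMETRIC_ACTIVE, MODE_SYMMETRIC_PASSIVE, MODE_CLIENT, MODE_SERVER = 1, 2, 3, 4
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Fixed header: LI/VN/mode, stratum, poll, precision (signed), root delay,
# root dispersion, reference id, then four 64-bit timestamps. "!" = big-endian, no padding.
_HEADER_FMT = "!BBBbIIIQQQQ"


def build_header(mode, version=4, stratum=0, poll=6, precision=-20, root_delay=0,
                 root_disp=0, ref_id=0, ref_ts=0, orig_ts=0, recv_ts=0, xmit_ts=0):
    """Serialize a 48-byte NTP header with leap indicator 0 (used here to construct samples)."""
    li_vn_mode = (0 << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return struct.pack(_HEADER_FMT, li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id, ref_ts, orig_ts, recv_ts, xmit_ts)


def parse_header(pkt):
    """Decode the fixed header and report how many bytes follow it."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(_HEADER_FMT, pkt[:HEADER_LEN])
    return {
        "li": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7, "mode": li_vn_mode & 0x7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay, "root_disp": root_disp, "ref_id": ref_id,
        "ref_ts": ref_ts, "orig_ts": orig_ts, "recv_ts": recv_ts, "xmit_ts": xmit_ts,
        # Whatever trails the base packet (extension fields, a keyid+digest MAC, or the
        # Microsoft-specific authenticator the thread mentions). Its layout is not
        # described there, so this code only measures it and never trusts it.
        "trailer_len": len(pkt) - HEADER_LEN,
    }


def handle_request(pkt, src, configured_peers, server_state):
    """Decide how a server answers one incoming packet; returns (action, reply_or_None).

    Simplified model of the behaviour described in the thread: a mode-3 request gets a
    mode-4 reply; a mode-1 request from a host that is not a configured peer gets a
    mode-2 reply and no association is created; packets from configured peers are
    handed to the normal peer path (not modelled); everything else is dropped.
    """
    req = parse_header(pkt)
    if src in configured_peers:
        return "peer-path", None
    common = dict(version=req["version"], stratum=server_state["stratum"],
                  poll=req["poll"], precision=server_state["precision"],
                  ref_id=server_state["ref_id"], ref_ts=server_state["ref_ts"],
                  orig_ts=req["xmit_ts"],  # echo the requester's transmit timestamp
                  recv_ts=server_state["now"], xmit_ts=server_state["now"])
    if req["mode"] == MODE_CLIENT:
        return "reply-server", build_header(MODE_SERVER, **common)
    if req["mode"] == MODE_SYMMETRIC_ACTIVE:
        # The accommodation for clients that send symmetric active by default.
        return "reply-passive-without-association", build_header(MODE_SYMMETRIC_PASSIVE, **common)
    return "drop", None


if __name__ == "__main__":
    # Constructed sample: a version-3 symmetric-active request carrying a 20-byte trailer.
    req = build_header(MODE_SYMMETRIC_ACTIVE, version=3, xmit_ts=0x0123456789ABCDEF) + bytes(20)
    state = {"stratum": 2, "precision": -20, "ref_id": 0x0A000001, "ref_ts": 1,
             "now": 0xE6A1B2C300000000}
    hdr = parse_header(req)
    print("request:", MODE_NAMES[hdr["mode"]], "v%d" % hdr["version"],
          "trailer bytes:", hdr["trailer_len"])
    action, reply = handle_request(req, "192.0.2.10", {"192.0.2.1"}, state)
    print("action:", action, "reply mode:", MODE_NAMES[parse_header(reply)["mode"]])
```

For a defender the useful signal is the pair of facts this parser exposes: mode-1 requests arriving from hosts that are not configured peers (which should only ever be answered, never turned into associations), and a non-zero `trailer_len` on packets whose source claims no key, which is worth logging before any code attempts to interpret it.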