I am not 100% sure that ntpsec really understands security, 'ntp' was the recommended time server to use on a Samba AD DC, this was secure. However, ntpsec forked ntp and in their attempt to make it secure, they somehow removed the very secure Samba link. They 'think' they have fixed this, but whatever they did, it hasn't been backported to the version in Debian 12, so will not be really tested until Trixie comes out. This means that Chrony is now the recommended time server to use on a Samba AD DC and if it is good enough for Kerberos on a DC, then it must be good enough for a general time server.
You need to set-up the ntp security piece with ntpkeygen.
Statistics: Posted by hortimech — Mon Dec 23, 2024 2:22 pm