[ntp:bugs] [Bug 1242] --enable-wintime should be enabled by default on all target systems

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Mon Jul 6 12:03:23 UTC 2009


http://bugs.ntp.org/1242



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-07-06 12:03

(In reply to Martin's comment #27)
> (In reply to Dave Hart's comment #17)
> > (In reply to Martin's comment #16)
> > > (In reply to Dave Mills' comment #14)
> > > > Then, the Samba folks hijacked the ifdef, but I didn't 
> > > > notice it.  If I had, I would have squawked. The two uses of WINTIME 
> > > > should be separated;
> > > 
> > > I absolutely agree. A different symbol should be used to control support
> > > for MS authentication.
> > 
> > Dave & Martin:  It's not fair to describe the interaction of WINTIME and the 
> > Samba "signd" extension to implement the Microsoft-style signed NTP
> > documented in [MS-SNTP] as hijacking WINTIME.
> [...]
> 
> I think the meaning of this is that WINTIME has originally been used to control
> the workaround for w32time peer packets.
> 
> Later WINTIME started to be used also to control whether MS style 
> authentication shall be supported, or not.

No, WINTIME alone controls only whether ntpd drops or replies to unauthenticated 
symmetric mode requests from a non-configured peer.

> Basically these are 2 different things, so they should be controlled by 
> different symbols. I.e. it should be *possible* to enable the peer workaround 
> without enabling support for MS authentication. Using HAVE_NTP_SIGND for this, 
> as Dave Mills has suggested, sounds good to me.

This is what we have today.  If you compile with WINTIME alone, ntpd works for 
the simple Windows "Internet Time" case, but does not reply to requests from 
domain members for Windows-style authenticated time.

> If support for MS authentication also *requires* the peer workaround then this 
> should be reflected in a dependency of the settings, i.e. WINTIME should be 
> forced to be defined if HAVE_NTP_SIGND has been defined, but the other way 
> round HAVE_NTP_SIGND must not necessarily be defined just because WINTIME has 
> been.

Both macros are set up by configure/configure.ac, which does not currently 
enforce the dependency, but it does default WINTIME to on if HAVE_NTP_SIGND is 
enabled.  That is, configure --enable-ntp-signd --disable-wintime is currently 
accepted by configure and will result in a broken signd configuration as the 
necessary code to set FLAG_ADKEY is omitted.  I agree the dependency should be 
enforced, either with .c/.h code to force on WINTIME if HAVE_NTP_SIGND is set, 
or by configure.ac.

-- 
Dave Hart <hart at ntp.org>
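
The option dependency discussed in the last paragraph, as an added sketch that is not part of the original message and is not code from ntp's configure.ac. The function name `resolve_ntp_options` and the baseline default of WINTIME off when neither option is given are assumptions made for illustration.

```shell
# Added example: hypothetical option resolver, not ntp's configure.ac.
# Assumption: with neither option given, WINTIME defaults to "no".
WINTIME_BASE_DEFAULT=no

# resolve_ntp_options ARGS...
# Prints "wintime=<yes|no> signd=<yes|no>" and returns 0.
# Returns 1 for signd without WINTIME, 2 for an unknown option.
resolve_ntp_options() {
    signd=no        # --enable-ntp-signd not given
    wintime=unset   # remember whether the user chose explicitly
    for arg in "$@"; do
        case "$arg" in
            --enable-ntp-signd)  signd=yes ;;
            --disable-ntp-signd) signd=no ;;
            --enable-wintime)    wintime=yes ;;
            --disable-wintime)   wintime=no ;;
            *) echo "unknown option: $arg" >&2; return 2 ;;
        esac
    done
    # Default described in the message: signd on implies WINTIME on.
    if [ "$wintime" = unset ]; then
        if [ "$signd" = yes ]; then
            wintime=yes
        else
            wintime=$WINTIME_BASE_DEFAULT
        fi
    fi
    # Enforcement the message asks for: reject signd without WINTIME,
    # because the code that sets FLAG_ADKEY would be compiled out.
    if [ "$signd" = yes ] && [ "$wintime" = no ]; then
        echo "error: --enable-ntp-signd requires WINTIME" >&2
        return 1
    fi
    echo "wintime=$wintime signd=$signd"
}
```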


