[ntp:questions] New Windows NTP Installer available
Heiko Gerstung
heiko.gerstung at meinberg.de
Wed Aug 1 06:09:35 UTC 2007
Danny Mayer wrote:
> Heiko Gerstung wrote:
>> Ulrich Windl wrote:
>>> "David J Taylor" <david-taylor at blueyonder.not-this-bit.nor-this-bit.co.uk> writes:
>>>
>>>> Heiko Gerstung wrote:
>>>>> Hi Gurus of Time!
>>>>>
>>>>> I am very happy to announce that we just released a new stable
>>>>> version of our NTP Installer for Windows, including ntp-4.2.4p3 and
>>>>> openssl-0.9.8e.
>>>> []
>>>>> Best Regards,
>>>>> Heiko
>>>> Heiko,
>>>>
>>>> There /may/ be another issue with Windows 2000, in that NTP is producing
>>>> event-log messages about not being able to write ntp.drift.TEMP. I
>>>> checked the ntp.drift (actually in \WinNT\ in this installation) and it
>>>> didn't have a permissions entry for the ntp account, so I have now changed
>>>> the permissions to all-users, full control. It's about 30 minutes before
>>>> the next error message is due, so I'll try and check back then....
>>> Why not use %USERPROFILE% instead of %SystemRoot% for state information?
>>> There may also be %TMP% or %TEMP% defined. UNIX users always make a
>>> difference between program directories (which may be shared read-only) and
>>> data directories (which should be writable and private).
>> This is how it works with the installer per default. It creates an
>> account with which the service is running and uses %PROGRAM
>> FILES%\ntp\etc as its default location for the drift file. The service
>> account is granted read-write access to "his" directories and there is
>> no need to grant any rights to other directories.
>>
>> Older versions of the NTP port for Windows did not honor all file
>> location statements in the config file (such as "driftfile") and ignored
>> the "-c configfile" commandline parameter, instead they searched for the
>> config file in three fixed locations (in the windir subtree) and used
>> hardcoded (AFAIK) locations for the driftfile.
>>
>
> I will be updating the code at some point to put default locations for
> the config file and drift file into NTP service location of the registry
> rather than using those fixed locations.

Adding the capability to use the registry would surely improve ntpd integration
in Windows systems, but this is a low priority issue because current versions of
ntpd are capable of writing to whatever location you specify and that works
perfectly fine.

>> I guess that David's system once ran such an old ntpd and the installer
>> now does not touch this existing setup, if you choose the "update
>> binaries only" approach.
>>
>>>> No, it seems to still want to write to ntp.drift.TEMP rather than
>>>> ntp.drift, so I've started NTP after checking the permissions on
>>>> ntp.drift. Check back in just over an hour....
>>> AFAIK: if the temporary file is removed, so are your ACLs.
>> Correct. The biggest problem in terms of security was that using the
>> temporary file approach requires ntpd to have write access to the whole
>> directory.
>
> You need to have write access to write the drift file. We can do a
> better job of specifying ACLs.

The problem is that ntpd always creates a temporary file in the same directory
where the driftfile is stored. That means that ntpd has to have write access to
that directory.

Cheers,
Heiko
>
> Danny
>
--
------------------------------------------------------------------------
*MEINBERG Funkuhren GmbH & Co. KG*
Auf der Landwehr 22
D-31812 Bad Pyrmont, Germany
Tel.: ++49 (0)5281 9309-25
Fax: ++49 (0)5281 9309-30
eMail: heiko.gerstung at meinberg.de
Internet: www.meinberg.de
------------------------------------------------------------------------
Meinberg radio clocks: 25 years of accurate time worldwide
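
The temp-file-then-rename update discussed in this thread, as an added example that is not part of the original message and is not ntpd source code. It is a POSIX analogue in which mode bits stand in for the ACL entries; the `/tmp/driftdemo.*` path, the fixture values and the function names are constructed for illustration.

```c
/* Added example, not ntpd source: POSIX analogue of the ntp.drift.TEMP update. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct result { int ok; int same_file; int mode_after; };

/* Constructed fixture: <dir>/ntp.drift with hand-set mode 0664. */
int make_fixture(const char *dir)
{
    char drift[512];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(drift, sizeof drift, "%s/ntp.drift", dir);
    int fd = open(drift, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "0.000\n", 6) != 6) { close(fd); return -1; }
    close(fd);
    return chmod(drift, 0664);
}

/* Write value to <dir>/ntp.drift.TEMP, then rename it over <dir>/ntp.drift.
   Creating and renaming directory entries needs write access to dir itself. */
struct result update_via_temp(const char *dir, const char *value)
{
    struct result r = {0, 0, 0};
    char drift[512], temp[512];
    struct stat before, after;
    snprintf(drift, sizeof drift, "%s/ntp.drift", dir);
    snprintf(temp, sizeof temp, "%s/ntp.drift.TEMP", dir);
    if (stat(drift, &before) != 0) return r;
    int fd = open(temp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return r;               /* e.g. EACCES: directory not writable */
    int wrote = write(fd, value, strlen(value)) == (ssize_t)strlen(value);
    if (close(fd) != 0 || !wrote || rename(temp, drift) != 0 ||
        stat(drift, &after) != 0) { unlink(temp); return r; }
    r.ok = 1;
    r.same_file = before.st_ino == after.st_ino;  /* 0: a new file replaced it */
    r.mode_after = after.st_mode & 0777;          /* temp file's mode, not 0664 */
    return r;
}

int main(void)
{
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/driftdemo.%ld", (long)getpid());
    if (make_fixture(dir) != 0) return 1;
    struct result r = update_via_temp(dir, "12.345\n");
    printf("ok=%d same_file=%d mode_after=%o\n", r.ok, r.same_file, r.mode_after);
    return r.ok ? 0 : 1;
}
```

Because the rename installs a different file under the old name, permissions set by hand on `ntp.drift` do not carry over; access has to be granted on a directory dedicated to the service's state files.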