[ntp:questions] New Windows NTP Installer available

Heiko Gerstung heiko.gerstung at meinberg.de
Wed Aug 1 06:09:35 UTC 2007

Danny Mayer wrote:
> Heiko Gerstung wrote:
>> Ulrich Windl wrote:
>>> "David J Taylor" <david-taylor at blueyonder.not-this-bit.nor-this-bit.co.uk> writes:
>>>> Heiko Gerstung wrote:
>>>>> Hi Gurus of Time!
>>>>> I am very happy to announce that we just released a new stable
>>>>> version of our NTP Installer for Windows, including ntp-4.2.4p3 and
>>>>> openssl-0.9.8e.
>>>> []
>>>>> Best Regards,
>>>>>  Heiko
>>>> Heiko,
>>>> There /may/ be another issue with Windows 2000, in that NTP is producing 
>>>> event-log messages about not being able to write ntp.drift.TEMP.  I 
>>>> checked the ntp.drift (actually in \WinNT\ in this installation) and it 
>>>> didn't have a permissions entry for the ntp account, so I have now changed 
>>>> the permissions to all-users, full control.  It's about 30 minutes before 
>>>> the next error message is due, so I'll try and check back then....
>>> Why not use %USERPROFILE% instead of %SystemRoot% for state information?
>>> There may be also %TMP% or %TEMP% defined.  UNIX users always make a
>>> difference between program directories (which may be shared read-only) and
>>> data directories (which should be writable and private).
>> This is how it works with the installer per default. It creates an 
>> account with which the service is running and uses %PROGRAM 
>> FILES%\ntp\etc as its default location for the drift file. The service 
>> account is granted read-write access to "his" directories and there is 
>> no need to grant any rights to other directories.
>> Older versions of the NTP port for Windows did not honor all file 
>> location statements in the config file (such as "driftfile") and ignored 
>> the "-c configfile" commandline parameter, instead they searched for the 
>> config file in three fixed locations (in the windir subtree) and used 
>> hardcoded (AFAIK) locations for the driftfile.
> I will be updating the code at some point to put default locations for
> the config file and drift file into NTP service location of the registry
> rather than using those fixed locations.

Adding the capability to use the registry would surely improve ntpd integration 
in Windows systems, but this is a low priority issue because current versions of 
ntpd are capable of writing to whatever location you specify and that works 
perfectly fine.

>> I guess that David's system once ran such an old ntpd and the installer 
>> now does not touch this existing setup, if you choose the "update 
>> binaries only" approach.
>>>> No, it seems to still want to write to ntp.drift.TEMP rather than 
>>>> ntp.drift, so I've started NTP after checking the permissions on 
>>>> ntp.drift.  Check back in just over an hour....
>>> AFAIK: if the temporary file is removed, so are your ACLs.
>> Correct. The biggest problem in terms of security was that using the 
>> temporary file approach requires ntpd to have write access to the whole 
>> directory.
> You need to have write access to write the drift file. We can do a
> better job of specifying ACLs.

The problem is that ntpd always creates a temporary file in the same directory 
where the driftfile is stored. That means that ntpd has to have write access to 
that directory.


> Danny


*MEINBERG Funkuhren GmbH & Co. KG*
Auf der Landwehr 22
D-31812 Bad Pyrmont, Germany
Tel.: ++49 (0)5281 9309-25
Fax: ++49 (0)5281 9309-30
eMail: heiko.gerstung at meinberg.de
Internet: www.meinberg.de


Meinberg radio clocks: 25 years of accurate time worldwide
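
An added illustration of the temp-file-and-rename pattern discussed in this thread (not ntpd's code and not part of the original message). It uses POSIX mode bits as a stand-in for Windows ACLs to show why permissions set by hand on ntp.drift vanish after the next update, and one way to carry them over. The function names and the sample drift value are assumptions.

```python
import os
import stat
import tempfile


def write_drift(path, value, preserve_mode=False):
    """Replace `path` via a sibling .TEMP file and a rename.

    Returns (inode_before, inode_after, mode_after).
    """
    tmp = path + ".TEMP"  # temp file name as reported in the thread
    before = os.stat(path)
    # Creating tmp requires write access to the directory, not just to `path`.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # Either copy the old file's permission bits or fall back to the
        # creator's default (fixed at 0600 here so the result is deterministic).
        mode = stat.S_IMODE(before.st_mode) if preserve_mode else 0o600
        os.fchmod(fd, mode)
        os.write(fd, f"{value:.3f}\n".encode())
    finally:
        os.close(fd)
    os.replace(tmp, path)  # the name now refers to a different file object
    after = os.stat(path)
    return before.st_ino, after.st_ino, stat.S_IMODE(after.st_mode)


def demo():
    """Run both variants in a scratch directory and return their results."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        drift = os.path.join(d, "ntp.drift")
        for label, keep in (("plain", False), ("preserving", True)):
            with open(drift, "w") as f:
                f.write("0.000\n")
            # Constructed scenario: an administrator widens access by hand.
            os.chmod(drift, 0o664)
            results[label] = write_drift(drift, 12.345, preserve_mode=keep)
    return results


if __name__ == "__main__":
    for label, (ino_a, ino_b, mode) in demo().items():
        print(f"{label}: replaced={ino_a != ino_b} mode={oct(mode)}")
```

In both variants the drift file is a new file after the update, so the directory still has to be writable by the service account; only the second variant keeps the hand-set permissions.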
