[ntp:questions] New Windows NTP Installer available

Heiko Gerstung heiko.gerstung at meinberg.de
Tue Jul 31 19:31:11 UTC 2007


Ulrich Windl wrote:
> "David J Taylor" <david-taylor at blueyonder.not-this-bit.nor-this-bit.co.uk> writes:
> 
>> Heiko Gerstung wrote:
>>> Hi Gurus of Time!
>>>
>>> I am very happy to announce that we just released a new stable
>>> version of our NTP Installer for Windows, including ntp-4.2.4p3 and
>>> openssl-0.9.8e.
>> []
>>> Best Regards,
>>>  Heiko
>> Heiko,
>>
>> There /may/ be another issue with Windows 2000, in that NTP is producing 
>> event-log messages about not being able to write ntp.drift.TEMP.  I 
>> checked the ntp.drift (actually in \WinNT\ in this installation) and it 
>> didn't have a permissions entry for the ntp account, so I have now changed 
>> the permissions to all-users, full control.  It's about 30 minutes before 
>> the next error message is due, so I'll try and check back then....
> 
> Why not use %USERPROFILE% instead of %SystemRoot% for state information?
> There may also be %TMP% or %TEMP% defined.  UNIX users always make a
> difference between program directories (which may be shared read-only) and
> data directories (which should be writable and private).

This is how it works with the installer by default. It creates an 
account with which the service is running and uses %PROGRAM 
FILES%\ntp\etc as its default location for the drift file. The service 
account is granted read-write access to "his" directories and there is 
no need to grant any rights to other directories.

Older versions of the NTP port for Windows did not honor all file 
location statements in the config file (such as "driftfile") and ignored 
the "-c configfile" command-line parameter; instead they searched for the 
config file in three fixed locations (in the windir subtree) and used 
hardcoded (AFAIK) locations for the driftfile.

I guess that David's system once ran such an old ntpd and the installer 
now does not touch this existing setup, if you choose the "update 
binaries only" approach.

>> No, it seems to still want to write to ntp.drift.TEMP rather than 
>> ntp.drift, so I've started NTP after checking the permissions on 
>> ntp.drift.  Check back in just over an hour....
> 
> AFAIK: if the temporary file is removed, so are your ACLs.

Correct. The biggest problem in terms of security was that using the 
temporary file approach requires ntpd to have write access to the whole 
directory.

> 
>> Well, now it /is/ writing to ntp.drift.TEMP, but seems to have deleted the 
>> file ntp.drift.  I don't understand this behaviour.
>>
>> Version:
>>   ntpd 4.2.4p3-RC1 at foehr-o Jun 29 13:52:39 (UTC+02:00) 2007  (10)

It writes to ntp.drift.TEMP, deletes ntp.drift and then renames 
ntp.drift.TEMP back to ntp.drift ...

A 3-minute re-install would fix this: just back up your config file, 
uninstall your old installation of ntp, reinstall ntpd using the new 
foehr installer and copy your ntp.config file to the etc subdirectory of 
your NTP installation.

Best Regards.
Heiko


>> Cheers,
>> David 

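The write, delete and rename sequence discussed in this thread, shown as an added example that is not part of any message above and is not ntpd's own code. It uses POSIX mode bits as a stand-in for Windows ACLs (an assumption), and the names `replace_via_temp` and `demo` and the drift values are constructed for illustration.

```python
import os
import stat
import tempfile


def replace_via_temp(drift_path, value):
    """Update the drift file as the thread describes: TEMP file, delete, rename."""
    temp_path = drift_path + ".TEMP"
    # Creating a new name requires write access to the directory itself,
    # not just to the existing drift file.
    fd = os.open(temp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value + "\n")
    os.chmod(temp_path, 0o600)        # pin the mode regardless of umask
    if os.path.exists(drift_path):
        os.remove(drift_path)         # old file object and its permissions are gone
    os.rename(temp_path, drift_path)  # the temp file now *is* ntp.drift


def demo():
    """Hand-set permissions on ntp.drift, run one update, report what survived."""
    with tempfile.TemporaryDirectory() as d:
        drift = os.path.join(d, "ntp.drift")
        with open(drift, "w") as f:
            f.write("0.000\n")        # constructed sample value
        os.chmod(drift, 0o664)        # permission granted by hand on the old file
        before = os.stat(drift)
        replace_via_temp(drift, "12.345")
        after = os.stat(drift)
        with open(drift) as f:
            content = f.read().strip()
        return {
            "same_file": (before.st_dev, before.st_ino) == (after.st_dev, after.st_ino),
            "mode_before": stat.S_IMODE(before.st_mode),
            "mode_after": stat.S_IMODE(after.st_mode),
            "content": content,
            "temp_left": os.path.exists(drift + ".TEMP"),
        }


if __name__ == "__main__":
    print(demo())
```

The file named ntp.drift after the update is a different file object from the one whose permissions were edited, which is why rights have to be granted on the directory rather than on the drift file.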