[ntp:questions] New Windows NTP Installer available
Heiko Gerstung
heiko.gerstung at meinberg.de
Tue Jul 31 19:31:11 UTC 2007
Ulrich Windl wrote:
> "David J Taylor" <david-taylor at blueyonder.not-this-bit.nor-this-bit.co.uk> writes:
>
>> Heiko Gerstung wrote:
>>> Hi Gurus of Time!
>>>
>>> I am very happy to announce that we just released a new stable
>>> version of our NTP Installer for Windows, including ntp-4.2.4p3 and
>>> openssl-0.9.8e.
>> []
>>> Best Regards,
>>> Heiko
>> Heiko,
>>
>> There /may/ be another issue with Windows 2000, in that NTP is producing
>> event-log messages about not being able to write ntp.drift.TEMP. I
>> checked the ntp.drift (actually in \WinNT\ in this installation) and it
>> didn't have a permissions entry for the ntp account, so I have now changed
>> the permissions to all-users, full control. It's about 30 minutes before
>> the next error message is due, so I'll try and check back then....
>
> Why not use %USERPROFILE% instead of %SystemRoot% for state information?
> There may be also %TMP% or %TEMP% defined. UNIX users always make a
> difference between program directories (which may be shared read-only) and
> data directories (which should be writable and private).
This is how it works with the installer per default. It creates an
account with which the service is running and uses %PROGRAM
FILES%\ntp\etc as its default location for the drift file. The service
account is granted read-write access to "his" directories and there is
no need to grant any rights to other directories.
Older versions of the NTP port for Windows did not honor all file
location statements in the config file (such as "driftfile") and ignored
the "-c configfile" commandline parameter, instead they searched for the
config file in three fixed locations (in the windir subtree) and used
hardcoded (AFAIK) locations for the driftfile.
I guess that David's system once ran such an old ntpd and the installer
now does not touch this existing setup, if you choose the "update
binaries only" approach.
>> No, it seems to still want to write to ntp.drift.TEMP rather than
>> ntp.drift, so I've started NTP after checking the permissions on
>> ntp.drift. Check back in just over an hour....
>
> AFAIK: if the temporary file is removed, so are your ACLs.
Correct. The biggest problem in terms of security was that using the
temporary file approach requires ntpd to have write access to the whole
directory.
>
>> Well, now it /is/ writing to ntp.drift.TEMP, but seems to have deleted the
>> file ntp.drift. I don't understand this behaviour.
>>
>> Version:
>> ntpd 4.2.4p3-RC1 at foehr-o Jun 29 13:52:39 (UTC+02:00) 2007 (10)
It writes to ntp.drift.TEMP, deletes ntp.drift and then renames
ntp.drift.TEMP back to ntp.drift ...
A 3 minute re-install would fix this, just backup your config file,
uninstall your old installation of ntp, reinstall ntpd using the new
foehr installer and copy your ntp.config file to the etc subdirectory of
your NTP installation.
Best Regards.
Heiko
>> Cheers,
>> David