4.0.98m on Win NT 4.0 SP5: Permission denied


Post by Ulrich Wind » Fri, 28 Jan 2000 04:00:00



Hello I installed the precompiled ntp-4.0.98m on Windows/NT server 4.0
SP5.  In the event log I saw a lot of "Permission denied" messages,
and ntpq showed "No associations". I used symbolic host names. When
using "ntpdate -v ntp-1-a", I only saw the version line. Then it
seemed to hang.

(I run 4.0.92h with success however)

Any ideas?

Regards,
Ulrich

 
 
 


Post by Andrej Borsenko » Fri, 28 Jan 2000 04:00:00



> Hello I installed the precompiled ntp-4.0.98m on Windows/NT server 4.0
> SP5.  In the event log I saw a lot of "Permission denied" messages,
> and ntpq showed "No associations". I used symbolic host names. When
> using "ntpdate -v ntp-1-a", I only saw the version line. Then it
> seemed to hang.

Yes, I got the same with 4.0.98f. It does not work with names - only with
dotted IP addresses. Do not remember if it worked before - have tried for
the first time (after complete reinstall).

/andrej

 
 
 


Post by Terje Mathise » Fri, 28 Jan 2000 04:00:00





> > Hello I installed the precompiled ntp-4.0.98m on Windows/NT server 4.0
> > SP5.  In the event log I saw a lot of "Permission denied" messages,
> > and ntpq showed "No associations". I used symbolic host names. When
> > using "ntpdate -v ntp-1-a", I only saw the version line. Then it
> > seemed to hang.

> Yes, I got the same with 4.0.98f. It does not work with names - only with
> dotted IP addresses. Do not remember if it worked before - have tried for
> the first time (after complete reinstall).

I've never had ntp working with anything but ip addresses, so during the
last few couple of years I haven't even tried it. :-(

Terje

--

Using self-discipline, see http://www.eiffel.com/discipline
"almost all programming can be viewed as an exercise in caching"

 
 
 


Post by Carl Byingt » Fri, 28 Jan 2000 04:00:00



I have been building the recent versions of NTP with MD5 enabled.  There
is a bug (not located so far as I know) that causes this to require the
use of IP addresses rather than DNS names in the ntp.conf file.

NTP contains an internal DNS resolver thread.  When DNS names are found
in the ntp.conf file on startup, a list of those names is passed to this
resolver thread.  The resolver thread then uses DNS to resolve the names
and then essentially simulates ntpdc commands to reconfigure the NTP
server.

ntpdc normally requires the use of some authentication, and it appears
that this port, when compiled with MD5, does require the resolver thread
to have access to the same authentication token as the main NTP process.

You can use DNS names in your ntp.conf file if you add:

keys        %windir%\ntp.keys
enable      auth
trustedkey  1
requestkey  1
controlkey  1

and put something like:

1 M hex-digits

in your %windir%\ntp.keys file.

The same code base compiled on Linux does not have this requirement,
although using MD5 authentication is a good thing anyway.  I believe
that it is actually a bug on the Linux/Unix side to NOT require
authentication, since otherwise anyone that can forge packets with a
source ip address of your machine can reconfigure your NTP server.

--
PGP key available from the key servers.
Key fingerprint 95 F4 D3 94 66 BA 92 4E  06 1E 95 F8 74 A8 2F A0


 
 
 


Post by Per Hedela » Mon, 31 Jan 2000 04:00:00



(Carl Byington) writes:
>The same code base compiled on Linux does not have this requirement,
>although using MD5 authentication is a good thing anyway.  I believe
>that it is actually a bug on the Linux/Unix side to NOT require
>authentication, since otherwise anyone that can forge packets with a
>source ip address of your machine can reconfigure your NTP server.

*Of course* the Unix version requires authentication for
reconfiguration, it just cleverly avoids the hassle of setting up a key
file etc just to get names resolved to IP addresses - you actually
needed to do this in ancient times when the resolver was a separate
program ("xntpres"?), which caused most admins to use IP addresses
instead. :-)

If you don't have a key file and keys specified, ntpd simply fabricates
a key before forking the process that does the hostname lookups, and by
the magic of Unix fork() those two processes then share a secret key -
see ntpd/ntp_config.c/do_resolve_internal(). I can't see any obvious
reason why this couldn't work on NT with threads too, but considering
the level of my knowledge of NT internals that doesn't mean much.

It's a bit strange that enabling MD5 in the NT port breaks hostname
lookups though - how was it done without MD5, resolving in the main
thread or really without authentication?

--Per Hedeland
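
The fork()-shared key described in the post above, as an added example that is not ntpd's code and not part of any post. Only the MAC layout (4-byte key id followed by MD5(key || payload)) follows NTP's symmetric-key scheme; the request strings, key id, and function names are assumptions, and the code runs on POSIX systems only.

```python
import hashlib, hmac, os, secrets, struct

def mac(key: bytes, keyid: int, payload: bytes) -> bytes:
    """NTP-style symmetric MAC: 4-byte key id followed by MD5(key || payload)."""
    return struct.pack("!I", keyid) + hashlib.md5(key + payload).digest()

def verify(keys: dict, packet: bytes):
    """Return the payload if the trailing 20-byte MAC checks out, else None."""
    if len(packet) < 20:
        return None
    payload, tag = packet[:-20], packet[-20:]
    keyid = struct.unpack("!I", tag[:4])[0]
    key = keys.get(keyid)
    if key is None:                      # unknown key id: reject
        return None
    return payload if hmac.compare_digest(mac(key, keyid, payload), tag) else None

def run_demo():
    # Parent fabricates an ephemeral key *before* fork(); no key file is involved.
    keyid, key = 65535, secrets.token_bytes(16)   # constructed key id (assumption)
    keys = {keyid: key}
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                         # resolver child: inherited `key` via fork()
        try:
            os.close(r)
            req = b"addpeer 192.0.2.10"  # constructed request, not ntpd's wire format
            os.write(w, req + mac(key, keyid, req))
        finally:
            os._exit(0)
    os.close(w)
    packet = os.read(r, 4096)
    os.close(r)
    os.waitpid(pid, 0)
    # A sender outside the process pair can spoof an address but does not hold the key.
    forged_req = b"addpeer 203.0.113.66"
    forged = forged_req + mac(secrets.token_bytes(16), keyid, forged_req)
    return verify(keys, packet), verify(keys, forged)

if __name__ == "__main__":
    print(run_demo())
```

The key exists only in the memory of the two processes, which is why no keys file or trustedkey line is needed for the resolver's own requests.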

 
 
 


Post by Carl Byingt » Tue, 01 Feb 2000 04:00:00




says...


>If you don't have a key file and keys specified, ntpd simply fabricates
>a key before forking the process that does the hostname lookups, and by
>the magic of Unix fork() those two processes then share a secret key -
>see ntpd/ntp_config.c/do_resolve_internal(). I can't see any obvious
>reason why this couldn't work on NT with threads too, but considering
>the level of my knowledge of NT internals that doesn't mean much.

Ah, thanks for the code pointers. Ok, that *should* work on NT, since
the thread will have access to the same global static variables as the
main process. I will try to look at this if I get some spare time.

>It's a bit strange that enabling MD5 in the NT port breaks hostname
>lookups though - how was it done without MD5, resolving in the main
>thread or really without authentication?

It was resolving in the thread without authentication. Without MD5
(or any other authentication mechanism) defined, NTP has no ability
to share a secret between the resolver thread and the main process.

--
PGP key available from the key servers.
Key fingerprint 95 F4 D3 94 66 BA 92 4E  06 1E 95 F8 74 A8 2F A0


 
 
 
