Ntp Client
Rick Stevens
rstevens at vitalstream.com
Thu Feb 19 18:54:23 UTC 2004
Bruce McDonald wrote:
> Hello,
>
> I apologise for the long post.
>
> I have just spent a "fun" day yesterday trying to get ntpd to sync my clock
> to a timeserver, and have failed.
>
> The only time it did work was when I started X, went to Main Menu Button =>
> System Settings => Date & Time and specified a timeserver there.
> Unfortunately that only lets you use one server, I wanted to have several to
> keep my clock honest.
>
> A note to those who will suggest ntpdate and a cron job..... I really want
> to use ntpd as my clock gains ~20 seconds a day (rough estimate).
>
> I was unable to find any documentation that told me what to do properly. I
> think I figured out what to do with the ntp.conf file, but I don't see any
> traffic when I run tcpdump port ntp. Ntpq -p show my timeservers but none
> are marked.
>
> Ntpq -p:
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
> timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
> clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
> clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>
> This is what I have in my ntp.conf file:
> (Is there anything wrong here?)
>
> # Prohibit general access to this service.
> restrict default ignore
>
> # Permit all access over the loopback interface. This could
> # be tightened as well, but to do so would affect some of
> # the administrative functions.
> restrict 127.0.0.1
>
>
> # -- CLIENT NETWORK -------
> # Permit systems on this network to synchronize with this
> # time service. Do not permit those systems to modify the
> # configuration of this service. Also, do not use those
> # systems as peers for synchronization.
> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>
>
> # --- OUR TIMESERVERS -----
> # or remove the default restrict line
> # Permit time synchronization with our time source, but do not
> # permit the source to query or modify the service on this system.
>
> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
> # server mytrustedtimeserverip
>
>
>
> # --- NTP MULTICASTCLIENT ---
> #multicastclient # listen on default 224.0.1.1
> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>
>
>
> # --- GENERAL CONFIGURATION ---
> #
> # Undisciplined Local Clock. This is a fake driver intended for backup
> # and when no outside source of synchronized time is available. The
> # default stratum is usually 3, but in this case we elect to use stratum
> # 0. Since the server line does not have the prefer keyword, this driver
> # is never used for synchronization, unless no other
> # synchronization source is available. In case the local host is
> # controlled by some external source, such as an external oscillator or
> # another protocol, the prefer keyword would cause the local host to
> # disregard all other synchronization sources, unless the kernel
> # modifications are in use and declare an unsynchronized condition.
> #
> # server 127.127.1.0 # local clock
> server navobs1.usnogps.navy.mil
> server timekeeper.isi.edu
> server clock.redhat.com
> server clock2.redhat.com
> server ntp1.linuxmedialabs.com
>
> fudge 127.127.1.0 stratum 10
>
>
> #
> # Log file (added Feb 18, 2004)
> #
> logconfig all
> logfile /var/log/xntpd
>
> #
> # Drift file. Put this in a directory which the daemon can write to.
> # No symbolic links allowed, either, since the daemon updates the file
> # by creating a temporary in the same directory and then rename()'ing
> # it to the file.
> #
> driftfile /etc/ntp/drift
> broadcastdelay 0.008
>
> #
> # Authentication delay. If you use, or plan to use someday, the
> # authentication facility you should make the programs in the auth_stuff
> # directory and figure out what this number should be on your machine.
> #
> authenticate yes
>
> #
> # Keys file. If you want to diddle your server at run time, make a
> # keys file (mode 600 for sure) and define the key number to be
> # used for making requests.
> #
> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
> # systems might be able to reset your clock at will. Note also that
> # ntpd is started with a -A flag, disabling authentication, that
> # will have to be removed as well.
> #
> keys /etc/ntp/keys
>
>
>
> In case the firewall was blocking communication I added lines to allow ntp
> to pass.
>
> #Deny TCP and UDP packets to privileged ports
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
>
> Still no communication. Can anyone shed any light on how to get ntpd to
> work properly as a client?
Ah, um, are you on a cable or DSL router and is its firewall configured
to allow incoming TCP/UDP port 123? I don't see anything evil in
your ntp.conf or iptables.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- We are born naked, wet and hungry. Then things get worse. -
----------------------------------------------------------------------
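
Added example, not part of the original thread: with `restrict default ignore` in force, ntpd also discards packets from its own `server` entries unless each one has a more specific `restrict` line, which is consistent with the `reach 0`, stratum 16 output in the quoted post. This Python check lists such servers; the sample config and host names are constructed, and hostnames are compared literally with no DNS lookup.

```python
import ipaddress

# Constructed sample modelled on the ntp.conf quoted in the thread (hosts are placeholders).
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
server clock.example.net
server 192.0.2.10
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
server 127.127.1.0
"""

def parse(conf):
    """Return (default_flags, restrict_entries, servers) from ntp.conf text."""
    default_flags, entries, servers = None, [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif tok[0] == "restrict" and tok[1] == "default":
            default_flags = set(tok[2:])
        elif tok[0] == "restrict":
            mask = tok[3] if len(tok) > 3 and tok[2] == "mask" else "255.255.255.255"
            entries.append((tok[1], mask))
    return default_flags, entries, servers

def covered(server, entries):
    """True if a non-default restrict entry matches this server."""
    for addr, mask in entries:
        if addr == server:
            return True
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if ipaddress.ip_address(server) in net:
                return True
        except ValueError:
            continue  # a hostname on either side: only the exact-name match above counts
    return False

def blocked_servers(conf):
    """Servers whose replies fall through to 'restrict default ignore'."""
    default_flags, entries, servers = parse(conf)
    if default_flags is None or "ignore" not in default_flags:
        return []
    return [s for s in servers      # 127.127.x.x are local reference clock drivers
            if not s.startswith("127.127.") and not covered(s, entries)]
```

Each server the check reports needs its own line of the form already shown commented out in the quoted config (`restrict <server> mask 255.255.255.255 nomodify notrap noquery`), which lets time replies in while still refusing queries and runtime changes from that host.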