Ntp Client

Bruce McDonald brucemcdonal at mindspring.com
Thu Feb 19 19:00:47 UTC 2004 

Hello Rick

On 19-Feb-04, you wrote:

> Bruce McDonald wrote:
>> Hello,

>> I appologise for the long post.

>> I have just spent a "fun" day yesterday trying to get ntpd to sync my
>> clock to a
>> timeserver, and have failed.

>> The only time it did work was when I started X, went to Main Menu Button
>> => System Settings => Date & Time and specified a timeserver there.
>> Unfortunatly that only lets you use one server, I wanted to have several
>> to keep my clock honest.

>> A note to those who will suggest ntpdate and a cron job..... I really
>> want to use ntpd as my clock gains ~20 seconds a day (rough estimate).

>> I was unable to find any documentation that told me what to do properly.
>> I think I figured out what to do with the ntp.conf file, but I don't see
>> any traffic when I run tcpdump port ntp. Ntpq -p show my timeservers but
>> none are marked.

>> Ntpq -p:
>>     remote refid st t when poll reach delay offset jitter
>>
==============================================================================
>> tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000
>> 4000.00
>> timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000
>> 4000.00
>> clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000
>> 4000.00
>> clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000
>> 4000.00

>> This is what I have in my ntp.conf file:
>> (Is there anything wrong here?)

>> # Prohibit general access to this service.
>> restrict default ignore

>> # Permit all access over the loopback interface.  This could
>> # be tightened as well, but to do so would effect some of
>> # the administrative functions.
>> restrict 127.0.0.1 


>> # -- CLIENT NETWORK -------
>> # Permit systems on this network to synchronize with this
>> # time service.  Do not permit those systems to modify the
>> # configuration of this service.  Also, do not use those
>> # systems as peers for synchronization.
>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap


>> # --- OUR TIMESERVERS ----- 
>> # or remove the default restrict line 
>> # Permit time synchronization with our time source, but do not
>> # permit the source to query or modify the service on this system.

>> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap
>> noquery
>> # server mytrustedtimeserverip



>> # --- NTP MULTICASTCLIENT ---
>> #multicastclient            # listen on default 224.0.1.1
>> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



>> # --- GENERAL CONFIGURATION ---
>> #
>> # Undisciplined Local Clock. This is a fake driver intended for backup
>> # and when no outside source of synchronized time is available. The
>> # default stratum is usually 3, but in this case we elect to use stratum
>> # 0. Since the server line does not have the prefer keyword, this driver
>> # is never used for synchronization, unless no other other
>> # synchronization source is available. In case the local host is
>> # controlled by some external source, such as an external oscillator or
>> # another protocol, the prefer keyword would cause the local host to
>> # disregard all other synchronization sources, unless the kernel
>> # modifications are in use and declare an unsynchronized condition.
>> #
>> # server    127.127.1.0    # local clock
>> server navobs1.usnogps.navy.mil 
>> server timekeeper.isi.edu 
>> server clock.redhat.com
>> server clock2.redhat.com 
>> server ntp1.linuxmedialabs.com 

>> fudge   127.127.1.0 stratum 10


>> #
>> # Log file (added Feb 18, 2004)
>> #
>> logconfig    all
>> logfile        /var/log/xntpd

>> #
>> # Drift file.  Put this in a directory which the daemon can write to.
>> # No symbolic links allowed, either, since the daemon updates the file
>> # by creating a temporary in the same directory and then rename()'ing
>> # it to the file.
>> #
>> driftfile /etc/ntp/drift
>> broadcastdelay    0.008

>> #
>> # Authentication delay.  If you use, or plan to use someday, the
>> # authentication facility you should make the programs in the auth_stuff
>> # directory and figure out what this number should be on your machine.
>> #
>> authenticate yes

>> #
>> # Keys file.  If you want to diddle your server at run time, make a
>> # keys file (mode 600 for sure) and define the key number to be
>> # used for making requests.
>> #
>> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
>> # systems might be able to reset your clock at will. Note also that
>> # ntpd is started with a -A flag, disabling authentication, that
>> # will have to be removed as well.
>> #
>> keys        /etc/ntp/keys



>> In case the firewall was blocking communication I added lines to allow
>> ntp to pass.

>> #Deny TCP and UDP packets to privileged ports
>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP

>> Still no communication.  Can anyone shed any light on how to get ntpd to
>> work properly as a client?

> Ah, um, are you on a cable or DSL router and is its firewall configured
> to allow incoming TCP/UDP port 123?  I don't see anything evil in
> your ntp.conf or iptables.

I am connected via a DSL modem with the linux box being the network router.

Regards,
Bruce McDonald

More information about the Redhat-install-list mailing list