Ntp Client

Bruce McDonald brucemcdonal at mindspring.com
Thu Feb 19 23:51:17 UTC 2004 

Hello Rick

On 19-Feb-04, you wrote:

> Bruce McDonald wrote:
>> Hello Rick
>> 
>> On 19-Feb-04, you wrote:
>> 
>> 
>>> Bruce McDonald wrote:
>>> 
>>>> Hello,
>> 
>> 
>>>> I appologise for the long post.
>> 
>> 
>>>> I have just spent a "fun" day yesterday trying to get ntpd to sync my
>>>> clock to a
>>>> timeserver, and have failed.
>> 
>> 
>>>> The only time it did work was when I started X, went to Main Menu
>>>> Button => System Settings => Date & Time and specified a timeserver
>>>> there. Unfortunatly that only lets you use one server, I wanted to have
>>>> several to keep my clock honest.
>> 
>> 
>>>> A note to those who will suggest ntpdate and a cron job..... I really
>>>> want to use ntpd as my clock gains ~20 seconds a day (rough estimate).
>> 
>> 
>>>> I was unable to find any documentation that told me what to do
>>>> properly. I think I figured out what to do with the ntp.conf file, but
>>>> I don't see any traffic when I run tcpdump port ntp. Ntpq -p show my
>>>> timeservers but none are marked.
>> 
>> 
>>>> Ntpq -p:
>>>>    remote refid st t when poll reach delay offset jitter
>>>> 

>>
==============================================================================

>>>> tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000
>>>> 4000.00
>>>> timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000
>>>> 4000.00
>>>> clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000
>>>> 4000.00
>>>> clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000
>>>> 4000.00
>> 
>> 
>>>> This is what I have in my ntp.conf file:
>>>> (Is there anything wrong here?)
>> 
>> 
>>>> # Prohibit general access to this service.
>>>> restrict default ignore
>> 
>> 
>>>> # Permit all access over the loopback interface.  This could
>>>> # be tightened as well, but to do so would effect some of
>>>> # the administrative functions.
>>>> restrict 127.0.0.1 
>> 
>> 
>> 
>>>> # -- CLIENT NETWORK -------
>>>> # Permit systems on this network to synchronize with this
>>>> # time service.  Do not permit those systems to modify the
>>>> # configuration of this service.  Also, do not use those
>>>> # systems as peers for synchronization.
>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>> 
>> 
>> 
>>>> # --- OUR TIMESERVERS ----- 
>>>> # or remove the default restrict line 
>>>> # Permit time synchronization with our time source, but do not
>>>> # permit the source to query or modify the service on this system.
>> 
>> 
>>>> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap
>>>> noquery
>>>> # server mytrustedtimeserverip
>> 
>> 
>> 
>> 
>>>> # --- NTP MULTICASTCLIENT ---
>>>> #multicastclient            # listen on default 224.0.1.1
>>>> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>> 
>> 
>> 
>> 
>>>> # --- GENERAL CONFIGURATION --- #
>>>> # Undisciplined Local Clock. This is a fake driver intended for backup
>>>> # and when no outside source of synchronized time is available. The #
>>>> default stratum is usually 3, but in this case we elect to use stratum
>>>> # 0. Since the server line does not have the prefer keyword, this
>>>> driver # is never used for synchronization, unless no other other #
>>>> synchronization source is available. In case the local host is #
>>>> controlled by some external source, such as an external oscillator or #
>>>> another protocol, the prefer keyword would cause the local host to #
>>>> disregard all other synchronization sources, unless the kernel #
>>>> modifications are in use and declare an unsynchronized condition. #
>>>> # server 127.127.1.0 # local clock server navobs1.usnogps.navy.mil
>>>> server timekeeper.isi.edu server clock.redhat.com server
>>>> clock2.redhat.com server ntp1.linuxmedialabs.com
>> 
>> 
>>>> fudge   127.127.1.0 stratum 10
>> 
>> 
>> 
>>>> #
>>>> # Log file (added Feb 18, 2004)
>>>> #
>>>> logconfig    all
>>>> logfile        /var/log/xntpd
>> 
>> 
>>>> #
>>>> # Drift file.  Put this in a directory which the daemon can write to.
>>>> # No symbolic links allowed, either, since the daemon updates the file
>>>> # by creating a temporary in the same directory and then rename()'ing
>>>> # it to the file.
>>>> #
>>>> driftfile /etc/ntp/drift
>>>> broadcastdelay    0.008
>> 
>> 
>>>> #
>>>> # Authentication delay. If you use, or plan to use someday, the #
>>>> authentication facility you should make the programs in the auth_stuff
>>>> # directory and figure out what this number should be on your machine.
>>>> #
>>>> authenticate yes
>> 
>> 
>>>> #
>>>> # Keys file.  If you want to diddle your server at run time, make a
>>>> # keys file (mode 600 for sure) and define the key number to be
>>>> # used for making requests.
>>>> #
>>>> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
>>>> # systems might be able to reset your clock at will. Note also that
>>>> # ntpd is started with a -A flag, disabling authentication, that
>>>> # will have to be removed as well.
>>>> #
>>>> keys        /etc/ntp/keys
>> 
>> 
>> 
>> 
>>>> In case the firewall was blocking communication I added lines to allow
>>>> ntp to pass.
>> 
>> 
>>>> #Deny TCP and UDP packets to privileged ports
>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
>> 
>> 
>>>> Still no communication. Can anyone shed any light on how to get ntpd to
>>>> work properly as a client?
>> 
>> 
>>> Ah, um, are you on a cable or DSL router and is its firewall configured
>>> to allow incoming TCP/UDP port 123?  I don't see anything evil in
>>> your ntp.conf or iptables.


>> I am connected via a DSL modem with the linux box being the network
>> router.

> Ok, let's try something simple.  Try:

>     tcpdump port 123

> in one window, then stop and restart xntpd.  Verify that you actually
> see traffic.  If not, you might try turning off iptables and trying
> again.  If it works the second time, look higher up in your iptables
> to see if you have a block before your "--dport 123 -j ACCEPT" lines.

Due to the way PPPoE works with DSL, I needed to type tcpdump -i PPP0 port
123

Thanks Rick, you once again caused me to think in the right direction to
find where a problem lies.

Now I can see traffic.  And the clock is correct, so I guess I will let it
run and see if it drifts by a significant amount in the next couple of
days.  Interestingly, the drift file says 0.00; I find that hard to
believe.  I think I'll have to delete it and restart ntpd to recalculate
the drift.

Thanks again.

Cheers,
Bruce McDonald

More information about the Redhat-install-list mailing list