Ntp Client
Bruce McDonald
brucemcdonal at mindspring.com
Fri Feb 20 00:48:30 UTC 2004
Hello Rick
On 19-Feb-04, you wrote:
> Bruce McDonald wrote:
>> Hello Rick
>>
>> On 19-Feb-04, you wrote:
>>> Bruce McDonald wrote:
>>>> Hello,
>>>> I apologise for the long post.
>>>> I have just spent a "fun" day yesterday trying to get ntpd to sync my
>>>> clock to a timeserver, and have failed.
>>>> The only time it did work was when I started X, went to Main Menu
>>>> Button => System Settings => Date & Time and specified a timeserver
>>>> there. Unfortunately that only lets you use one server, I wanted to
>>>> have several to keep my clock honest.
>>>> A note to those who will suggest ntpdate and a cron job..... I really
>>>> want to use ntpd as my clock gains ~20 seconds a day (rough
>>>> estimate).
>>>> I was unable to find any documentation that told me what to do
>>>> properly. I think I figured out what to do with the ntp.conf file,
>>>> but I don't see any traffic when I run tcpdump port ntp. Ntpq -p shows
>>>> my timeservers but none are marked.
>>>>
>>>> Ntpq -p:
>>>>      remote           refid      st t when poll reach   delay   offset  jitter
>>>> ==============================================================================
>>>>  tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>  timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>  clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>  clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>
>>>> This is what I have in my ntp.conf file:
>>>> (Is there anything wrong here?)
>>>>
>>>> # Prohibit general access to this service.
>>>> restrict default ignore
>>>>
>>>> # Permit all access over the loopback interface. This could
>>>> # be tightened as well, but to do so would effect some of
>>>> # the administrative functions.
>>>> restrict 127.0.0.1
>>>>
>>>> # -- CLIENT NETWORK -------
>>>> # Permit systems on this network to synchronize with this
>>>> # time service. Do not permit those systems to modify the
>>>> # configuration of this service. Also, do not use those
>>>> # systems as peers for synchronization.
>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>>>>
>>>> # --- OUR TIMESERVERS -----
>>>> # or remove the default restrict line
>>>> # Permit time synchronization with our time source, but do not
>>>> # permit the source to query or modify the service on this system.
>>>> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
>>>> # server mytrustedtimeserverip
>>>>
>>>> # --- NTP MULTICASTCLIENT ---
>>>> #multicastclient                        # listen on default 224.0.1.1
>>>> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>>>>
>>>> # --- GENERAL CONFIGURATION ---
>>>> #
>>>> # Undisciplined Local Clock. This is a fake driver intended for backup
>>>> # and when no outside source of synchronized time is available. The
>>>> # default stratum is usually 3, but in this case we elect to use stratum
>>>> # 0. Since the server line does not have the prefer keyword, this driver
>>>> # is never used for synchronization, unless no other other
>>>> # synchronization source is available. In case the local host is
>>>> # controlled by some external source, such as an external oscillator or
>>>> # another protocol, the prefer keyword would cause the local host to
>>>> # disregard all other synchronization sources, unless the kernel
>>>> # modifications are in use and declare an unsynchronized condition.
>>>> #
>>>> # server 127.127.1.0    # local clock
>>>> server navobs1.usnogps.navy.mil
>>>> server timekeeper.isi.edu
>>>> server clock.redhat.com
>>>> server clock2.redhat.com
>>>> server ntp1.linuxmedialabs.com
>>>> fudge 127.127.1.0 stratum 10
>>>> #
>>>> # Log file (added Feb 18, 2004)
>>>> #
>>>> logconfig all
>>>> logfile /var/log/xntpd
>>>> #
>>>> # Drift file. Put this in a directory which the daemon can write to.
>>>> # No symbolic links allowed, either, since the daemon updates the file
>>>> # by creating a temporary in the same directory and then rename()'ing
>>>> # it to the file.
>>>> #
>>>> driftfile /etc/ntp/drift
>>>> broadcastdelay 0.008
>>>> #
>>>> # Authentication delay. If you use, or plan to use someday, the
>>>> # authentication facility you should make the programs in the auth_stuff
>>>> # directory and figure out what this number should be on your machine.
>>>> #
>>>> authenticate yes
>>>> #
>>>> # Keys file. If you want to diddle your server at run time, make a
>>>> # keys file (mode 600 for sure) and define the key number to be
>>>> # used for making requests.
>>>> #
>>>> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
>>>> # systems might be able to reset your clock at will. Note also that
>>>> # ntpd is started with a -A flag, disabling authentication, that
>>>> # will have to be removed as well.
>>>> #
>>>> keys /etc/ntp/keys
>>>>
>>>> In case the firewall was blocking communication I added lines to
>>>> allow ntp to pass.
>>>>
>>>> #Deny TCP and UDP packets to privileged ports
>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
>>>>
>>>> Still no communication. Can anyone shed any light on how to get ntpd
>>>> to work properly as a client?
>>> Ah, um, are you on a cable or DSL router and is its firewall
>>> configured to allow incoming TCP/UDP port 123? I don't see anything
>>> evil in your ntp.conf or iptables.
>>
>> I am connected via a DSL modem with the linux box being the network
>> router.
>>
>>> Ok, let's try something simple. Try:
>>>
>>> tcpdump port 123
>>>
>>> in one window, then stop and restart xntpd. Verify that you actually
>>> see traffic. If not, you might try turning off iptables and trying
>>> again. If it works the second time, look higher up in your iptables
>>> to see if you have a block before your "--dport 123 -j ACCEPT" lines.
>>
>> Due to the way PPPoE works with DSL, I needed to type tcpdump -i PPP0
>> port 123
> Didn't realize you were on a DSL line, Bruce. Sorry about that.
>> Thanks Rick, you once again caused me to think in the right direction to
>> find where a problem lies.
>> Now I can see traffic. And the clock is correct, so I guess I will let it
>> run and see if it drifts by a significant amount in the next couple of
>> days. Interestingly, the drift file says 0.00; I find that hard to
>> believe. I think I'll have to delete it and restart ntpd to recalculate
>> the drift.
> Ok, so what was the problem? Inquiring minds want to know! :-)
I still am not sure about why the problem (or if there was one) existed,
maybe I was just missing something (like a working mind). The problem
solution that I found was the tcpdump issue. I'm still waiting to see if
the clock stays correct over a day or two.
Regards,
Bruce McDonald
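Added example, not from the list post or from the ntp project: a small shell script with two checks for the situation discussed in this thread. `ntpq_unreached` reads `ntpq -p` output and lists every peer ntpd has never heard from (reach 0, stratum 16, refid 0.0.0.0, the state in the listing quoted above). `ntpconf_lint` reads an ntp.conf and warns when the default restrict policy is `ignore` but there are fewer specific `restrict` lines than remote `server` lines; `ignore` drops packets of all kinds, the servers' replies included, unless a more specific restrict entry admits the source, which is what the quoted config's own comment "or remove the default restrict line" is about. The sample listing and both configs are constructed for the example (the synchronised peer and its 192.0.2.10 refid are invented), and the lint does not resolve hostnames, so matching restrict lines to servers by count is a heuristic.

```shell
#!/bin/sh
# Added example for the thread above (not from the list post or from ntp):
# two checks for an ntpd client whose peers never become reachable.
#
#   ntpq_unreached  reads `ntpq -p` output on stdin and prints every peer
#                   ntpd has never heard from (reach 0, stratum 16,
#                   refid 0.0.0.0), the state shown in the quoted listing.
#   ntpconf_lint    reads an ntp.conf on stdin and warns when the default
#                   restrict policy is `ignore` but there are fewer specific
#                   restrict lines than remote servers; `ignore` drops all
#                   packets, server replies included, unless a more specific
#                   restrict entry admits the source.  Counting lines is a
#                   heuristic: hostnames are not resolved to addresses here.

ntpq_unreached() {
    awk '
        /^ *remote +refid/ { next }        # column header
        /^=+$/ { next }                    # separator line
        {
            tally = substr($0, 1, 1)       # first column: tally code (space = rejected)
            $0 = substr($0, 2)             # drop it and re-split the remaining columns
            if (NF < 10) next
            peer = $1; refid = $2; st = $3; reach = $7
            if (tally == " ") tally = "none"
            if (reach == 0 || st == 16 || refid == "0.0.0.0")
                printf "%s tally=%s stratum=%s reach=%s refid=%s\n", peer, tally, st, reach, refid
        }'
}

ntpconf_lint() {
    awk '
        { sub(/#.*/, "") }                                   # strip comments
        NF == 0 { next }
        $1 == "server" && $2 !~ /^127\.127\./ { nserv++ }    # remote servers only, not refclocks
        $1 == "restrict" && $2 == "default" {
            for (i = 3; i <= NF; i++) if ($i == "ignore") ignore = 1
            next
        }
        $1 == "restrict" && $2 != "127.0.0.1" { nspec++ }    # specific, non-loopback restrict
        END {
            if (nserv == 0) { print "WARN: no remote server lines"; exit 1 }
            if (ignore && nspec < nserv) {
                printf "WARN: restrict default ignore with %d specific restrict line(s) for %d server(s): replies will be dropped\n", nspec, nserv
                exit 1
            }
            printf "OK: %d server(s); default policy admits time replies or each server has its own restrict line\n", nserv
        }'
}

# Constructed sample listing: two peers in the never-heard-from state of the
# quoted output, plus one synchronised system peer (tally *) with an invented
# refid, which the thread's listing did not have.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
*clock.redhat.co 192.0.2.10       2 u   12   64  377   45.123    1.234   0.456'

# Constructed config in the shape of the quoted ntp.conf: default policy
# ignore, only the loopback exempted, remote servers with no restrict lines.
SAMPLE_CONF='restrict default ignore
restrict 127.0.0.1
# server 127.127.1.0    # local clock
server navobs1.usnogps.navy.mil
server timekeeper.isi.edu
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift'

# Same servers with a default policy that still blocks queries and runtime
# modification but lets time packets through.
FIXED_CONF='restrict default nomodify notrap noquery
restrict 127.0.0.1
server navobs1.usnogps.navy.mil
server timekeeper.isi.edu'

unreached_count() { printf '%s\n' "$SAMPLE_NTPQ" | ntpq_unreached | wc -l | tr -d ' '; }

lint_status() {
    if printf '%s\n' "$1" | ntpconf_lint >/dev/null; then echo ok; else echo warn; fi
}

# Stand-alone run: print the unreached peers and both lint verdicts.
printf '%s\n' "$SAMPLE_NTPQ" | ntpq_unreached
printf '%s\n' "$SAMPLE_CONF" | ntpconf_lint || true
printf '%s\n' "$FIXED_CONF" | ntpconf_lint
```

On a live system the two functions take `ntpq -p | ntpq_unreached` and `ntpconf_lint < /etc/ntp.conf`; a peer that stays in the unreached list after a few poll intervals means no reply is getting back to ntpd, so the next thing to look at is the restrict policy and then the firewall and the interface tcpdump is watching.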
More information about the Redhat-install-list mailing list