Ntp Client

Bruce McDonald brucemcdonal at mindspring.com
Fri Feb 20 00:48:30 UTC 2004


Hello Rick

On 19-Feb-04, you wrote:

> Bruce McDonald wrote:
>> Hello Rick
>> 
>> On 19-Feb-04, you wrote:
>> 
>>> Bruce McDonald wrote:
>>> 
>>>> Hello,


>>>> I apologise for the long post.


>>>> I have just spent a "fun" day yesterday trying to get ntpd to sync my
>>>> clock to a timeserver, and have failed.


>>> The only time it did work was when I started X, went to Main Menu
>>> Button => System Settings => Date & Time and specified a timeserver
>>> there. Unfortunately that only lets you use one server, I wanted to
>>> have several to keep my clock honest.


>>> A note to those who will suggest ntpdate and a cron job..... I really
>>> want to use ntpd as my clock gains ~20 seconds a day (rough
>>> estimate).


>>> I was unable to find any documentation that told me what to do
>>> properly. I think I figured out what to do with the ntp.conf file,
>>> but I don't see any traffic when I run tcpdump port ntp. Ntpq -p shows
>>> my timeservers but none are marked.


>>>>>> Ntpq -p:
>>>>>>      remote           refid      st t when poll reach   delay   offset  jitter
>>>>>> ==============================================================================
>>>>>>  tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>>>  timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>>>  clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>>>>>>  clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00


>>>>>> This is what I have in my ntp.conf file:
>>>>>> (Is there anything wrong here?)


>>>>>> # Prohibit general access to this service.
>>>>>> restrict default ignore


>>>>>> # Permit all access over the loopback interface.  This could
>>>>>> # be tightened as well, but to do so would effect some of
>>>>>> # the administrative functions.
>>>>>> restrict 127.0.0.1 



>>>>>> # -- CLIENT NETWORK -------
>>>>>> # Permit systems on this network to synchronize with this
>>>>>> # time service.  Do not permit those systems to modify the
>>>>>> # configuration of this service.  Also, do not use those
>>>>>> # systems as peers for synchronization.
>>>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



>>>>>> # --- OUR TIMESERVERS ----- 
>>>>>> # or remove the default restrict line 
>>>>>> # Permit time synchronization with our time source, but do not
>>>>>> # permit the source to query or modify the service on this system.


>>>>>> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
>>>>>> # server mytrustedtimeserverip




>>>>>> # --- NTP MULTICASTCLIENT ---
>>>>>> #multicastclient            # listen on default 224.0.1.1
>>>>>> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
>>>>>> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap




>>> # --- GENERAL CONFIGURATION ---
>>> #
>>> # Undisciplined Local Clock. This is a fake driver intended for backup
>>> # and when no outside source of synchronized time is available. The
>>> # default stratum is usually 3, but in this case we elect to use stratum
>>> # 0. Since the server line does not have the prefer keyword, this driver
>>> # is never used for synchronization, unless no other
>>> # synchronization source is available. In case the local host is
>>> # controlled by some external source, such as an external oscillator or
>>> # another protocol, the prefer keyword would cause the local host to
>>> # disregard all other synchronization sources, unless the kernel
>>> # modifications are in use and declare an unsynchronized condition.
>>> #
>>> # server 127.127.1.0 # local clock
>>> server navobs1.usnogps.navy.mil
>>> server timekeeper.isi.edu
>>> server clock.redhat.com
>>> server clock2.redhat.com
>>> server ntp1.linuxmedialabs.com


>>>>>> fudge   127.127.1.0 stratum 10



>>>>>> #
>>>>>> # Log file (added Feb 18, 2004)
>>>>>> #
>>>>>> logconfig    all
>>>>>> logfile        /var/log/xntpd


>>> #
>>> # Drift file. Put this in a directory which the daemon can write to.
>>> # No symbolic links allowed, either, since the daemon updates the file
>>> # by creating a temporary in the same directory and then rename()'ing
>>> # it to the file.
>>> #
>>> driftfile /etc/ntp/drift
>>> broadcastdelay 0.008


>>> #
>>> # Authentication delay. If you use, or plan to use someday, the
>>> # authentication facility you should make the programs in the auth_stuff
>>> # directory and figure out what this number should be on your machine.
>>> #
>>> authenticate yes


>>>>>> #
>>>>>> # Keys file.  If you want to diddle your server at run time, make a
>>>>>> # keys file (mode 600 for sure) and define the key number to be
>>>>>> # used for making requests.
>>>>>> #
>>>>>> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
>>>>>> # systems might be able to reset your clock at will. Note also that
>>>>>> # ntpd is started with a -A flag, disabling authentication, that
>>>>>> # will have to be removed as well.
>>>>>> #
>>>>>> keys        /etc/ntp/keys




>>> In case the firewall was blocking communication I added lines to
>>> allow ntp to pass.


>>>>>> #Deny TCP and UDP packets to privileged ports
>>>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
>>>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
>>>>>> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
>>>>>> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP


>>> Still no communication. Can anyone shed any light on how to get ntpd
>>> to work properly as a client?


>> Ah, um, are you on a cable or DSL router and is its firewall
>> configured to allow incoming TCP/UDP port 123? I don't see anything
>> evil in your ntp.conf or iptables.
>> 
>> 
>> 
>>>> I am connected via a DSL modem with the linux box being the network
>>>> router.
>> 
>> 
>>> Ok, let's try something simple.  Try:
>> 
>> 
>>>    tcpdump port 123
>> 
>> 
>>> in one window, then stop and restart xntpd.  Verify that you actually
>>> see traffic.  If not, you might try turning off iptables and trying
>>> again.  If it works the second time, look higher up in your iptables
>>> to see if you have a block before your "--dport 123 -j ACCEPT" lines.


>> Due to the way PPPoE works with DSL, I needed to type tcpdump -i PPP0
>> port 123

> Didn't realize you were on a DSL line, Bruce.  Sorry about that.

>> Thanks Rick, you once again caused me to think in the right direction to
>> find where a problem lies.

>> Now I can see traffic. And the clock is correct, so I guess I will let it
>> run and see if it drifts by a significant amount in the next couple of
>> days. Interestingly, the drift file says 0.00; I find that hard to
>> believe. I think I'll have to delete it and restart ntpd to recalculate
>> the drift.

> Ok, so what was the problem?  Inquiring minds want to know! :-)

I still am not sure about why the problem (or if there was one) existed,
maybe I was just missing something (like a working mind).  The problem
solution that I found was the tcpdump issue.  I'm still waiting to see if
the clock stays correct over a day or two.

Regards,
Bruce McDonald
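The three checks the thread converges on (peers listed by ntpq -p but never reached, tcpdump run on the wrong interface for a PPPoE link, and a firewall DROP placed above the port 123 ACCEPT) can be scripted. The following is an added example, not code from the thread or its participants. It assumes the output formats of `ntpq -p`, `ip -o link show` and the modern `iptables -S INPUT` listing; all sample data embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original thread: three small checks for an
# ntpd client that lists its servers but never reaches them, following the
# diagnosis in the thread. All sample data below is constructed; on a real
# host feed in the output of `ntpq -p`, `ip -o link show` and
# `iptables -S INPUT` instead.

# Constructed `ntpq -p` output: two peers never answered (reach 0, stratum 16),
# one is synchronised (tally '*', reach 377).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
*clock.redhat.co 192.0.2.10       2 u   12   64  377   31.204   -1.532   0.912'

# Constructed `ip -o link show` output for a PPPoE router: the DSL session is
# ppp0, so capturing on eth0 would show no NTP traffic at all.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN'

# Constructed `iptables -S INPUT` output with the ordering mistake the thread
# describes: a DROP for ports 0:1023 sits above the port 123 ACCEPT.
SAMPLE_IPT='-P INPUT DROP
-A INPUT -i ppp0 -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT'

# 1. Print every peer whose reach register is 0 (no valid reply ever received)
#    or whose stratum is 16 (unsynchronised). Returns 1 if any were found.
unreachable_peers() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                       # header and ===== separator
        {
            tally = substr($0, 1, 1)           # * + - x . o or space
            name = (tally == " ") ? $1 : substr($1, 2)
            if ($3 + 0 == 16 || $7 + 0 == 0) { print name; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# 2. Choose the interface to capture on: a ppp* link if one exists, otherwise
#    the first non-loopback link.
capture_interface() {
    printf '%s\n' "$1" | awk -F': ' '
        $2 ~ /^ppp/ { print $2; found = 1; exit }
        $2 != "lo" && first == "" { first = $2 }
        END { if (!found) print first }'
}

# 3. Walk the INPUT chain top to bottom and report the first UDP rule that
#    applies to destination port 123 (a --dport range counts if it contains
#    123; a rule with no --dport matches every port). Interface matches are
#    ignored for simplicity.
ntp_rule_order() {
    printf '%s\n' "$1" | awk '
        function covers(spec,   n, r) {
            if (spec == "") return 1
            n = split(spec, r, ":")
            if (n == 1) return spec + 0 == 123
            return r[1] + 0 <= 123 && 123 <= r[2] + 0
        }
        /^-A INPUT / && / -p udp/ {
            spec = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") spec = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (!covers(spec)) next
            done = 1
            if (target == "ACCEPT") print "ok: " $0
            else print "blocked: " $0
            exit
        }
        END { if (!done) print "no explicit rule; chain policy applies" }'
}

# Stand-alone run against the constructed samples.
echo "peers never reached:"
unreachable_peers "$SAMPLE_NTPQ" || echo "(at least one server has never answered)"
echo "capture with: tcpdump -n -i $(capture_interface "$SAMPLE_LINKS") udp port 123"
echo "first matching INPUT rule: $(ntp_rule_order "$SAMPLE_IPT")"
```

The reach column is an octal shift register of the last eight polls, so 0 means ntpd has never received a usable reply from that server; combined with stratum 16 it says the query is being lost somewhere, not that the server is bad. Running the capture on the ppp interface and checking rule order in the INPUT chain are the two places the thread found that loss.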





More information about the Redhat-install-list mailing list