Ntp Client

Rick Stevens rstevens at vitalstream.com
Thu Feb 19 18:54:23 UTC 2004 

Bruce McDonald wrote:
> Hello,
> 
> I appologise for the long post.
> 
> I have just spent a "fun" day yesterday trying to get ntpd to sync my clock
> to a
> timeserver, and have failed.
> 
> The only time it did work was when I started X, went to Main Menu Button =>
> System Settings => Date & Time and specified a timeserver there. 
> Unfortunatly that only lets you use one server, I wanted to have several to
> keep my clock honest.
> 
> A note to those who will suggest ntpdate and a cron job..... I really want
> to use ntpd as my clock gains ~20 seconds a day (rough estimate).
> 
> I was unable to find any documentation that told me what to do properly.  I
> think I figured out what to do with the ntp.conf file, but I don't see any
> traffic when I run tcpdump port ntp.  Ntpq -p show my timeservers but none
> are marked.  
> 
> Ntpq -p:
>      remote           refid      st t when poll reach   delay   offset 
> jitter
> ==============================================================================
>  tick.usnogps.na 0.0.0.0         16 u    -   64    0    0.000    0.000
> 4000.00
>  timekeeper.isi. 0.0.0.0         16 u    -   64    0    0.000    0.000
> 4000.00
>  clock.redhat.co 0.0.0.0         16 u    -   64    0    0.000    0.000
> 4000.00
>  clock2.redhat.c 0.0.0.0         16 u    -   64    0    0.000    0.000
> 4000.00
> 
> This is what I have in my ntp.conf file:
> (Is there anything wrong here?)
> 
> # Prohibit general access to this service.
> restrict default ignore
> 
> # Permit all access over the loopback interface.  This could
> # be tightened as well, but to do so would effect some of
> # the administrative functions.
> restrict 127.0.0.1 
> 
> 
> # -- CLIENT NETWORK -------
> # Permit systems on this network to synchronize with this
> # time service.  Do not permit those systems to modify the
> # configuration of this service.  Also, do not use those
> # systems as peers for synchronization.
> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
> 
> 
> # --- OUR TIMESERVERS ----- 
> # or remove the default restrict line 
> # Permit time synchronization with our time source, but do not
> # permit the source to query or modify the service on this system.
> 
> # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap
> noquery
> # server mytrustedtimeserverip
> 
> 
> 
> # --- NTP MULTICASTCLIENT ---
> #multicastclient            # listen on default 224.0.1.1
> # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
> # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
> 
> 
> 
> # --- GENERAL CONFIGURATION ---
> #
> # Undisciplined Local Clock. This is a fake driver intended for backup
> # and when no outside source of synchronized time is available. The
> # default stratum is usually 3, but in this case we elect to use stratum
> # 0. Since the server line does not have the prefer keyword, this driver
> # is never used for synchronization, unless no other other
> # synchronization source is available. In case the local host is
> # controlled by some external source, such as an external oscillator or
> # another protocol, the prefer keyword would cause the local host to
> # disregard all other synchronization sources, unless the kernel
> # modifications are in use and declare an unsynchronized condition.
> #
> # server    127.127.1.0    # local clock
> server navobs1.usnogps.navy.mil 
> server timekeeper.isi.edu 
> server clock.redhat.com
> server clock2.redhat.com 
> server ntp1.linuxmedialabs.com 
> 
> fudge   127.127.1.0 stratum 10
> 
> 
> #
> # Log file (added Feb 18, 2004)
> #
> logconfig    all
> logfile        /var/log/xntpd
> 
> #
> # Drift file.  Put this in a directory which the daemon can write to.
> # No symbolic links allowed, either, since the daemon updates the file
> # by creating a temporary in the same directory and then rename()'ing
> # it to the file.
> #
> driftfile /etc/ntp/drift
> broadcastdelay    0.008
> 
> #
> # Authentication delay.  If you use, or plan to use someday, the
> # authentication facility you should make the programs in the auth_stuff
> # directory and figure out what this number should be on your machine.
> #
> authenticate yes
> 
> #
> # Keys file.  If you want to diddle your server at run time, make a
> # keys file (mode 600 for sure) and define the key number to be
> # used for making requests.
> #
> # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
> # systems might be able to reset your clock at will. Note also that
> # ntpd is started with a -A flag, disabling authentication, that
> # will have to be removed as well.
> #
> keys        /etc/ntp/keys
> 
> 
> 
> In case the firewall was blocking communication I added lines to allow ntp
> to pass.
> 
> #Deny TCP and UDP packets to privileged ports
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 123 -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 123 -j ACCEPT
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
> 
> Still no communication.  Can anyone shed any light on how to get ntpd to
> work properly as a client?

Ah, um, are you on a cable or DSL router and is its firewall configured
to allow incoming TCP/UDP port 123?  I don't see anything evil in
your ntp.conf or iptables.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      We are born naked, wet and hungry. Then things get worse.     -
----------------------------------------------------------------------

More information about the Redhat-install-list mailing list