[ntp:questions] Can't get time to sync with local time server

Arty arty-nospam at domain.tld
Fri Dec 15 01:07:29 UTC 2006


Steve Kostecke wrote:
> On 2006-12-14, Arty <arty-nospam at domain.tld> wrote:
> 
>> Why can't I set my time???
>>
>> server ntp.conf-------------
>> server time.nist.gov prefer
>> server pool.ntp.org
>> server clock.isc.org
>>
>> driftfile /var/db/ntp.drift
>> restrict default ignore
> 
> You've told ntpd to ignore all NTP packets from all addresses. Then you
> neglected to tell ntpd that it is OK to accept NTP packets from your
> time servers.
> 
> You may want to review the Restrictions HOWTO at
> http://ntp.isc.org/Support/AccessRestrictions.
> 
> BTW: You're not going to be able to use 'restrict default ignore'
> with a host name, such as pool.ntp.org, which resolves to multiple IP
> addresses.
> 
> Here's what your ntp.conf could look like:
> 
> | # server ntp.conf
> | driftfile /var/db/ntp.drift
> | 
> | # Allow only time service by default
> | restrict default noquery nomodify notrap nopeer
> | restrict 127.0.0.1 nomodify
> | 
> | # Remote time servers
> | server time.nist.gov iburst
> | server pool.ntp.org  iburst
> | server clock.isc.org iburst
> | 
> | # Authorized clients
> | # They are allowed time service and may query ntpd
> | restrict 192.168.1.0 mask 255.255.255.0 notrap nopeer nomodify
> 
> A couple of notes (that have no bearing on your current synchronization
> problem):
> 
> 1. You ought to use pool servers from your geographical area;
> pool.ntp.org can resolve to any one of a large number of time servers
> world wide. See http://ntp.isc.org/pool or http://www.pool.ntp.org for
> more information.
> 
> 2. According to the Rules of Engagement (http://ntp.isc.org/rules) you
> should not be directly using Stratum-1 time servers unless you meet
> certain criteria (such as serving time to a large number of clients). You
> really ought to choose from the Public Stratum-2 server list (at
> http://www.ntp.org/s2 or http://ntp.isc.org/s2) or just use the pool.
> 
> 3. Using only 3 remote time servers doesn't leave you with any back up
> if one of them "goes bad". You ought to consider using 4 or 5 remote
> time servers.
> 
>> # client ntp.conf-----------------------
>> server 192.168.1.1 prefer
> 
> Using 'prefer' here is of no benefit.
> 
>> driftfile /var/db/ntp.drift
> 

Thank you all (especially kostecke and rgilbert)!!!!
It was a combo of things.
1. My config wasn't right. I misunderstood the use of restrict.
Actually i'm still a bit confused.

It seems as if ntp makes a request to a time server, to have the time
server set my time.  (as opposed to me requesting the time, and i'll set
it myself).
To sync my time, i have to set my restrict options to allow a remote ip
to set my time?
I'm still working on my ntp.conf files.  What is the absolute minimum
access needed to sync my time?


Here is what I want to do.
On my ntp server:
1. sync my time from a public server
2. allow a subnet on my lan to sync from this server.
3. allow another subnet on my lan to make sure i'm still in sync.
4. deny everything else from every one.

On my hosts:
1. sync my time from the ntp server.
2. allow a subnet on my vlan to check to make sure i'm in sync.
3. deny everything else from every one



As far as monitoring goes, i think i can just check to make sure my
stratum is not < 16 right?

to find my own stratum: ntpdc -c sysinfo |grep stratum
to find my ntp server's stratum: ntpdc -c "showpeer admin1-nj" | grep stratum



Thanks again!
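
An added example, not part of the original thread: a small Python check for the failure described in the quoted reply, where `restrict default ignore` silences every `server` that has no `restrict` entry of its own, and a host name offers no fixed IP to match one. The function names and the finding texts are assumptions made for this sketch; it handles IPv4 `restrict` lines only.

```python
import ipaddress

# Constructed sample: the server ntp.conf quoted in the thread.
BROKEN_CONF = """\
server time.nist.gov prefer
server pool.ntp.org
server clock.isc.org
driftfile /var/db/ntp.drift
restrict default ignore
"""

def parse(conf):
    """Return (servers, default_flags, [(network, flags), ...]) from ntp.conf text."""
    servers, default_flags, nets = [], None, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "server":
            servers.append(tok[1])
        elif tok[0] == "restrict":
            addr, rest = tok[1], tok[2:]
            if addr == "default":
                default_flags = set(rest)
                continue
            mask = "255.255.255.255"  # no mask means a single host
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            try:
                nets.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), set(rest)))
            except ValueError:
                pass  # restrict given by host name: not checkable offline
    return servers, default_flags, nets

def lint(conf):
    """List (server, reason) pairs that 'restrict default ignore' would silence."""
    servers, default_flags, nets = parse(conf)
    if not default_flags or "ignore" not in default_flags:
        return []
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "host name: no fixed IP to match a restrict line"))
            continue
        hits = [(n, f) for n, f in nets if ip in n]
        # The most specific matching entry decides the flags.
        flags = max(hits, key=lambda h: h[0].prefixlen)[1] if hits else default_flags
        if "ignore" in flags:
            findings.append((s, "replies dropped: add a restrict line for this IP"))
    return findings
```

Running `lint(BROKEN_CONF)` flags all three servers from the original configuration, while the configuration suggested in the reply (no `ignore` on the default entry) produces no findings.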





