[ntp:questions] Can't get time to sync with local time server

Steve Kostecke kostecke at ntp.isc.org
Fri Dec 15 03:58:00 UTC 2006


On 2006-12-15, Arty <arty-nospam at domain.tld> wrote:

> 1. My config wasn't right. I misunderstood the use of restrict.
> Actually I'm still a bit confused.
>
> It seems as if ntp makes a request to a time server, to have the time
> server set my time (as opposed to me requesting the time, and I'll
> set it myself).

Your ntpd polls a number of time sources (in your case remote time
servers) and determines which sources are believable and then which one
is the current best source. Once ntpd has collected enough data it
starts to continually discipline your system clock.

> To sync my time, I have to set my restrict options to allow a remote
> ip to set my time?

It's not really a matter of "allowing a remote ip to set your time".

You have to allow your ntpd to exchange NTP packets with the remote time
servers you have chosen to use. ntpd uses the data collected from the
remote time servers to determine which time source to believe.

If you're _really_ that concerned and don't think that you can find a
group of time sources that you can trust then you should get a ref-clock
(e.g. a GPS time source) and use it. Of course, then you'll have to
trust the GPS constellation.

> I'm still working on my ntp.conf
> files. What is the absolute minimum access needed to sync my time?

The following allows only time service:

restrict some.time.server nomodify nopeer notrap noquery

> Here is what I want to do. On my ntp server:
> 1. sync my time from a public server
> 2. allow a subnet on my lan to sync from this server.
> 3. allow another subnet on my lan to make sure i'm still in sync.
> 4. deny everything else from every one.

You need to review http://ntp.isc.org/Support/AccessRestrictions and pay
attention to the decision tree that guides you through the process of
setting your default restriction.

In short ... If your ntpd is behind a stateful firewall or NAT _and_ you
are not forwarding the ntp port _then_ your ntpd is invisible to the
outside world.

The example file I sent to you in a previous message will work (with the
addition of a restrict line for the "monitor-only" subnet).

> On my hosts:
> 1. sync my time from ntp server.
> 2. allow a subnet on my vlan to check to make sure I'm in sync.
> 3. deny everything else from every one

driftfile /path/to/drift/file
restrict default ignore
restrict 127.0.0.1 nomodify
server your.local.server iburst
restrict your.local.server's.ip nomodify notrap nopeer
restrict trusted.monitor.subnet mask AAA.BBB.CCC.DDD noserve

> As far as monitoring goes, i think i can just check to make sure my
> stratum is not < 16 right ?

You want to use 'ntpq -p your_time_server' to view your ntpd peer
billboard. This will tell you if you're synced to one of your time
sources and will show you how ntpd sees those sources.

> to find my own stratum: ntpdc -c sysinfo | ntp servers     grep stratum
> to find my stratum: ntpdc -c "showpeer admin1-nj" |       grep stratum

ntpq -c"rv 0 stratum" your_time_server

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
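Added example (not from the original thread): a small monitoring check that reads an `ntpq -p` peer billboard on stdin and reports whether ntpd has a system peer (the `*` line) with a usable stratum, which is the check the reply recommends over a bare "stratum not 16" test. The billboard below is constructed; the host names and addresses are placeholders.

```shell
#!/bin/sh
# Evaluate an `ntpq -p` peer billboard read on stdin.
# Real use: ntpq -p your_time_server | ntp_sync_status
ntp_sync_status() {
    # Skip the two header lines, then read the tally code in column 1:
    # '*' is the system peer ntpd is synced to, '+' a candidate that could
    # take over; ' ', 'x', '-', '.' etc. are sources ntpd is not using.
    awk '
        NR <= 2 { next }
        {
            tally = substr($0, 1, 1)
            sub(/^./, "")          # drop tally; $1=remote $2=refid $3=stratum
            if (tally == "*") { syspeer = $1; sysst = $3 }
            else if (tally == "+") { candidates++ }
        }
        END {
            if (syspeer == "")   { print "unsynced: no system peer"; exit 1 }
            if (sysst + 0 >= 16) { print "unsynced: stratum=" sysst; exit 1 }
            printf "synced peer=%s stratum=%s candidates=%d\n",
                   syspeer, sysst, candidates
        }'
}

sample_billboard() {
    # Constructed billboard in the layout ntpq -p prints (placeholder hosts).
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.n .GPS.            1 u   34   64  377    1.234   -0.123   0.045
+time2.example.n 192.0.2.10       2 u   20   64  377    2.345    0.456   0.078
 time3.example.n .INIT.          16 u    -   64    0    0.000    0.000   0.000
-time4.example.n 198.51.100.7     3 u   50   64  177    5.678    1.234   0.567
EOF
}

sample_billboard | ntp_sync_status
```

The function exits non-zero when there is no system peer or its stratum is 16, so it can be dropped straight into a cron or Nagios-style check.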