[ntp:questions] ntpd just not working

David Woolley david at ex.djwhome.demon.co.uk.invalid
Sun Oct 7 17:15:22 UTC 2007

In article <20071007115739.00185a93.ioplex at gmail.com>,
Michael B Allen <ioplex at gmail.com> wrote:

> No firewalls. From the capture I can clearly see only a request and
> reply. There's no attempt to communicate with the time server at all.

The last two sentences contradict each other.  A request is an attempt to
communicate.  In addition, a reply means that the other side also 
cooperated in the communication.  A firewall might eliminate either the
request or reply, but this might be downstream of where you are 
capturing them.

If you have captured the attempt and the response, could we please see
copies of them?

If you are running a Red Hat derived Linux distribution, and probably several
others that are not on a direct line from Red Hat, you will have a firewall and it will be active.

> Sounds to me like the config is simply blocking things. I tried reading
> the man page but why does this have to be so hard? I just want to

There is no official man page for ntpd; the official documentation is in 

> setup a simple ntpd for the local machine.

It is not hard to set up a simple configuration; a file just consisting
of one server line will work.  Most newbie problems are the result of:

- a firewall that they never even realised was there;
- trying to use restrict before they have the basic service working
  (including using restrict with domain names on multi-homed servers);
- using a Windows w32tm machine as a time server;
- unnecessary use of the local clock driver; or
- not having any reference clocks in the system at all.

However, if you have correctly described your setup, I'm a little concerned
that there are no associations shown.  I'm fairly sure that associations are
set up when the outbound request is made.  As you've used an IP address, so
there should be no issue to do with name resolution, the only reasons I can
think of for not seeing any associations are:

- the configuration file you are editing is not the one it is using (but
  then relaxing the restricts wouldn't work either);
- you are failing to bind a socket to the server address because there is
  no route to the server;
- maybe the association is built after sending and the firewall is failing the 
  send, but I'm not at all sure that Linux or ntpd work that way.

If you are failing to bind sockets or send, I would expect there to be 
syslog messages relating to those problems.

> Is there a tutorial out there with some example configs for standard
> setups?

A leaf node needs one, basic, server line and nothing else.  However, there are 
advantages in having four independent servers and a drift file, and there
is also an advantage in having iburst on the server lines.  A leaf node 
never needs the local clock.  Restricting diagnostics is arguably desirable.
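
The checks below turn the configuration advice in the message above into a small lint for a leaf-node ntp.conf. This is an added example, not part of the original post and not an ntp tool: the function names, the heuristics and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample ntp.conf (addresses from documentation ranges).
SAMPLE_CONF = """\
server 192.0.2.10
server 127.127.1.0            # local clock driver
fudge 127.127.1.0 stratum 10
restrict ntp.example.net nomodify
restrict default kod nomodify notrap nopeer noquery
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

# Heuristics are this example's assumptions, derived from the post's advice.
def lint_ntp_conf(text):
    """Return (line_number, message) findings; line 0 means whole-file."""
    findings, servers, has_drift = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()      # drop comments
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "driftfile":
            has_drift = True
        elif keyword == "server" and args:
            if args[0].startswith("127.127.1."):  # local clock pseudo-address
                findings.append((lineno, "local clock driver is not needed on a leaf node"))
                continue
            servers.append(args[0])
            if "iburst" not in args:
                findings.append((lineno, "server line without iburst"))
        elif keyword == "restrict":
            target = [a for a in args if a not in ("-4", "-6")][:1]
            if target and target[0] not in ("default", "source") and not is_ip(target[0]):
                findings.append((lineno, "restrict uses a domain name, not an address"))
    if not servers:
        findings.append((0, "no server lines: ntpd has nothing to synchronise to"))
    elif len(servers) < 4:
        findings.append((0, f"{len(servers)} server(s); four independent servers are better"))
    if not has_drift:
        findings.append((0, "no driftfile configured"))
    return findings

if __name__ == "__main__":
    print(*lint_ntp_conf(SAMPLE_CONF), sep="\n")
```

A clean result only means the file avoids these configuration mistakes; a firewall dropping UDP port 123 or a missing route still has to be checked with a packet capture and syslog.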
