[ntp:questions] Re: Connect problem 4.1.2-4 redhat server

Steve Kostecke kostecke at ntp.isc.org
Tue Aug 16 04:33:51 UTC 2005


On 2005-08-15, t_pascal at my-deja.com <t_pascal at my-deja.com> wrote:

> >Please see http://ntp.isc.org/Support/AccessRestrictions for information
> >about how to control access to your ntpd.
>
> This was a good resource, and I was hopeful it would fix a strange
> problem I have.
>
> Server:  RedHat ES3, ntp 4.1.2-4, address 192.168.100.a
> Per the suggestion in the document, I tried this "restrict 192.168.0.0
> mask 255.255.0.0 nomodify"

Why do you feel that you need this restriction?

> Client1:  RedHat 7.3 kernel 2.4.30, ntp 4.1.1-2 address 192.168.100.b
> Client2:  RedHat ES3, ntp 4.1.2-4, address 192.168.101.c
> Client3:  RedHat 7.3 kernel 2.4.30, ntp 4.1.1-2 address 192.168.101.d
>
> Server connects to external (internet) servers and synchs well via
> firewall.
> Client1 connects to Server perfectly and syncs well, with or without
> "notrust" option.

The meaning of "notrust" has changed. Please see
http://ntp.isc.org/bin/view/Support/AccessRestrictions#Section_6.4.3.1.

> Client2 cannot connect to Server at all, tried every number of options
> and settings.  NOT A ROUTING or FIREWALL ISSUE, believe me.  Packets
> are received on Server, but nothing happens.
> Client3 can sync the time with ntpdate, but not with ntpd.  This is
> some further proof that there is no routing or firewall issue, but
> makes the problem extremely strange.
>
> Sorry to self-followup, but I reversed Client2 and Client3.  Basically,
> the two versions cooperate fully on the same subnet.  The 4.1.2 server
> will reply to a 4.1.2 client via ntpdate ONLY (across a different
> subnet).  The 4.1.1 clients are totally ignored across subnets (but
> work fine on the same subnet as noted).

It is possible that ntpdate is being invoked with '-u', for "use an
unprivileged source port. That would explain why ntpdate works even
though port 123/UDP is not completely open between the two sub-nets.

>> Any help, other the version numbers?  I am using standard RedHat issued
>> software for the ES servers, but I suppose I can downgrade to 4.1.1 (if
>> that will help?)  Or do I upgrade?  Note that upgrading to 4.1.2-4 on
>> the 7.3 servers would break them.  :(
>>
> I wasn't clear enough here.  Downgrading my clients to 4.1.1 would only
> work on the same subnet.  Upgrading clients to 4.1.2 on different
> subnets only gets a reply to ntpdate and would prefer to use ntpd to
> discipline the clocks.

It would be helpful to see the ntp.conf files for all 4 systems.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/




More information about the questions mailing list