[ntp:questions] Re: Connect problem 4.1.2-4 redhat server

t_pascal at my-deja.com t_pascal at my-deja.com
Tue Aug 16 14:51:37 UTC 2005


Steve Kostecke wrote:
> On 2005-08-15, t_pascal at my-deja.com <t_pascal at my-deja.com> wrote:
>
> > >Please see http://ntp.isc.org/Support/AccessRestrictions for information
> > >about how to control access to your ntpd.
> >
> > This was a good resource, and I was hopeful it would fix a strange
> > problem I have.
> >
> > Server:  RedHat ES3, ntp 4.1.2-4, address 192.168.100.a
> > Per the suggestion in the document, I tried this "restrict 192.168.0.0
> > mask 255.255.0.0 nomodify"
>
> Why do you feel that you need this restriction?
>
I was following the suggestions of the last section of the document.  I
even tried "restrict 192.168.0.0 mask 255.255.0.0" to allow all (the
"restrict default ignore" is in place).  Also, see this web page (a
little further down) on "Linux NTP clients can't connect"; it refers to
Fedora Core 2, but might be a proxy for ES 3:

http://www.linuxhomenetworking.com/linux-hn/ntp.htm#_Toc91350038

I'm pretty sure the RedHat distributions are broken.  I'm going to find
the latest package and see if it works.  Sorry to bother y'all with
these minor problems.

> > Client1:  RedHat 7.3 kernel 2.4.30, ntp 4.1.1-2 address 192.168.100.b
> > Client2:  RedHat ES3, ntp 4.1.2-4, address 192.168.101.c
> > Client3:  RedHat 7.3 kernel 2.4.30, ntp 4.1.1-2 address 192.168.101.d
> >
> > Server connects to external (internet) servers and synchs well via
> > firewall.
> > Client1 connects to Server perfectly and syncs well, with or without
> > "notrust" option.
>
> The meaning of "notrust" has changed. Please see
> http://ntp.isc.org/bin/view/Support/AccessRestrictions#Section_6.4.3.1.
>
I'm using 4.1 on all systems, not 4.2.

> > Sorry to self-followup, but I reversed Client2 and Client3.  Basically,
> > the two versions cooperate fully on the same subnet.  The 4.1.2 server
> > will reply to a 4.1.2 client via ntpdate ONLY (across a different
> > subnet).  The 4.1.1 clients are totally ignored across subnets (but
> > work fine on the same subnet as noted).
>
> It is possible that ntpdate is being invoked with '-u', for "use an
> unprivileged source port". That would explain why ntpdate works even
> though port 123/UDP is not completely open between the two sub-nets.
>
No, I'm not using the -u option.

> It would be helpful to see the ntp.conf files for all 4 systems.
>
I will post if I can't get 4.2 working.  They are all standard, vanilla
conf files, the client files are exactly the same; the only difference
is the "server" definitions and the "restrict" lines I mentioned above
on the server.
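
An added example, not part of the original message and not ntpd's own code: a simplified Python model of how ntpd selects the restrict entry for a source address (the most specific matching entry wins), applied to the two restrict lines quoted in this thread. The host addresses are constructed stand-ins for the elided 192.168.100.x and 192.168.101.x clients, and the function names are hypothetical.

```python
import ipaddress

# Restrict lines as quoted in the thread.
RESTRICT_LINES = [
    "restrict default ignore",
    "restrict 192.168.0.0 mask 255.255.0.0 nomodify",
]

def parse_restrict(line):
    """Parse one ntp.conf restrict line into (network, flags)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        raise ValueError(f"not a restrict line: {line!r}")
    addr, rest = tokens[1], tokens[2:]
    if addr == "default":
        addr, mask = "0.0.0.0", "0.0.0.0"
    elif rest[:1] == ["mask"] and len(rest) >= 2:
        mask, rest = rest[1], rest[2:]
    else:
        mask = "255.255.255.255"  # no mask given: entry covers a single host
    return ipaddress.ip_network(f"{addr}/{mask}"), frozenset(rest)

def effective_flags(source, entries):
    """Flags of the most specific entry covering source (simplified model)."""
    ip = ipaddress.ip_address(source)
    matches = [(net, flags) for net, flags in entries if ip in net]
    if not matches:
        return frozenset()  # nothing matches: no restrictions apply
    return max(matches, key=lambda m: (m[0].prefixlen, int(m[0].network_address)))[1]

def time_service_allowed(source, entries):
    """'ignore' drops every packet; 'noserve' denies time service only."""
    return not ({"ignore", "noserve"} & effective_flags(source, entries))

ENTRIES = [parse_restrict(line) for line in RESTRICT_LINES]

if __name__ == "__main__":
    # Constructed sample addresses: one per subnet in the thread, one outside.
    for host in ("192.168.100.10", "192.168.101.20", "10.0.0.5"):
        flags = sorted(effective_flags(host, ENTRIES))
        print(host, flags, "served" if time_service_allowed(host, ENTRIES) else "dropped")
```

In this model both 192.168.100.x and 192.168.101.x sources resolve to the same /16 entry, so the restrict list treats the two subnets identically; only addresses outside 192.168.0.0/16 fall through to "default ignore".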



