[ntp:questions] Re: ntp authentication setup

Dave dmehler26 at woh.rr.com
Wed Nov 23 15:06:36 UTC 2005


Hi,
    Checked out the indicated page. I've included both my server and client
configs below, as it is still not working. On both sides the key generation
goes without error. I used GQ keys; not sure why, they just looked right for
my situation. To recap, I've got a local ntp server that services my LAN,
which is a mixture of Unix and Windows clients; the ntp server polls the
internet and the LAN syncs up to it. Right now I'm using only Unix; I want
to get this going before I add Windows into this. On the client, a FreeBSD 6
box, I add the key with:

ntp-keygen -H -p clientpassword

Should I make the clientpassword the same as serverpassword?
In my client log I see:
Nov 21 20:17:07 zeus ntpd[92140]: ntpd 4.2.0-a Thu Nov 10 21:05:26 EST 2005 (1)
Nov 21 20:17:07 zeus ntpd[92140]: bind() fd 11, family 2, port 123, addr 192.168.0.3, in_classd=0 flags=8 fails: Address already in use

This is after a stop and start of ntpd. Checking with /etc/rc.d/ntpd I see
that ntpd is indeed running with a new PID. An ntpq shows:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 guardian.daveme .INIT.          16 u    -  512    0    0.000    0.000 4000.00

Serverside everything seems fine; when I stop and start ntpd it doesn't have
any trouble syncing up to the net. Do I have an issue with clientside ntpd,
or is this a fluke error? Also, should I be doing keys or multicast/unicast
autokeys? I'm not sure what those are.
Thanks.
Dave.

server ntp.conf:
#
# authentication key setup
crypto pw serverpassword
keysdir /etc/ntp
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server 127.127.1.0     # local clock
fudge  127.127.1.0 stratum 10

server time.cair.du.edu prefer
server time.nist.gov
server timekeeper.isi.edu
#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/ntp.drift
# first ignore all ntp packets from everywhere
restrict default ignore
# now prevent the public servers from querying me
restrict 130.253.1.169 mask 255.255.255.0 noquery # du
restrict 192.43.244.18 mask 255.255.255.0 noquery # time.nist.gov
restrict 128.9.176.30 mask 255.255.255.0 noquery # timekeeper.isi.edu
# Only our subnet can use us as a server.
# nopeer: no peer associations are formed with these machines,
# notrust: only serve time when the packet is cryptographically
# authenticated (ntp 4.2 meaning of notrust),
# nomodify: no runtime configuration changes via ntpq/ntpdc.
restrict 192.168.0.0 mask 255.255.255.0 nopeer notrust nomodify
# Allow unrestricted access to the localhost
restrict 127.0.0.1

client ntp.conf:
#
# authentication key setup
crypto pw serverpassword
keysdir /etc/ntp
server guardian.xxx iburst
#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/ntp.drift
# ignore all packets from everywhere
restrict default ignore
# any ntp packets must be authenticated
restrict 192.168.0.254 notrust
# localhost ntp packets are accepted unconditionally
restrict 127.0.0.1


"Danny Mayer" <mayer at gis.net> wrote in message 
news:4380CC2B.4070307 at gis.net...
> Dave wrote:
>> Hello,
>>     I'm having an issue with authentication setup and would appreciate it
>> if anyone had a tutorial on this issue. I thought I had it when I updated,
>> but I just did an ntp install on Windows XP, started the service without
>> thinking and it updated the clock. This box did not have any keys set up.
>> Obviously I'm doing something wrong. I'm also wondering about the status of
>> ntpdate: is it still recommended to use it? When my boxes start they sync
>> up with the local time server on my network. I'm wondering whether using
>> ntpdate or the iburst option on the server line in ntp.conf is the
>> preferred approach?
>> Thanks.
>> Dave.
>>
> ntpdate makes no sense on a Windows box. You should use -g during
> startup and iburst on the server lines. Authentication needs to be set
> up and is never automatic. You need to generate the keys on the server
> and copy them over to the Windows client. Did you look at:
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey
> to see how to set up authentication?
>
> Danny
> _______________________________________________
> questions mailing list
> questions at lists.ntp.isc.org
> https://lists.ntp.isc.org/mailman/listinfo/questions
> 
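
The following is an added example, not part of the original thread or of the
ntp project's code. Dave asks whether to use "keys" or Autokey, and his configs
rely on `notrust` to refuse unauthenticated packets; this script shows what the
plain symmetric-key ("keys") scheme actually does on the wire: the client
appends a key id and an MD5 digest over key || header to a 48-byte NTP header
(RFC 5905 section 7.3), and a server in `notrust` mode drops anything whose MAC
is missing, uses an untrusted key id, was computed with a different password,
or no longer matches a tampered header. It does not implement Autokey (the
`crypto pw` / GQ scheme in Dave's config). Assumptions: no extension fields, key
id 1, the passwords from the thread used as constructed key material, and the
ntp.conf directives in the comment (`keys`, `trustedkey`, `server ... key N`)
shown as the conventional symmetric-key setup rather than anything Dave posted.

```python
import hashlib
import hmac
import struct

# Matching ntpd configuration for symmetric keys (conventional directives; the
# host name 'guardian.xxx' is from the thread, key id 1 is assumed):
#   /etc/ntp/ntp.keys:   1 M serverpassword
#   server ntp.conf:     keys /etc/ntp/ntp.keys
#                        trustedkey 1
#   client ntp.conf:     keys /etc/ntp/ntp.keys
#                        trustedkey 1
#                        server guardian.xxx key 1 iburst
# Both sides must hold the same key under the same key id.

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
MD5_MAC_LEN = 4 + 16               # key id + MD5 digest


def build_client_header(transmit_unix_time: float) -> bytes:
    """Build a minimal NTPv4 mode-3 (client) header: 48 bytes, no extension fields."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3      # LI=0, version 4, mode 3 = client
    stratum, poll, precision = 0, 6, -20
    header = struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
    header += struct.pack("!II", 0, 0)          # root delay, root dispersion
    header += b"\x00" * 4                       # reference id
    header += b"\x00" * 24                      # reference, origin, receive timestamps
    whole = int(transmit_unix_time)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((transmit_unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    header += struct.pack("!II", secs, frac)    # transmit timestamp
    assert len(header) == NTP_HEADER_LEN
    return header


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 7.3: digest over the key followed by the header, not over the key id."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, keyid: int, key: bytes) -> bytes:
    """Append key id and MAC the way a client does for 'server ... key N'."""
    return header + struct.pack("!I", keyid) + ntp_md5_mac(key, header)


def server_accept(packet: bytes, trusted_keys: dict, require_auth: bool = True):
    """Decide whether the server would act on this packet.

    require_auth=True models 'restrict <client> notrust': unauthenticated
    packets are discarded. trusted_keys models the ids listed under 'trustedkey'.
    Returns (accepted, reason).
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:
        if require_auth:
            return False, "no MAC and notrust in effect"
        return True, "accepted without authentication"
    if len(trailer) != MD5_MAC_LEN:
        return False, "malformed MAC trailer"
    keyid = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(keyid)
    if key is None:
        return False, "key id %d is not a trusted key" % keyid
    expected = ntp_md5_mac(key, header)
    if not hmac.compare_digest(expected, trailer[4:]):   # constant-time compare
        return False, "MAC mismatch: wrong key or tampered header"
    return True, "authenticated with key id %d" % keyid


def demo() -> dict:
    """Run the cases that matter for the thread; every input here is constructed."""
    server_keys = {1: b"serverpassword"}                 # server's trustedkey table
    header = build_client_header(1132597027.25)          # constructed transmit time
    good = sign_packet(header, 1, b"serverpassword")     # client holds the same key
    wrong_password = sign_packet(header, 1, b"clientpassword")
    unknown_keyid = sign_packet(header, 2, b"serverpassword")
    tampered = bytearray(good)
    tampered[1] ^= 0x01                                   # flip a bit in the stratum field
    return {
        "good": server_accept(good, server_keys),
        "wrong_password": server_accept(wrong_password, server_keys),
        "unknown_keyid": server_accept(unknown_keyid, server_keys),
        "tampered": server_accept(bytes(tampered), server_keys),
        "unauthenticated_notrust": server_accept(header, server_keys),
        "unauthenticated_trusting": server_accept(header, server_keys, require_auth=False),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-26s %s  (%s)" % (name, "ACCEPT" if ok else "DROP", why))
```

The `wrong_password` case is the one Dave's question turns on: a client keyed
with `clientpassword` produces a MAC the server cannot reproduce from
`serverpassword`, so with `notrust` the packet is silently dropped and the
association stays at `.INIT.`. For symmetric keys the two sides must share the
same secret under the same key id; Autokey is a different, public-key based
mechanism where each host's `crypto pw` only protects its own key files locally.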