[ntp:questions] Can't get time to sync with local time server

Arty arty-nospam at domain.tld
Fri Dec 15 01:11:23 UTC 2006


Arty wrote:
> Steve Kostecke wrote:
>> On 2006-12-14, Arty <arty-nospam at domain.tld> wrote:
>>
>>> Why can't I set my time???
>>>
>>> server ntp.conf-------------
>>> server time.nist.gov prefer
>>> server pool.ntp.org
>>> server clock.isc.org
>>>
>>> driftfile /var/db/ntp.drift
>>> restrict default ignore
>> You've told ntpd to ignore all NTP packets form all addresses. Then you
>> neglected to tell ntpd that it is OK to accept NTP packets from your
>> time servers.
>>
>> You may want to review the Restrictions HOWTO at
>> http://ntp.isc.org/Support/AccessRestrictions.
>>
>> BTW: You're not going to be able to use 'restrict default ignore'
>> with a host name, such as pool.ntp.org, which resolves to multiple IP
>> addresses.
>>
>> Here's what your ntp.conf could look like:
>>
>> | # server ntp.conf
>> | driftfile /var/db/ntp.drift
>> | 
>> | # Allow only time service by default
>> | restrict default noquery nomodify notrap nopeer
>> | restrict 127.0.0.1 nomodify
>> | 
>> | # Remote time servers
>> | server time.nist.gov iburst
>> | server pool.ntp.org  iburst
>> | server clock.isc.org iburst
>> | 
>> | # Authorized clients
>> | # They are allowed time service and may query ntpd
>> | restrict 192.168.1.0 mask 255.255.255.0 notrap nopeer nomodify
>>
>> A couple of notes (that have no bearing on your current synchronization
>> problem):
>>
>> 1. You ought to use pool servers from your geographical area;
>> pool.ntp.org can resolve to any one of larger number of time servers
>> workd wide. See http://ntp.isc.org/pool or http://www.pool.ntp.org for
>> more information.
>>
>> 2. According to the Rules of Engagement (http://ntp.isc.org/rules) you
>> should not be directly using Stratum-1 time servers unless you meet
>> certain criteria (such as serving time a large number of clients). You
>> really ought to choose from the Public Stratum-2 server list (at
>> http://www.ntp.org/s2 or http://ntp.isc.org/s2) or just use the pool.
>>
>> 3. Using only 3 remote time servers doesn't leave you with any back up
>> if one of them "goes bad". You ought to consider using 4 or 5 remote
>> time servers.
>>
>>> # client ntp.conf-----------------------
>>> server 192.168.1.1 prefer
>> Using 'prefer' here is of no benefit.
>>
>>> driftfile /var/db/ntp.drift
> 
> Thank you all (especially kostecke and rgilbert)!!!!
> It was a combo of things.
> 1. My config wasn't right. I misunderstood the use of restrict.
> Actually i'm still a bit confused.
> 
> It seems as ntp makes a request to a time server, to have the time
> server set my time.  (as opposed to me requesting the time, and i'll set
> it myself).
> To sync my time, i have to set my restrict options to allow a remote ip
> to set my time?
> I'm still working on my ntp.conf files.  What is the absolute minimum
> access needed to sync my time?
> 
> 
> Here is what I want to do.
> On my ntp server:
> 1. sync my time from a public server
> 2. allow a subnet on my lan to sync from this server.
> 3. allow another subnet on my lan to to make sure i'm still in sync.
> 4. deny everything else from every one.
> 
> On my hosts:
> 1. sync my time with from ntp server.
> 2. allow a subnet on my vlan check to make sure i'm in sync.
> 3. deny everything else from every one
> 
> 
> 
> As far as monitoring goes, i think i can just check to make sure my
> stratum is not < 16 right ?
> 
> to find my own statum: ntpdc -c sysinfo |grep stratum
> to find my ntp servers stratum: ntpdc -c "showpeer admin1-nj" | grep stratum
> 
> 
> 
> Thanks again!
> 
> 
> 


Also I see what you mean about using a pool with restrict all.  I'm
getting a random server, but I would need to specify access to specific
servers.

I was going to put:
server north-america.pool.ntp.org iburst
server clock.isc.org iburst
server time.nist.gov iburst
server ntp0.cornell.edu iburst
server sundial.columbia.edu iburst


but I need to pick individual ones like this instead (if i want to
restrict default ignore):
server clock.isc.org iburst
server time.nist.gov iburst






More information about the questions mailing list