[ntp:questions] Reference clock all messed up?
mayer at ntp.isc.org
Sun Nov 11 02:54:02 UTC 2007
Adam Bolte wrote:
> Howdy all,
> I've got a problem that has been driving me nuts. Hopefully, somebody can
> give me a clue.
> I've been requested to configure an NTP server (192.168.2.1) for the local
> subnets that I'm responsible for. Unfortunately, firewall rules prevent me
> from accessing 123/UDP on the Internet, however there is a machine that
> appears to be running NTP on 192.168.1.1 (outside subnets I administer but
> internal to the company and accessible) which I would like to sync my server to.
> On 192.168.2.1 I'm running FreeBSD 5.4-STABLE with ntpd "4.2.0-a Thu Jan 19
> 11:02:17 EST 2006". According to nmap, 192.168.1.1 might be FreeBSD 6.1 (86%
> Note that we don't want all client NTP machines to access 192.168.1.1 -
> otherwise, things would have been much easier.
> --- /etc/ntp.conf on 192.168.2.1 ---
> # /etc/ntp.conf
> server 192.168.1.1
Add iburst to this line for faster synchronization.
> driftfile /var/db/ntpd.drift
> # by default ignore all ntp packets
> restrict default ignore
Why would you want to ignore all packets?
> # allow localhost
> restrict 127.0.0.1 mask 255.255.255.255
If you don't have the previous line you don't need this line and the
netmask is redundant here.
> # accept packets from...
> restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap
I assume all of these subnets are what you want to control. Where is the
line to allow 192.168.1.1 to send packets and modify the clock? Your
restrict statements are what's killing you.
> --- end /etc/ntp.conf on 192.168.2.1 ---
> So I run the daemon:
> $ /usr/sbin/ntpd -p /var/run/ntpd.pid -c /etc/ntp.conf
Add -g to the command line to get it to initially not panic and to set
> 192.168.2.1: Server dropped: strata too high
> server 192.168.2.1, port 123
> stratum 16, precision -19, leap 11, trust 000
Stratum 16 means that it's not synchronized and so it is not allowing any
client to get synchronization from it.
> refid [192.168.2.1], delay 0.02597, dispersion 0.00000
> transmitted 4, in filter 4
> reference time: 00000000.00000000 Thu, Feb 7 2036 17:28:16.000
> originate timestamp: cad947a4.ebce9575 Mon, Nov 5 2007 18:41:24.921
> transmit timestamp: cad947a4.f189ce4a Mon, Nov 5 2007 18:41:24.943
> filter delay: 0.02609 0.02597 0.02600 0.02600
> 0.00000 0.00000 0.00000 0.00000
> filter offset: -0.02255 -0.02258 -0.02260 -0.02260
> 0.000000 0.000000 0.000000 0.000000
> delay 0.02597, dispersion 0.00000
> offset -0.022588
> 5 Nov 18:41:24 ntpdate: no server suitable for synchronization found
> I believe "leap 11" is key, possibly indicating that there is a time
> difference too great between the server and client.
leap 11 makes no difference since the clock is not synchronized to anything.
> Again on an NTP client box:
> $ sudo ntpdate -d 192.168.1.1
> 5 Nov 18:28:39 ntpdate: ntpdate 4.2.4p0 at 1.1472-o Thu Oct 4 22:22:32
> stratum 4, precision -19, leap 00, trust 000
This system is synchronized as a stratum 4 box.
You should use ntpq to look at your servers and not ntpdate.
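
An added example, not part of the original post or of ntpd itself: a small Python check that applies the quoted restrict list to each configured `server` address and reports any upstream whose replies fall under `ignore`. It assumes ntpd's rule that the most specific matching restrict entry wins; the helper names and the bare `restrict 192.168.1.1` line used as one possible fix are illustrative assumptions.

```python
import ipaddress

# The server and restrict lines from the quoted /etc/ntp.conf.
NTP_CONF = """\
server 192.168.1.1
driftfile /var/db/ntpd.drift
restrict default ignore
restrict 127.0.0.1 mask 255.255.255.255
restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restricts(conf):
    """Return [(network, flags)] for each IPv4 restrict line."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        mask = "255.255.255.255"          # ntpd's default mask is a host mask
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        rules.append((ipaddress.ip_network(f"{addr}/{mask}"), set(rest)))
    return rules

def flags_for(rules, source):
    """Flags of the most specific (longest-mask) entry matching source."""
    ip = ipaddress.ip_address(source)
    matches = [(net, fl) for net, fl in rules if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else set()

def blocked_servers(conf):
    """Configured 'server' addresses whose packets the restrict list ignores."""
    rules = parse_restricts(conf)
    servers = [ln.split()[1] for ln in conf.splitlines() if ln.startswith("server ")]
    return [s for s in servers if "ignore" in flags_for(rules, s)]

if __name__ == "__main__":
    print("ignored upstream servers:", blocked_servers(NTP_CONF))
    fixed = NTP_CONF + "restrict 192.168.1.1\n"   # assumed fix, one possibility
    print("after adding a restrict line:", blocked_servers(fixed))
```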