[ntp:questions] Windows Time with NTPv4
mayer at ntp.isc.org
Sun Mar 16 18:00:20 UTC 2008
Martin Burnicki wrote:
> Evandro Menezes wrote:
>> But doesn't symmetric association require authorization or is it only
>> true when there's a keys file?
> AFAIK peer associations do require authentication configured correctly.
No, that's not required. It should be required and you can specify a key
on the peer directive line.
>> Luckily, their
>> jitter sucked and being themselves synchronized to the NAS they were
>> never selected as references. Anyways, I removed the line disabling
>> authorization and NTP didn't accept those systems as peers anymore,
>> even though they still connect to the NAS using mode 1.
> This seems to indicate that ntpd is running on the XP machines and has been
> configured correctly with authentication.
No, it sounds like w32time is being run on these machines, otherwise the
jitter would not be so bad.
> Setting up peers requires that the admins of the involved machines are
> willing to do so, since peers can ask the other peers to change their time.
> Of course the admin of an NTP server does not want his NTP server's time to be
> changed just because some dumb client sends some packet asking to do so.
Set up restrict with notrust on the LAN network addresses.
> This is what happens with w32time which under certain conditions sends
> "peer" requests instead of "client" requests. Since those w32time clients
> have neither been configured nor authenticated as peers, the question is
> how they should be handled by ntpd.
> The default was that ntpd just dropped those requests, i.e. didn't send a
> response at all, in which case the w32time clients were unable to
> synchronize to the NTP server, unless they were reconfigured correctly to
> send "client" requests.
I think that this is what Dave was talking about where the NTP code was
allowing it to set the clock.
> The workaround in ntpd was to send normal "server" responses as it would do
> for normal "client" requests, so those w32time clients are happy.
Yes, but the challenge is to identify those systems as sending the wrong
NTP packet mode.
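
Added example, not part of the original post and not ntpd code: a sketch of how captured UDP/123 payloads could be checked for the pattern discussed in this thread, i.e. mode 1 (symmetric active) requests arriving without a MAC from hosts that were never configured as peers. All function names, addresses and sample packets are constructed for illustration, and the MAC check assumes no NTPv4 extension fields are present.

```python
from collections import Counter

NTP_HEADER_LEN = 48
MAC_LENGTHS = {20, 24}          # 4-byte key ID + MD5 (16) or SHA-1 (20) digest
SYMMETRIC_ACTIVE, CLIENT = 1, 3

def parse_first_octet(payload):
    """Return (leap, version, mode) from the first octet of an NTP packet."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    b = payload[0]
    return b >> 6, (b >> 3) & 0x7, b & 0x7

def carries_mac(payload):
    """Heuristic: trailing bytes after the header match a MAC length."""
    return len(payload) - NTP_HEADER_LEN in MAC_LENGTHS

def unconfigured_symmetric_sources(packets, configured_peers):
    """Count unauthenticated mode 1 packets per source not configured as a peer."""
    hits = Counter()
    for src, payload in packets:
        try:
            _, _, mode = parse_first_octet(payload)
        except ValueError:
            continue                      # truncated or non-NTP payload
        if (mode == SYMMETRIC_ACTIVE and src not in configured_peers
                and not carries_mac(payload)):
            hits[src] += 1
    return dict(hits)

def make_packet(version, mode, mac=b""):
    """Build a constructed sample packet: LI=0, given version and mode."""
    return bytes([(version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1) + mac

# Constructed sample capture (documentation addresses, not real hosts).
SAMPLE = [
    ("192.0.2.10", make_packet(3, SYMMETRIC_ACTIVE)),   # unconfigured, no MAC
    ("192.0.2.10", make_packet(3, SYMMETRIC_ACTIVE)),
    ("192.0.2.20", make_packet(4, CLIENT)),             # ordinary client
    ("192.0.2.30", make_packet(4, SYMMETRIC_ACTIVE, mac=bytes(20))),  # real peer
    ("192.0.2.40", b"\x1b"),                            # truncated payload
]
CONFIGURED_PEERS = {"192.0.2.30"}

if __name__ == "__main__":
    for src, n in unconfigured_symmetric_sources(SAMPLE, CONFIGURED_PEERS).items():
        print(f"{src}: {n} unauthenticated symmetric-active packets")
```
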