[ntp:questions] phantom server with MacOSX

Chuck Swiger cswiger at mac.com
Wed Aug 18 18:43:14 UTC 2010

Hi, RFC-1035--

On Aug 17, 2010, at 4:32 AM, ntpquestions at rfc1035.com wrote:
> I've stumbled on a weird problem with NTP 4.2.6 on MacOSX. I compiled
> and installed the code myself. The box is not running whatever NTP code
> is shipped with the OS. All is well (sort of). The server is chiming
> away quite happily.

You didn't mention which version of MacOS X you were running (uname -a or sw_vers).  The default config under 10.6 looks something like:

% ps auxww | grep ntpd | grep -v grep
root        55   0.0  0.0  2435208   1144   ??  Ss    5Aug10   0:52.39 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift

% cat /private/etc/ntp-restrict.conf
# Access restrictions documented in ntp.conf(5) and
# http://support.ntp.org/bin/view/Support/AccessRestrictions
# Limit network machines to time queries only

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# localhost is unrestricted
restrict -6 ::1

includefile /private/etc/ntp.conf

% cat /private/etc/ntp.conf
server time.apple.com

> However it's peering with an Apple NTP server that I didn't configure.
> Can anyone suggest what's caused that or how to fix it? This phantom NTP
> server persists across restarts of ntpd and reboots, even though it's
> not listed in /etc/ntp.conf. I have no idea where it's picking up the
> name of this server from => how to get rid of it.

Pay attention to the launch arguments of ntpd; make sure you are running the binary you expect and pointing to the config file you expect.  If need be, run "ntpd -d", make sure it returns your 4.2.6 version rather than something like "ntpd 4.2.4p4 at 1.1520-o" which would be the base OS binary; and pay attention to newpeer events.

If that's still not enough, "dtruss /usr/sbin/ntpd -n -d" (or whatever the path to your binary is) should return output like:

write_nocancel(0x1, "addto_syslog: Listening on routing socket on fd #27 for interface updates\n\0", 0x4A) = 74 0
write_nocancel(0x1, "local_clock: time 0 offset 0.000000 freq 0.000 state 0\n\0", 0x37) = 55 0
open_nocancel("/etc/ntp.conf\0", 0x0, 0x1B6) = 3 0
fstat64(0x3, 0x7FFF5FBFED60, 0x7FFF5FBFEE2C) = 0 0
read_nocancel(0x3, "server time.apple.com\n\0", 0x1000) = 22 0

...and that will show you exactly which config file is being opened and what was read from it.

> Although this is no big deal, I am puzzled and a bit annoyed that Apple
> appear to be stamping over my NTP setup and not explaining how or why
> they do that. It's the thin edge of the wedge. If His Steveness doesn't
> like my NTP configuration, what else might he take exception to?

I admire the humor behind the notion that Steve would care about your NTP configuration; if the issue comes down to a user configuration issue, you'll hopefully retain this sense of humor.  :-)


More information about the questions mailing list