[ntp:questions] systems won't synchronize no matter what

Steve Kostecke kostecke at ntp.org
Wed Oct 27 00:47:56 UTC 2010


On 2010-10-22, Florin Andrei <florin at andrei.myip.org> wrote:

> Config file:

The real issue is the last line in your configuration file...

> server 10.10.16.65 iburst
> server 10.10.16.64 iburst
> server 127.127.1.0 # local clock
> fudge 127.127.1.0 stratum 10

The Undisciplined Local Clock driver (127.127.1.x) is not a backup. It
merely allows ntpd to claim to be synced to a time source when it is
actually free-wheeling.

In most cases the Undisciplined Local Clock should only be used by an
ntpd which must serve time to others even when no time sources are
reachable (or available).

> driftfile /etc/ntp/drift

It is usually considered bad form to allow daemons to write to the /etc
directory. A better place for the drift file is somewhere under /var.

> restrict 127.0.0.0 mask 255.0.0.0
> restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap

nomodify == "Do not allow this host/subnet to modify the ntpd settings
even if they have the correct keys." By default ntpd requires
authentication with symmetric keys for modifications made with ntpdc. So
if you don't configure symmetric keys for your ntpd, or keep them
properly safeguarded, you don't need to use 'nomodify' unless you are
concerned that the NTP authentication scheme might be compromised or
that someone might start ntpd with -A.

notrap == "Do not allow this host/subnet to request a monitoring trap
(similar to an SNMP trap)."

> restrict default ignore

Your default restriction line is telling ntpd to ignore all NTP packets.
This includes your remote time servers. The only NTP packets which are
being allowed in/out are for 127.0.0.1 and 192.168.3.0/24. This is why
these three systems won't sync.

At a minimum you should add a restrict line for each of your time
servers which sets "relaxed" restrictions. e.g.

restrict 10.10.16.64 noquery
restrict 10.10.16.65 noquery

You could also set a reasonable default restriction which allows only
global time service. Then relax the restrictions for localhost and your
LAN.
 
You may wish to review
http://support.ntp.org/bin/view/Support/AccessRestrictions

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
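
The diagnosis in the reply above can be checked mechanically. The following is an added example, not part of the original post and not ntpd code: it parses the configuration quoted in the thread and reports which network servers fall under an `ignore` restriction. It assumes IPv4 literal addresses only and models ntpd's restrict matching as "the most specific matching entry wins"; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the configuration lines quoted in the thread.
SAMPLE_CONF = """\
server 10.10.16.65 iburst
server 10.10.16.64 iburst
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap
restrict default ignore
"""
REFCLOCKS = ipaddress.ip_network("127.127.0.0/16")  # driver pseudo-addresses

def parse(conf):
    """Return (network server addresses, [(network, flags)]) from ntp.conf text."""
    servers, rules = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok and tok[0] == "server":
            addr = ipaddress.ip_address(tok[1])
            if addr not in REFCLOCKS:  # refclock drivers are not network peers
                servers.append(addr)
        elif tok and tok[0] == "restrict":
            rest = tok[2:]
            if tok[1] == "default":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif rest[:1] == ["mask"]:
                net = ipaddress.ip_network(f"{tok[1]}/{rest[1]}", strict=False)
                rest = rest[2:]
            else:
                net = ipaddress.ip_network(tok[1])  # no mask: single host
            rules.append((net, set(rest)))
    return servers, rules

def ignored_servers(conf):
    """Servers whose most specific matching restrict entry carries 'ignore'."""
    servers, rules = parse(conf)
    blocked = []
    for s in servers:
        matches = [r for r in rules if s in r[0]]
        if matches:
            _, flags = max(matches, key=lambda r: r[0].prefixlen)
            if "ignore" in flags:
                blocked.append(str(s))
    return blocked

if __name__ == "__main__":
    print(ignored_servers(SAMPLE_CONF))
```

Appending the two `restrict ... noquery` lines suggested in the reply gives each server a host-specific entry, and the function then returns an empty list.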



