[ntp:questions] Reference clock all messed up?

Danny Mayer mayer at ntp.isc.org
Sun Nov 11 02:54:02 UTC 2007


Adam Bolte wrote:
> Howdy all,
> 
> I've got a problem that has been driving me nuts. Hopefully, somebody can
> give me a clue.
> 
> I've been requested to configure an NTP server (192.168.2.1) for the local
> subnets that I'm responsible for. Unfortunately, firewall rules prevent me
> from accessing 123/UDP on the Internet, however there is a machine that
> appears to be running NTP on 192.168.1.1 (outside subnets I administer but
> internal to the company and accessible) which I would like to sync my server to.
> 
> On 192.168.2.1 I'm running FreeBSD 5.4-STABLE with ntpd "4.2.0-a Thu Jan 19
> 11:02:17 EST 2006". According to nmap, 192.168.1.1 might be FreeBSD 6.1 (86%
> sure).
> 
> Note that we don't want all client NTP machines to access 192.168.1.1 -
> otherwise, things would have been much easier.
> 
> --- /etc/ntp.conf on 192.168.2.1 ---
> # /etc/ntp.conf
> 
> server 192.168.1.1
> 

Add iburst to this line for faster synchronization.

> driftfile /var/db/ntpd.drift
> 
> # by default ignore all ntp packets
> restrict default ignore
> 

Why would you want to ignore all packets?

> # allow localhost
> restrict 127.0.0.1 mask 255.255.255.255

If you don't have the previous line you don't need this line and the
netmask is redundant here.

> 
> # accept packets from...
> restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap
> restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap

I assume all of these subnets are what you want to control. Where is the
line to allow 192.168.1.1 to send packets and modify the clock? Your
restrict statements are what's killing you.

> --- end /etc/ntp.conf on 192.168.2.1 ---
> 
> So I run the daemon:
> $ /usr/sbin/ntpd -p /var/run/ntpd.pid -c /etc/ntp.conf
> 

Add -g to the command line to get it to initially not panic and to set
the clock.

> 192.168.2.1: Server dropped: strata too high
> server 192.168.2.1, port 123
> stratum 16, precision -19, leap 11, trust 000

stratum 16 means that it's not synchronized and so it is not allowing any
client to get synchronization from it.

> refid [192.168.2.1], delay 0.02597, dispersion 0.00000
> transmitted 4, in filter 4
> reference time:    00000000.00000000  Thu, Feb  7 2036 17:28:16.000
> originate timestamp: cad947a4.ebce9575  Mon, Nov  5 2007 18:41:24.921
> transmit timestamp:  cad947a4.f189ce4a  Mon, Nov  5 2007 18:41:24.943
> filter delay:  0.02609  0.02597  0.02600  0.02600
>          0.00000  0.00000  0.00000  0.00000
> filter offset: -0.02255 -0.02258 -0.02260 -0.02260
>          0.000000 0.000000 0.000000 0.000000
> delay 0.02597, dispersion 0.00000
> offset -0.022588
> 
>  5 Nov 18:41:24 ntpdate[21447]: no server suitable for synchronization found
> 
> 
> I believe "leap 11" is key, possibly indicating that there is a time
> difference too great between the server and client.

leap 11 makes no difference since the clock is not synchronized to anything.

> Again on an NTP client box:
> $ sudo ntpdate -d 192.168.1.1
>  5 Nov 18:28:39 ntpdate[20392]: ntpdate 4.2.4p0 at 1.1472-o Thu Oct  4 22:22:32
> stratum 4, precision -19, leap 00, trust 000

This system is synchronized as a stratum 4 box.

You should use ntpq to look at your servers and not ntpdate.

Danny
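
The restrict problem pointed out in the reply above, as an added example that is not part of the original message: a small check that reports which `server` entries in an ntp.conf fall under an `ignore` restriction. The function names are hypothetical, only numeric IPv4 addresses are handled, ntpd's restrict ordering is approximated as "most specific entry wins", and the added `restrict 192.168.1.1 ...` line is one possible entry, not one given in the thread.

```python
import ipaddress

# Constructed sample: the ntp.conf quoted in the thread above.
THREAD_CONF = """\
server 192.168.1.1
driftfile /var/db/ntpd.drift
restrict default ignore
restrict 127.0.0.1 mask 255.255.255.255
restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap
"""

def parse(conf):
    """Return (server addresses, [(network, flags)]) from ntp.conf text."""
    servers, rules = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "server":
            # Assumption: servers are given as numeric IPv4 addresses.
            servers.append(ipaddress.ip_address(tok[1]))
        elif len(tok) >= 2 and tok[0] == "restrict":
            rest = tok[2:]
            if tok[1] == "default":
                addr, mask = "0.0.0.0", "0.0.0.0"
            else:
                addr, mask = tok[1], "255.255.255.255"  # no mask means a single host
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            rules.append((ipaddress.ip_network(f"{addr}/{mask}"), set(rest)))
    return servers, rules

def effective_flags(addr, rules):
    """Flags of the most specific restrict entry covering addr (None if no entry)."""
    hits = [r for r in rules if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def blocked_servers(conf):
    """Configured servers whose replies would be dropped because of 'ignore'."""
    servers, rules = parse(conf)
    return [str(s) for s in servers if "ignore" in (effective_flags(s, rules) or set())]

if __name__ == "__main__":
    print("blocked:", blocked_servers(THREAD_CONF))
    # Assumed fix: a host entry for the upstream server that overrides the default.
    fixed = THREAD_CONF + "restrict 192.168.1.1 nomodify notrap noquery\n"
    print("blocked after fix:", blocked_servers(fixed))
```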


