[ntp:questions] Windows Time with NTPv4

Danny Mayer mayer at ntp.isc.org
Sun Mar 16 18:00:20 UTC 2008


Martin Burnicki wrote:
> Evandro,
> 
> Evandro Menezes wrote:
>> But doesn't symmetric association require authorization or is it only
>> true when there's a keys file?
> 
> AFAIK peer associations do require authentication configured correctly.
>  

No, that's not required. It should be required and you can specify a key 
on the peer directive line.

>> Luckily, their 
>> jitter sucked and being themselves synchronized to the NAS they were
>> never selected as references.  Anyways, I removed the line disabling
>> authorization and NTP didn't accept those systems as peers anymore,
>> even though they still connect to the NAS using mode 1.
> 
> This seems to indicate that ntpd is running on the XP machines and has been
> configured correctly with authentication.
> 

No, it sounds like w32time is being run on these machines, otherwise the 
jitter would not be so bad.

> Setting up peers requires that the admins of the involved machines are
> willing to do so, since peers can ask the other peers to change their time.
> 
> Of course the admin of an NTP server does not want his NTP server's time to be
> changed just because some dumb client sends some packet asking to do so.
> 

Set up restrict with notrust on the LAN network addresses.

> This is what happens with w32time which under certain conditions sends
> "peer" requests instead of "client" requests. Since those w32time clients
> have neither been configured nor authenticated as peers, the question is
> how they should be handled by ntpd.
> 
> The default was that ntpd just dropped those requests, i.e. didn't send a
> response at all, in which case the w32time clients were unable to
> synchronize to the NTP server, unless they were reconfigured correctly to
> send "client" requests.
> 

I think that this is what Dave was talking about where the NTP code was 
allowing it to set the clock.

> The workaround in ntpd was to send normal "server" responses as it would do
> for normal "client" requests, so those w32time clients are happy.
> 

Yes, but the challenge is to identify those systems as sending the wrong 
NTP packet mode.

Danny
> 
> Martin
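
An added example, not part of the original message and not ntpd's own code: one way to identify hosts that send symmetric active (mode 1) packets without being configured as peers, by reading the mode bits from the first octet of each captured NTP packet. The function names, the sample addresses and the rule that treats a trailing 20 or 24 bytes as a MAC are assumptions made for this sketch.

```python
from collections import Counter

HEADER_LEN = 48            # fixed NTP header size in bytes
MAC_LENS = (20, 24)        # key ID (4) + MD5 (16) or SHA-1 (20) digest
SYMMETRIC_ACTIVE, CLIENT = 1, 3

def parse_first_octet(packet: bytes):
    """Return (leap, version, mode) from the first octet of an NTP packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    b = packet[0]
    return b >> 6, (b >> 3) & 0x7, b & 0x7

def has_mac(packet: bytes) -> bool:
    """True if a key ID and digest follow the header (extension fields ignored)."""
    return len(packet) - HEADER_LEN in MAC_LENS

def unexpected_peers(observed, configured_peers):
    """Count unauthenticated mode 1 packets per source not configured as a peer."""
    hits = Counter()
    for src, packet in observed:
        try:
            _, _, mode = parse_first_octet(packet)
        except ValueError:
            continue  # not a complete NTP packet; skip it
        if (mode == SYMMETRIC_ACTIVE and src not in configured_peers
                and not has_mac(packet)):
            hits[src] += 1
    return dict(hits)

def make_packet(version, mode, mac_len=0):
    """Build a constructed packet: first octet set, all other fields zeroed."""
    return bytes([(version << 3) | mode]) + bytes(HEADER_LEN - 1 + mac_len)

# Constructed sample traffic (documentation addresses, not taken from the thread).
SAMPLE = [
    ("192.0.2.10", make_packet(3, SYMMETRIC_ACTIVE)),      # unconfigured, mode 1
    ("192.0.2.10", make_packet(3, SYMMETRIC_ACTIVE)),
    ("192.0.2.20", make_packet(4, CLIENT)),                # ordinary client request
    ("192.0.2.30", make_packet(4, SYMMETRIC_ACTIVE, 20)),  # configured peer with MAC
    ("192.0.2.40", b"\x19" * 10),                          # truncated datagram
]

if __name__ == "__main__":
    print(unexpected_peers(SAMPLE, configured_peers={"192.0.2.30"}))
```

Sources reported by this check are candidates for reconfiguration to send client requests, or for a `restrict` line as suggested in the message.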



