[ntp:questions] Problem using ntp autokey with the trusted ce rtificate identity s cheme

Bartholome, Alain alain.bartholome at eads.com
Tue Feb 10 15:38:16 UTC 2009


I downloaded the development version of NTP (4.2.5p158), I installed it on
all the systems, I kept  the certificates and the same configuration (except
the logconfig line  of ntp.conf) especially one trusted system.
It works. 
The synchronization of server3 occurred quite quickly.
I am quite worried about the release version...
Thanks for your help.
 
Alain BARTHOLOMÉ



-----Message d'origine-----
De : questions-bounces+alain.bartholome=eads.com at lists.ntp.org
[mailto:questions-bounces+alain.bartholome=eads.com at lists.ntp.org] De la
part de Martin Burnicki
Envoyé : mardi 10 février 2009 10:17
À : questions at lists.ntp.org
Objet : Re: [ntp:questions] Problem using ntp autokey with the trusted
certificate identity scheme

Steve Kostecke wrote:
> On 2009-02-10, Danny Mayer <mayer at ntp.isc.org> wrote:
>> Steve Kostecke wrote:
>> [---=| Quote block shrinked by t-prot: 24 lines snipped |=---]
>>
>>>> server3 does not synchronize with server2
>>> 
>>> The problem here is that you want to operate _two_ trust groups:
>>> 
>>> server2 trusts serverT1
>>> server3 trusts server2
>>> 
>>> Server3 needs to be able to trust server2. Try regenerating the
>>> paramters on server2 using '-T'.
>>
>> My understanding from what Dave has said is that the newer versions of
>> the development branch supports multiple trust groups.
> 
> You missed the point. The OP has set up a _chain_ of two trust groups.
> This is not a problem with one ntpd serving multiple trust groups.
> 
> The server for the second trust group needs to have a trusted cert so
> that it will be trused by its client.

This is an interesting setup, but should not be very uncommon.

Has anyone *tried* to configure autokey so that a machine is a client which
uses one certificate for his upstream server, and additionally acts as a
server who provides its own certificate to its clients?

This setup should also be mentioned in 
http://support.ntp.org/Support/ConfiguringAutokey

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany

_______________________________________________
questions mailing list
questions at lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions



More information about the questions mailing list