I've been reading NTP documentation for hours and I still don't get it

Buddha Bart

I currently have this network setup, and would like to set up "moosehead" as an NTP server, and all the others as clients to it.

I've installed the RPM, edited the ntp.conf to include "sundial.columbia.edu" and "ntp0.cornell.edu", and performed an ntpdate sync.

Here are my remaining questions:
1.) Do I need ntpd to sync, or just to offer the service? AKA, do I need UDP port 123 open for incoming connections on moosehead?
1a) If not, how do I sync? Is there a way to start ntp without it acting as a network daemon? Basically a glorified cron job.

2.) How/should I set up the "keys" file and authentication? I'm not sure what good this would do me, since I'm connecting to a public server anyway.

Any help would be appreciated.
bart

n0cmonkey

OpenBSD doesn't seem to be installing the man pages for this. I'll see if I can find more information :/

Buddha Bart

Yea, they didn't come with the RPM either.

I've been using the stuff that it threw in /usr/share/doc/ntp-blahversionblah

The default config seems to run the daemon, but not allow any connections.
Grrr, a simple 1-page explanation of this would be perfect, and is probably what 99.999999% of NTP users need.

bart

Buddha Bart

Yea, I've read through that (and again now) but it still doesn't help me.

It doesn't tell me anything about all the "restrict blahblahblahblah" lines in the config file, and what they do/mean.

On the one hand you'd think, with the word "restrict", that they'd be blocking something. On the other hand, if you read the comments, it seems that they restrict access to only what's specified after the restrict word. A man page would really help here.

Yea, I could just take the easy way out and use a cron job/ntpdate... I was just hoping to do it right.

bart

n0cmonkey

default noserve # default deny
127.0.0.1 # allow local host
128.4.0.0 mask 255.255.0.0 # allow DCnet clients
128.175.0.0 mask 255.255.0.0 # allow UDel clients
140.173.0.0 mask 255.255.0.0 # allow DARTnet/CAIRN clients


I'm thinking, if you enter something like this (changing the IP addresses to your IP addresses) it should work. But I didn't get much sleep and I've been trying to get some other things working today, so I think I fried my brain :(

Buddha Bart

Here's what I figure is the relevant section of the config file....

***************** BEGINS HERE *********************

# Prohibit general access to this service.
restrict default ignore

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.0.0.0 mask 255.255.255.0 notrust nomodify notrap


# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip

server sundial.columbia.edu
server ntp0.cornell.edu

************* ENDS HERE ***************************

I've tried a dozen combinations of commenting things out, but nothing. Any ideas?
Edit: BTW, even with this config, I cannot connect from localhost (read the second stanza to see why this seems odd to me).

bart
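An added example, not from the thread: a small Python model of how ntpd evaluates the restrict stanzas quoted above. ntpd applies the most specific (longest-prefix) entry that matches the client's address, so "restrict default ignore" plus a single network entry admits only that network and loopback; the config text below is constructed from the thread's sample, and the flag names are treated as opaque except for "ignore" and "noserve", which deny time service outright.

```python
import ipaddress

# Constructed sample built from the restrict/server stanzas quoted in the thread.
SAMPLE_CONF = """\
# Prohibit general access to this service.
restrict default ignore
# Permit all access over the loopback interface.
restrict 127.0.0.1
# Permit systems on this network to synchronize with this time service.
restrict 10.0.0.0 mask 255.255.255.0 notrust nomodify notrap
server sundial.columbia.edu
"""

# Flags that stop a host from getting time at all; the other flags only limit
# what an already-served host may do (query, modify, trap).
DENY_FLAGS = {"ignore", "noserve"}

def parse_restrict(conf):
    """Return (network, flags) pairs from the restrict lines, comments dropped.
    'default' maps to 0.0.0.0/0, a bare address to a /32 host entry."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict "):
            continue
        tokens = line.split()[1:]
        if tokens[0] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        elif len(tokens) >= 3 and tokens[1] == "mask":
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False)
            flags = tokens[3:]
        else:
            net, flags = ipaddress.ip_network(f"{tokens[0]}/32"), tokens[1:]
        rules.append((net, frozenset(flags)))
    return rules

def effective_flags(rules, client_ip):
    """Flags ntpd applies to a client: those of the most specific (longest
    prefix) matching entry.  No matching entry means no restriction at all."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net, flags) for net, flags in rules if addr in net]
    if not matches:
        return frozenset()
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def can_sync(rules, client_ip):
    """True if ntpd would answer this client with time at all."""
    return not (effective_flags(rules, client_ip) & DENY_FLAGS)
```

Run effective_flags(parse_restrict(SAMPLE_CONF), "10.0.0.12") to see which flags a LAN client ends up with; a client on any other network falls through to the "ignore" default.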

Nothinman

ntpdate on the client syncs it with the specified NTP server; I don't believe there's a way to have the server update the client's time.

NTP transactions always happen on port 123; it's the source port and destination port, so you'll need both open for UDP.

I just installed ntpdate and ntp, and with the Debian defaults it 'just works' =)

SUOrangeman

If I understand ntpd correctly, and you specify at least two NTP servers "above" your server, then your machine becomes a "Stratum-2" (is that the correct term?) server. Your server will maintain a continuous connection to the two servers above and will then serve any clients pointed to your server.

I think there is an ntpq utility that verifies the connection to the two servers above you.

I have about 30 machines, one of which is an NTP server for the others. I didn't configure it myself, but that's what I understand to be going on.

-SUO

Buddha Bart

Nothinman: ntpdate is also a client, but you're 'supposed' to use ntpd.

SUO: yeah, ntpq -p shows the two connections, so the client portion appears to be working, but if I "ntpdate 10.0.0.12" from another machine on my network I get
"28 Jul 20:53:08 ntpdate[20537]: bind() fails: Permission denied"

So the server side seems to be locked down in the config file... I just can't figure out how to unlock it.

Anyone just happen to have a working Red Hat/Mandrake/SuSE config file I can look at? Heck, I'll try your Debian one, Nothinman.

bart

Nothinman

bind is probably failing because either something else already bound the address/port or it's not running as root.

Buddha Bart

Yea, sorry, I tried that command again as root, and got this error instead (this is client side):

28 Jul 21:22:21 ntpdate[20578]: no server suitable for synchronization found

knappster

Originally posted by: Buddha Bart
Yea, sorry, I tried that command again as root, and got this error instead (this is client side):

28 Jul 21:22:21 ntpdate[20578]: no server suitable for synchronization found

Yah... I get that error sometimes too. I update all my FreeBSD boxes around 4 or 5 in the morning using ntpdate, and probably once a week I get that message. I just think there is too much traffic going to the NTP server at that time, although, like always, I could be wrong :)

Buddha Bart

Fine, I quit; ntpdate is now in a cron job.

Someday I'll have the money to leave this open-source farce behind.

bart

Nothinman

Fine, I quit; ntpdate is now in a cron job.

Why do you act like that's a bad thing? It's obviously a lot simpler and you get basically the same results.

Someday I'll have the money to leave this open-source farce behind.

Right, like money makes software work better...