LinuxQuestions.org
Old 12-14-2009, 06:47 PM   #1
molybtek
LQ Newbie
 
Registered: Oct 2008
Posts: 8

Rep: Reputation: 0
ntp reachable but rejected


I have an NTP server running in my local network with access to the internet. The local network is divided into two subnets: the main subnet, where the NTP server is running, and a second subnet. Computers on both subnets sync with the same NTP server. Computers on the second subnet are able to sync without any problem; however, computers in the first subnet aren't.

Results from a computer on the second subnet:
ntpq> as

ind assID status conf reach auth condition last_event cnt
===========================================================
1 21580 96f4 yes yes none sys.peer reachable 15
ntpq> rv 21580
assID=21580 status=96f4 reach, conf, sel_sys.peer, 15 events, event_reach,
srcadr=172.23.68.1, srcport=123, dstadr=172.23.24.4, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=744.110,
rootdispersion=45.410, refid=150.101.254.110, reach=377, unreach=0,
hmode=3, pmode=4, hpoll=10, ppoll=10, flash=00 ok, keyid=0, ttl=0,
offset=-11.957, delay=3.699, dispersion=0.121, jitter=0.266,
reftime=ced14637.b8280503 Tue, Dec 15 2009 9:18:15.719,
org=ced146de.d2201214 Tue, Dec 15 2009 9:21:02.820,
rec=ced146de.d5bed30f Tue, Dec 15 2009 9:21:02.834,
xmt=ced146de.d4c0ce91 Tue, Dec 15 2009 9:21:02.831,
filtdelay= 3.85 4.17 4.49 4.02 6.84 3.88 3.70 4.37,
filtoffset= -12.22 -12.24 -11.77 -11.95 -11.48 -11.93 -11.96 -11.66,
filtdisp= 0.00 0.03 0.06 0.09 0.12 0.15 0.18 0.21


Results from a computer on the first subnet:
ntpq> as

ind assID status conf reach auth condition last_event cnt
===========================================================
1 24754 9014 yes yes none reject reachable 1
ntpq> rv 24754
assID=24754 status=9014 reach, conf, 1 event, event_reach,
srcadr=172.23.68.1, srcport=123, dstadr=172.23.68.121, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=713.562,
rootdispersion=74.646, refid=128.250.33.242, reach=001, unreach=1,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=47.597, delay=0.199, dispersion=937.522, jitter=0.401,
reftime=ced148b7.91cc707e Tue, Dec 15 2009 9:28:55.569,
org=ced1493c.eeca2f8b Tue, Dec 15 2009 9:31:08.932,
rec=ced1493c.e2a15d5d Tue, Dec 15 2009 9:31:08.885,
xmt=ced1493c.e292c36b Tue, Dec 15 2009 9:31:08.885,
filtdelay= 0.20 0.16 0.17 0.21 0.00 0.00 0.00 0.00,
filtoffset= 47.60 47.40 47.22 47.05 0.00 0.00 0.00 0.00,
filtdisp= 0.00 0.03 0.06 0.09 16000.0 16000.0 16000.0 16000.0


The main difference I can see is for the one rejected, it has a flash=400 peer_dist instead of flash=00 ok

Is there anything I could do to fix that? Thanks.
 
Old 12-14-2009, 07:47 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650
You'll need to check the ntp server config, /etc/ntp.conf; you're probably missing a line for one of the subnets

eg.

Code:
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
cheers
 
Old 12-15-2009, 12:45 AM   #3
molybtek
LQ Newbie
 
Registered: Oct 2008
Posts: 8

Original Poster
Rep: Reputation: 0
I even allowed full access from one of the clients to test and make sure the server is not rejecting due to a restriction.
Code:
restrict 172.23.68.121
The full ntp.conf on the server is

Code:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

restrict 172.23.68.0 mask 255.255.255.0 nomodify notrap 
restrict 172.23.68.121

server ntp.tbpl.com.au iburst
server ntp1.cs.mu.OZ.AU iburst
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys
On the client:
Code:
driftfile /var/lib/ntp/ntp.drift

statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

logconfig =syncstatus +allevents +allinfo +allstatus
logfile /var/log/ntpd

server 172.23.68.1 iburst
restrict 172.23.68.1

restrict 127.0.0.1
From the client within the same subnet, I can use ntpdate to sync the clock, but ntpd doesn't - it rejects the reply...

Last edited by molybtek; 12-15-2009 at 12:49 AM.
 
Old 12-15-2009, 03:16 AM   #4
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,576
Blog Entries: 31

Rep: Reputation: 1195
Unless there is a danger of NTP requests causing an excessive load on -- or interfering with -- your NTP server you could simply remove the restrict lines from the ntp.conf file.

I tried a variety of simple restricts and could not get any of them to work so commented them out. This ntp.conf works for me. KISS!
Code:
# Configuration file for ntpd.

# Time sources
server in.pool.ntp.org
server asia.pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Drift file
driftfile /etc/ntp/drift

# Access control
# First deny access to all
#restrict default ignore
# Then open up to LAN without allowing them to change time or be used as time sources
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Last edited by catkin; 12-15-2009 at 03:18 AM. Reason: Added "-- or interfering with --"
 
Old 12-15-2009, 03:50 PM   #5
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650
You only have one subnet listed in your servers config -

Quote:
restrict 172.23.68.0 mask 255.255.255.0 nomodify notrap
.. but you said you had 2 subnets, if you duplicate the line above but change it to the subnet the ntp server is on all should be ok

.. and don't forget to restart ntp

cheers
 
Old 12-15-2009, 05:19 PM   #6
molybtek
LQ Newbie
 
Registered: Oct 2008
Posts: 8

Original Poster
Rep: Reputation: 0
The subnet listed is actually the one the server is on, and it is clients within this subnet that are rejecting the ntp.

I've tried adding the other subnet as well, and also removing all the restrict lines, but again, the clients on the same subnet as the server are rejecting, whereas the other subnet syncs without a problem.

The weird thing is ntpdate works but not ntpd.
 
Old 12-15-2009, 07:04 PM   #7
molybtek
LQ Newbie
 
Registered: Oct 2008
Posts: 8

Original Poster
Rep: Reputation: 0
From the NTP documentation, the flash code of 400 indicates that "The autokey protocol has not verified the server or peer is proventic and has valid public key credentials. See the Authentication Options page."

However, I'm not sure what to do about it... is there a way to turn authentication off?
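As an added example (not code from the thread or from ntpd), here is a small Python helper that parses the `rv` output quoted in post #1, decodes the `flash` bitmask using the bit names ntpq itself prints (the `peer_dist` bit at 0x400 matches the quoted output), and computes the peer's synchronization distance that the `peer_dist` test compares against `tos maxdist`; the threshold default differs between ntpd releases, so it is passed in as an argument rather than assumed. The trimmed sample text, the zero update age and the 15 ppm frequency tolerance are assumptions made for the example.

```python
import re

# Flash status bits in the order ntpq decodes them; "peer_dist" (0x0400)
# is the bit shown in the thread's "flash=400 peer_dist" output.
FLASH_BITS = [
    (0x0001, "pkt_dup"), (0x0002, "pkt_bogus"), (0x0004, "pkt_unsync"),
    (0x0008, "pkt_denied"), (0x0010, "pkt_auth"), (0x0020, "pkt_stratum"),
    (0x0040, "pkt_header"), (0x0080, "pkt_autokey"), (0x0100, "pkt_crypto"),
    (0x0200, "peer_stratum"), (0x0400, "peer_dist"), (0x0800, "peer_loop"),
    (0x1000, "peer_unreach"),
]

# Constructed sample: the rejected client's "rv" lines from post #1,
# trimmed to the fields used below.
RV_REJECTED = """\
srcadr=172.23.68.1, srcport=123, dstadr=172.23.68.121, dstport=123,
leap=00, stratum=2, precision=-20, rootdelay=713.562,
rootdispersion=74.646, refid=128.250.33.242, reach=001, unreach=1,
hmode=3, pmode=4, hpoll=6, ppoll=6, flash=400 peer_dist, keyid=0, ttl=0,
offset=47.597, delay=0.199, dispersion=937.522, jitter=0.401,
"""

def parse_rv(text):
    """Turn 'key=value, key=value' lines into a dict; values stay strings."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=([^,]*)", text)}

def decode_flash(flash_field):
    """flash is printed as a hex code followed by ntpq's own decoding;
    decode the hex part into the list of set bit names."""
    code = int(flash_field.split()[0], 16)
    return [name for bit, name in FLASH_BITS if code & bit]

def root_distance_ms(f, age_s=0.0, phi=15e-6):
    """Synchronization distance as in RFC 5905: (rootdelay + delay)/2
    + rootdispersion + dispersion + phi*age + jitter. ntpq reports
    the delay and dispersion fields in milliseconds; phi is the assumed
    15 ppm frequency tolerance and age_s the seconds since last update."""
    return ((float(f["rootdelay"]) + float(f["delay"])) / 2
            + float(f["rootdispersion"]) + float(f["dispersion"])
            + phi * age_s * 1000 + float(f["jitter"]))

def peer_distance_ok(f, maxdist_ms):
    """True if the peer passes the distance test for the given threshold."""
    return root_distance_ms(f) < maxdist_ms
```

With only one sample in the filter (reach=001) the peer dispersion of 937 ms dominates the distance, which is why a fresh association can fail the distance test before it has accumulated enough replies.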
 
Old 12-15-2009, 08:48 PM   #8
molybtek
LQ Newbie
 
Registered: Oct 2008
Posts: 8

Original Poster
Rep: Reputation: 0
OK - I think I've found the problem - the server is running ntpd 4.2.2p1@1.1570-o Sat Nov 10 12:33:50 UTC 2007 (1) (CentOS5)

All the clients in the other subnet are running ntpd: ntpd 4.2.0a@1.1190-r Sun Aug 13 01:49:12 CDT 2006 (1) (CentOS4)

I've found that a client on the first subnet which I thought wasn't syncing is actually able to sync; it is also a CentOS4 machine, whereas all the other machines are CentOS5, plus one Ubuntu 9.10, which is running Ver. 4.2.4p6.

So it seems like ntp v4.2.0 is able to sync with 4.2.2, however 4.2.2 or 4.2.4 can't. Now to find out what's changed between these versions...
 