Setting up an NTP server on Ubuntu Fiesty
 

i feel the need to setup an ntp server in my office, so that all the workstations and servers will display the same time.
im not able to connect to any external ntp servers as my firewall is locked down very tight & i therefore cannot open the required ports.
i have a sun ultra60 workstation, with a basic installation of ubuntu fiesty on it. currently its also running bind for name serving to the local network, although this is not yet configured.

i thought i had it right, but it doesnt seem to work.

the ntp.conf file from /etc reads:
(where my two local ip ranges where workstations reside are: xxx.xxx.88.0 & xxx.xxx.128.0)

all that happens when i run

ntpdate ultra60.exampledomain.com

on one of the other computers on the network is i get told no servers could be used.

now i know it resolves correctly, because i can ping the server from the other computers, but i have never managed a functioning ntp setup before so i dont know what could be wrong with it.

thanks for any help

m

Try uncommenting the line allowing broadcast and change it to match your subnet

just tried that,
no joy
the exact response i get from the other server is:
that happens when i put in ntpdate ultra60.exampledomain.com

when i put in just ntpdate (with the server configured in the local /etc/ntp.conf
it tells me:

Time servers conventionally use port 123 and if this is closed on your firewall it will drop requests. You need to open the port to allow requests.

as i mentioned at the start of the thread, i cannot open any other firewall ports.
this is why i am trying setup a ntp server within the firewall, so all the servers inside the firewall will have a synchronized time source, even if that cant be synchronized with the outside world. it just means they would all be synced with others.

If the boxes exist within the firewall then the firewall is irrelevant. This means that you have not configured the broadcast section of ntp correctly.

I think you need to give more detail about your network configuration relative to the box that is acting as the time server.

Right:

in that case

the box to be acting as ntp server is an oldish sun ultra60 with nothing much else to do.

it has ubuntu 7.04 installed on it

it is configured (to the best of my knowledge - as in i didnt configure anything, so whatever is default) without any firewall enabled

the ntp.conf is:

if i run pgrep ntpd

i get a process number, so i presume its running,

i have done /etc/init.d/ntp restart every time i have made a change to the ntp.conf

although the network adapter only has an ip address in one of the ip ranges, i have ensured it has a route to the other range.

if theres any other information you may need.

thanks for your help

(btw the ip addresses arent the actual ones being used but similar examples)

Check that boxes on the networks can ping the ntp box. In the ntp client configs of other boxes on the network(s) use the ip address of the ntp box. If you want to use the domain name then you would need to specify the host name and ip address of the ntp box in the hosts file of each box. It is probably easier to setup the main ntp box to query a source ntp server like uk.pool.ntp.org and then setup ntp servers on each box which would then send requests to your local ntp server. I do this with my own network. The whole thing becomes automated with no need of human intervention.

all the boxes i want ntp to run on can ping thru to the server, on both its ip and its fqdn.

ive configured one of them with its ntp.conf as below:

where the ip address of the server ntp server is 200.38.88.253 and its fqdn is kingpin.mydomain.co.uk

and unfortunately i can't specifiy an external ntp server in the configuration, ntp requests are not allowed past the office firewall. what im attempting to do is keep all the servers within the firewall sync'd

i just added kingpin.mydomain.co.uk to the hosts on the first machine im using to try and access the ntp server.
just to confirm the ip address of the machine im trying to access it from is 200.38.88.243

The ip address you have used ( 200.38.88.243) is a public domain address (registered in Mexico);
inetnum: 200.38.88/24
status: reassigned
owner: SIXSIGMA NETWORKS MEXICO SA DE CV
ownerid: MX-SNMS-LACNIC
address: PASEO DE LA REFORMA 5287
address: CIUDAD DE MEXICO, DF 05000
country: MX
owner-c: JM3007-ARIN
created: 20011113
changed: 20011113
inetnum-up: 200.38.64/19
inetnum-up: 200.38/15
source: ARIN-HISTORIC

Your systems would send requests to that address and the firewall should then drop them and you would then not resolve the address. Your addresses should be restricted to those for privates use;

Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

This kind of error can cause havoc. I used an arbitrary domain name on my son's system which happened to be registered and had endless problems till I found the cause.

sorry, i was out of the country for a week.

i can confirm that the ip addresses i am using are public ip addresses. however the ones i am using are not the ones given in my post, i just used those ones because they are similar and as an example so people would understand what i was after.
the company i work for actually does own all of the public ip addresses that i am using, and if you were to type in the aforementioned ip addresses on an interenter browser you would get our website.

Thanks

If you are using public ip addresses (I am assuming that the server is firewalled) then you need open and forward ntp requests on port 123 which is the standard protocol port. Within a private network this would not usually be required because firewalls would allow connections on most ports.

Firewall should not be an issue. i do not wish to allow ntp outside of my firewall, only within. all the computers that are intended to have access to the ntp service are connected directly by a switch within the firewall. they all share the same ip address range and the same subnet masks.

I am a bit confused why you are referencing public domain boxes in the config then.

If you are referencing boxes on the lan using their local domain names then these must be specified in the relevant /etc/hosts files to be able to resolve. You shouldn't have any problems running ntp services within the lan providing boxes within the lan which are firewalled have statements in the iptables firewall allowing connections from boxes within the lan or have the relevant port open.

So you have a server providing time which you want all other boxes to synchronise with. The reference box config must be configured for fudge (local hardware clock). The other boxes on the lan must have their configuration files set so that they send requests to the reference box ip address or domain name (which is stated in the /etc/hosts file).

basically all the servers are publicly available for for http service and a couple of others, but other than that the firewall to the external world doesnt let anything in or out. all the servers respond on their public ip addresses. all the servers internal firewalls (iptables) are not set to block anything at this time. i am 100% confident that there is no firewall issue.
my problem is i cant use external ntp servers because the firewall betweeen all the servers and the external world will not let ntp through, and i dont intend to let it. i just want to synchronize all the servers within my firewall so that the logs on the servers can be compared accurately, because its awkward when one has lost 20 minutes and im getting confused over what happened when.

i have a spare server which isnt doing a lot, so i installed the ntp server on it, and am trying to configure it to provide time which the other servers can use.

i think what i might need is that local hadware time configuration thing fudge that u mentioned.

thankyou

I just don't understand why you don't want to sync with time servers. If you are running commercial servers and allowing connections on port 80 why not add udp connections on port 123. I run http, email and a time server for uk.pool.ntp.org and have done so for a couple of years and never had a problem with port 123. If you are going to have security problems then they are likely on port 80 where crackers can get at the system via the tcp stack.

As regards your current problem - there is something more fundamentally wrong with your network comms than the config of the time server. The time server will provide some kind of time whether it is incorrect or not. Your problem seems to be that the other systems are unable to get responses to requests. This can be due to the following causes;

1. the time server is not running and therefore not responding;
2. your time server is not allowing incoming requests;
3. the requesting systems are not configured to request time from the correct server.

I am sure you have a network communication problem and without full details of how the network is configured and how the boxes communicate with each other it is difficult to help. To summarise what I have said before; If the boxes are on the same lan and inside a designated firewall which allows communications (all ports open) between the boxes then you should have no problems. If this is not the case and there are firewalls in place that exclude port 123 then the boxes will not be able to get responses to requests and the system will not work.

the only reason i am not using external ntp servers is because i am not allowed to open any ports in our external firewall. i cannot change any configuration settings on the external firewall at all.

internally, between the servers themselves there are no firewalls at all.

its like:

........... firewall
.............. |
............. hub -----------------------------------------
.............. | ......... | ......... | ............ |
........ ntp server .. server 1 .. server 2 ........ etc


(using . for spacing)

I have re-read your posts and the only thing I can see that might cause a problem was the broadcast address that you used in the ntp server config file. The broadcast address should end with 255. If you have no reference time server then read up the ntp documentation on using fudge. From the network setup you have in the diagram there is no reason why this should not work.

ok, changed the broadcast numbers to see if that helped, and didnt seem to.
i presume this fudge thing will stop it working at all unless its set right, is that so?

thanks

I've now tried this in the conf file on my ntp server:


i also tried setting both stratums to 1 and 10 aswell as 14, but each time i get a response of:


i can only presume from this that i am doing the fudge thing wrong. cos it still says stratum 16.

i shall continue to read about it, but if you spot a silly error, please let me know.

thanks

right

have updated my configuration file on my server like so:

still says its a stratum 16 server from the ntpdate - whatever it was command

thanks again

That is correct. Stratum relates to the time source. A primary time server eg an device like an atomic clock or radio frequency clock is a stratum 1. If your system was using a stratum 1 server as a time source it would register as a stratum 2. Since you are using your local (fudge) system clock it registers as a stratum 16 because the clock is not a reliable source. In my ntp server I have 7 different time servers listed as source servers and if one is unreachable it defines it as stratum 16.

To check your local server use the command;
ntpq -p

what im after tho is a way of tricking the clients into thinking the ntp server is a lower stratum, even though it still running of the more unreliable hardware clock. either that or forcing the clients to sync with it even though its at stratum 16

heres another example of what i'm trying to achieve.

say i have 3 computers,
all running different flavours of linux.

they are all connected via an ethernet connection to a hub

the hub is not connected to anything else

no computer has internet access.

but i want one of the computers to keep the time, and the other two to follow suit.

so if the time on that one computer is adjusted forward 10 minutes, the time on the other two servers automatically adjusts forward 10 minutes (doesnt have to be simultaneous tho - within 4 or 5 hours for example)

----------------------

now i assumed that the ntpd could be used to achieve this, maybe i was wrong, but thats the general idea of what im trying to achieve, without all the complicated bits which i dont need to worry about.

You cannot trick ntp. ntp rates the source based on certain parameters,such as offset, jitter etc. The ntp servers are not interested in how accurate the source time is. What ntp will do is calculate the drift of each system and then correct the system time for that drift and this can be as accurate as 1ms. Initially ntp sends requests every 64s then as ntp sets the drift it will stabilise at a request every 1024s. The clocks on all the systems should be within 100ms of each other if each is running ntp servers.

i think theres something im not getting here.

do all the computers need to be running an ntp server?

i thought i could run one ntp server and have all the rest being clients thereof