Hi guys,

I have 4 servers 2 domain controllers and 2 mail/proxy servers and a realy weird problem.

On the first servers eg: domainc01 and mailsrv01 my ntp works like a charm:

ntpq -p ->

root@mailsrv01:/etc# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
172.20.12.44 172.21.2.17 5 u 4 64 37 8.729 2805.14 0.352

root@domainc01:/etc# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
172.20.12.44 172.21.2.17 5 u 3 64 377 7.155 28.538 8.480
*LOCAL(0) .LOCL. 12 l 26 64 377 0.000 0.000 0.001

My ntp.conf files are identical, same network same configurations.

On the second servers ntpq -p says this:

root@mailsrv02:/etc# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
172.20.12.44 .INIT. 16 u - 64 0 0.000 0.000 0.000

Which is not good


tcpdump shows a weird thing:

14:39:29.111660 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
mailsrv02.zirc.tak.lan.ntp > 172.20.12.44.ntp: [bad udp cksum 0xd352 -> 0x6056!] NTPv4, length 48
Client, Leap indicator: clock unsynchronized (192), Stratum 0 (unspecified), poll 6s, precision -20
Root Delay: 0.000000, Root dispersion: 0.004821, Reference-ID: (unspec)
Reference Timestamp: 0.000000000
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3585472769.111639149 (2013/08/14 14:39:29)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3585472769.111639149 (2013/08/14 14:39:29)

Instead of getting time from 172.20.12.44 as "first servers:

14:40:43.255954 IP (tos 0x0, ttl 124, id 27761, offset 0, flags [none], proto UDP (17), length 76)
172.20.12.44.ntp > mailsrv01.zirc.tak.lan.ntp: [udp sum ok] NTPv3, length 48
Server, Leap indicator: (0), Stratum 5 (secondary reference), poll 6s, precision -6
Root Delay: 0.000000, Root dispersion: 10.113723, Reference-ID: 172.21.2.17
Reference Timestamp: 3585464371.040125001 (2013/08/14 12:19:31)
Originator Timestamp: 3585472843.246003597 (2013/08/14 14:40:43)
Receive Timestamp: 3585472846.071125000 (2013/08/14 14:40:46)
Transmit Timestamp: 3585472846.071125000 (2013/08/14 14:40:46)
Originator - Receive Timestamp: +2.825121402
Originator - Transmit Timestamp: +2.825121402


My ntp.conf:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

####SAMBA4 CONF###
ntpsigndsocket /opt/samba4/var/lib/ntp_signd/
restrict default mssntp
logfile /var/log/ntp.log


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 172.20.12.44 iburst prefer
#server 0.ubuntu.pool.ntp.org
#server 1.ubuntu.pool.ntp.org
#server 2.ubuntu.pool.ntp.org
#server 3.ubuntu.pool.ntp.org

# Use Ubuntu's ntp server as a fallback.
#server ntp.ubuntu.com
#server time.takinfo.hu
server 127.127.1.0
fudge 127.127.1.0 stratum 12

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.48.0.0 mask 255.255.0.0

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient


ntpdate 172.20.12.44 is working perfectly on the "first" servers but on the second ones it couldnt syncronize the clock, just with the -u option.

Any idea, help would be nice, this driving me crazy...

Actually, ntp is not working at all. Neither domainc01 or mailsrv01 are using 172.20.12.44 as a time source. Not enough information to know why at the moment.

Has this worked in the past? Are these physical or VMs?
What is 172.20.12.44 using as a time source?

I would guess that eventually domainc01 and mailsrv02 reach value would get to 377 and like mailsrv01 would default back to using fudge which is the local clock. When ntp is actually synched to a time server a * is displayed as the first character in the line. Also mailsrv02 thinks 172.20.12.44 is a stratum 16 and it will never use it as a time source.

The servers are running on XEN.

I dont know what is the time source for 172.20.12.44, unfortunately this is the only available time server in my network, we are not allowed to reach any time server outside of the network.
domainc01 and mailsrv01 looks like is working, I have synced times.

According to peerstats domainc01 and mailsrv01 are syncing. When I run ntpdate to check sync is working or not the time is correct.

==> /var/NTP/peerstats.20130815 <==
56519 23349.341 172.20.12.44 901d 1.967557333 0.060639724 0.021410110 0.005546521
56519 23382.261 127.127.1.0 963a 0.000000000 0.000000000 0.000926725 0.000000477
56519 23416.342 172.20.12.44 901d 1.966716182 0.062342150 0.021442023 0.006170599
56519 23446.261 127.127.1.0 963a 0.000000000 0.000000000 0.000926725 0.000000477
56519 23481.350 172.20.12.44 901d 1.965029039 0.065708470 0.021446060 0.007103783
56519 23510.261 127.127.1.0 963a 0.000000000 0.000000000 0.000926725 0.000000477
56519 23546.351 172.20.12.44 901d 1.964749139 0.066266466 0.021439082 0.010362697
56519 23574.261 127.127.1.0 963a 0.000000000 0.000000000 0.000926725 0.000000477
56519 23613.355 172.20.12.44 901d 1.974173293 0.078658817 0.021469884 0.007978858
56519 23638.261 127.127.1.0 963a 0.000000000 0.000000000 0.000926725 0.000000477

I have no idea why mailsrv02 and domainc02 thinks the source time server has stratum 16 these servers are using the same configuration as dc01 and mailsrv01.

Robert

Here is some good info.
http://www.brookstevens.org/2010/06/...t-and-ntp.html

Thanks I will try that solution too, meantime I got fed up with the problem which took too much time and wrote a simple "script" and pat into cron.hourly.


#!/bin/bash

service ntp stop && ntpdate -v -u 172.20.12.44 >> /var/log/ntp.log && service ntp start #> /dev/null