Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
i feel the need to setup an ntp server in my office, so that all the workstations and servers will display the same time.
im not able to connect to any external ntp servers as my firewall is locked down very tight & i therefore cannot open the required ports.
i have a sun ultra60 workstation, with a basic installation of ubuntu fiesty on it. currently its also running bind for name serving to the local network, although this is not yet configured.
i thought i had it right, but it doesnt seem to work.
the ntp.conf file from /etc reads:
(where my two local ip ranges where workstations reside are: xxx.xxx.88.0 & xxx.xxx.128.0)
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server localhost
# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
restrict xxx.xxx.88.0 mask 255.255.255.0
restrict xxx.xxx.128.0 mask 255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient
all that happens when i run
ntpdate ultra60.exampledomain.com
on one of the other computers on the network is i get told no servers could be used.
now i know it resolves correctly, because i can ping the server from the other computers, but i have never managed a functioning ntp setup before so i dont know what could be wrong with it.
thanks for any help
m
Last edited by coal-fire-ice; 07-03-2007 at 06:28 PM.
as i mentioned at the start of the thread, i cannot open any other firewall ports.
this is why i am trying setup a ntp server within the firewall, so all the servers inside the firewall will have a synchronized time source, even if that cant be synchronized with the outside world. it just means they would all be synced with others.
as i mentioned at the start of the thread, i cannot open any other firewall ports.
this is why i am trying setup a ntp server within the firewall, so all the servers inside the firewall will have a synchronized time source, even if that cant be synchronized with the outside world. it just means they would all be synced with others.
If the boxes exist within the firewall then the firewall is irrelevant. This means that you have not configured the broadcast section of ntp correctly.
I think you need to give more detail about your network configuration relative to the box that is acting as the time server.
the box to be acting as ntp server is an oldish sun ultra60 with nothing much else to do.
it has ubuntu 7.04 installed on it
it is configured (to the best of my knowledge - as in i didnt configure anything, so whatever is default) without any firewall enabled
the ntp.conf is:
Code:
/etc/ntp.conf, configuration for ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server localhost
# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
restrict 200.38.88.0 mask 255.255.255.0
restrict 100.176.128.0 mask 255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 200.38.88.0
broadcast 100.176.128.0
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient
if i run pgrep ntpd
i get a process number, so i presume its running,
i have done /etc/init.d/ntp restart every time i have made a change to the ntp.conf
although the network adapter only has an ip address in one of the ip ranges, i have ensured it has a route to the other range.
if theres any other information you may need.
thanks for your help
(btw the ip addresses arent the actual ones being used but similar examples)
Check that boxes on the networks can ping the ntp box. In the ntp client configs of other boxes on the network(s) use the ip address of the ntp box. If you want to use the domain name then you would need to specify the host name and ip address of the ntp box in the hosts file of each box. It is probably easier to setup the main ntp box to query a source ntp server like uk.pool.ntp.org and then setup ntp servers on each box which would then send requests to your local ntp server. I do this with my own network. The whole thing becomes automated with no need of human intervention.
all the boxes i want ntp to run on can ping thru to the server, on both its ip and its fqdn.
ive configured one of them with its ntp.conf as below:
Quote:
/etc/ntp.conf, configuration for ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server kingpin.mydomain.co.uk
server 200.38.88.253
# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
restrict 200.38.88.0 mask 255.255.255.0
restrict 100.176.128.0 mask 255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
disable auth
broadcastclient
where the ip address of the server ntp server is 200.38.88.253 and its fqdn is kingpin.mydomain.co.uk
and unfortunately i can't specifiy an external ntp server in the configuration, ntp requests are not allowed past the office firewall. what im attempting to do is keep all the servers within the firewall sync'd
i just added kingpin.mydomain.co.uk to the hosts on the first machine im using to try and access the ntp server.
just to confirm the ip address of the machine im trying to access it from is 200.38.88.243
Last edited by coal-fire-ice; 07-05-2007 at 08:50 AM.
The ip address you have used ( 200.38.88.243) is a public domain address (registered in Mexico);
inetnum: 200.38.88/24
status: reassigned
owner: SIXSIGMA NETWORKS MEXICO SA DE CV
ownerid: MX-SNMS-LACNIC
address: PASEO DE LA REFORMA 5287
address: CIUDAD DE MEXICO, DF 05000
country: MX
owner-c: JM3007-ARIN
created: 20011113
changed: 20011113
inetnum-up: 200.38.64/19
inetnum-up: 200.38/15
source: ARIN-HISTORIC
Your systems would send requests to that address and the firewall should then drop them and you would then not resolve the address. Your addresses should be restricted to those for privates use;
Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:
This kind of error can cause havoc. I used an arbitrary domain name on my son's system which happened to be registered and had endless problems till I found the cause.
i can confirm that the ip addresses i am using are public ip addresses. however the ones i am using are not the ones given in my post, i just used those ones because they are similar and as an example so people would understand what i was after.
the company i work for actually does own all of the public ip addresses that i am using, and if you were to type in the aforementioned ip addresses on an interenter browser you would get our website.
If you are using public ip addresses (I am assuming that the server is firewalled) then you need open and forward ntp requests on port 123 which is the standard protocol port. Within a private network this would not usually be required because firewalls would allow connections on most ports.
Firewall should not be an issue. i do not wish to allow ntp outside of my firewall, only within. all the computers that are intended to have access to the ntp service are connected directly by a switch within the firewall. they all share the same ip address range and the same subnet masks.
Firewall should not be an issue. i do not wish to allow ntp outside of my firewall, only within. all the computers that are intended to have access to the ntp service are connected directly by a switch within the firewall. they all share the same ip address range and the same subnet masks.
I am a bit confused why you are referencing public domain boxes in the config then.
If you are referencing boxes on the lan using their local domain names then these must be specified in the relevant /etc/hosts files to be able to resolve. You shouldn't have any problems running ntp services within the lan providing boxes within the lan which are firewalled have statements in the iptables firewall allowing connections from boxes within the lan or have the relevant port open.
So you have a server providing time which you want all other boxes to synchronise with. The reference box config must be configured for fudge (local hardware clock). The other boxes on the lan must have their configuration files set so that they send requests to the reference box ip address or domain name (which is stated in the /etc/hosts file).
basically all the servers are publicly available for for http service and a couple of others, but other than that the firewall to the external world doesnt let anything in or out. all the servers respond on their public ip addresses. all the servers internal firewalls (iptables) are not set to block anything at this time. i am 100% confident that there is no firewall issue.
my problem is i cant use external ntp servers because the firewall betweeen all the servers and the external world will not let ntp through, and i dont intend to let it. i just want to synchronize all the servers within my firewall so that the logs on the servers can be compared accurately, because its awkward when one has lost 20 minutes and im getting confused over what happened when.
i have a spare server which isnt doing a lot, so i installed the ntp server on it, and am trying to configure it to provide time which the other servers can use.
i think what i might need is that local hadware time configuration thing fudge that u mentioned.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.