LinuxQuestions.org
Old 07-03-2007, 06:24 PM   #1
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Rep: Reputation: 15
Setting up an NTP server on Ubuntu Feisty


I feel the need to set up an NTP server in my office, so that all the workstations and servers will display the same time.
I'm not able to connect to any external NTP servers as my firewall is locked down very tight, and I therefore cannot open the required ports.
I have a Sun Ultra 60 workstation with a basic installation of Ubuntu Feisty on it. Currently it's also running BIND for name serving to the local network, although this is not yet configured.

I thought I had it right, but it doesn't seem to work.

The ntp.conf file from /etc reads:
(my two local IP ranges, where the workstations reside, are xxx.xxx.88.0 and xxx.xxx.128.0)

Quote:
# /etc/ntp.conf, configuration for ntpd

driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).

server localhost


# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify

# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
restrict xxx.xxx.88.0 mask 255.255.255.0
restrict xxx.xxx.128.0 mask 255.255.255.0

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient
All that happens when I run

ntpdate ultra60.exampledomain.com

on one of the other computers on the network is that I get told no servers could be used.

Now I know it resolves correctly, because I can ping the server from the other computers, but I have never managed a functioning NTP setup before, so I don't know what could be wrong with it.

thanks for any help

m

Last edited by coal-fire-ice; 07-03-2007 at 06:28 PM.
 
Old 07-03-2007, 06:35 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 272
Try uncommenting the line allowing broadcast and change it to match your subnet.
Code:
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.123.255
 
Old 07-03-2007, 06:42 PM   #3
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
Just tried that, no joy.
The exact response I get from the other server is:
Quote:
4 Jul 00:37:00 ntpdate[10543]: no server suitable for synchronization found
That happens when I put in ntpdate ultra60.exampledomain.com.

When I put in just ntpdate (with the server configured in the local /etc/ntp.conf) it tells me:

Quote:
4 Jul 00:36:52 ntpdate[10535]: no servers can be used, exiting
 
Old 07-05-2007, 03:07 AM   #4
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Time servers conventionally use port 123 and if this is closed on your firewall it will drop requests. You need to open the port to allow requests.
 
Old 07-05-2007, 03:41 AM   #5
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
As I mentioned at the start of the thread, I cannot open any other firewall ports.
This is why I am trying to set up an NTP server within the firewall, so all the servers inside the firewall will have a synchronized time source, even if that can't be synchronized with the outside world. It just means they would all be synced with each other.
 
Old 07-05-2007, 04:28 AM   #6
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Quote:
Originally Posted by coal-fire-ice
As I mentioned at the start of the thread, I cannot open any other firewall ports.
This is why I am trying to set up an NTP server within the firewall, so all the servers inside the firewall will have a synchronized time source, even if that can't be synchronized with the outside world. It just means they would all be synced with each other.
If the boxes exist within the firewall then the firewall is irrelevant. This means that you have not configured the broadcast section of ntp correctly.

I think you need to give more detail about your network configuration relative to the box that is acting as the time server.
 
Old 07-05-2007, 05:09 AM   #7
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
Right, in that case:

The box to be acting as NTP server is an oldish Sun Ultra 60 with nothing much else to do.

It has Ubuntu 7.04 installed on it.

It is configured without any firewall enabled (to the best of my knowledge; as in, I didn't configure anything, so whatever is default).

The ntp.conf is:

Code:
 
# /etc/ntp.conf, configuration for ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server localhost

# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
restrict 200.38.88.0  mask  255.255.255.0
restrict 100.176.128.0  mask  255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 200.38.88.0
broadcast 100.176.128.0
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient
If I run pgrep ntpd

I get a process number, so I presume it's running.

I have done /etc/init.d/ntp restart every time I have made a change to the ntp.conf.

Although the network adapter only has an IP address in one of the IP ranges, I have ensured it has a route to the other range.

Let me know if there's any other information you may need.

Thanks for your help.

(BTW, the IP addresses aren't the actual ones being used, but similar examples.)
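An added check for the broadcast lines in the config above (example code written for this thread, not the poster's own): given the "restrict NET mask MASK" entries, it computes each subnet's directed broadcast address and reports any "broadcast" line that names the network address (host bits all zero) instead. The sample config is constructed to mirror the one posted; the ntp.conf keywords are the ones already used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): compute the directed broadcast address
# of each LAN listed in an ntp.conf "restrict NET mask MASK" line, and check
# that every "broadcast ADDR" line actually names that broadcast address
# rather than the subnet's network address.

# Dotted-quad IPv4 -> 32-bit integer (POSIX sh arithmetic)
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Directed broadcast of NETWORK/MASK: network bits kept, host bits all ones
broadcast_addr() {
    n=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( (n & m) | (4294967295 - m) ))
}

# Constructed sample modelled on the reference-server config in this thread:
# the broadcast lines carry the network address (host bits zero).
SAMPLE_CONF='server localhost
restrict default kod notrap nomodify nopeer noquery
restrict 127.0.0.1 nomodify
restrict 200.38.88.0  mask  255.255.255.0
restrict 100.176.128.0  mask  255.255.255.0
broadcast 200.38.88.0
broadcast 100.176.128.0'

# Read an ntp.conf on stdin. For each "broadcast ADDR" line, find the
# "restrict NET mask MASK" entry whose subnet contains ADDR and report
# whether ADDR is that subnet's broadcast address.
lint_broadcast() {
    conf=$(cat)
    printf '%s\n' "$conf" | while read -r kw addr rest; do
        [ "$kw" = broadcast ] || continue
        a=$(ip2int "$addr")
        match=$(printf '%s\n' "$conf" | while read -r k net m mask rest; do
            [ "$k" = restrict ] && [ "$m" = mask ] || continue
            n=$(ip2int "$net"); mm=$(ip2int "$mask")
            if [ $(( a & mm )) -eq $(( n & mm )) ]; then
                printf '%s %s\n' "$net" "$mask"
                break
            fi
        done)
        if [ -z "$match" ]; then
            echo "WARN broadcast $addr: no restrict entry covers this subnet"
            continue
        fi
        set -- $match
        want=$(broadcast_addr "$1" "$2")
        if [ "$addr" = "$want" ]; then
            echo "OK   broadcast $addr"
        elif [ "$addr" = "$1" ]; then
            echo "FIX  broadcast $addr is the network address of $1/$2; use broadcast $want"
        else
            echo "FIX  broadcast $addr is a host address in $1/$2; use broadcast $want"
        fi
    done
}

# Run it on the sample when executed directly
printf '%s\n' "$SAMPLE_CONF" | lint_broadcast
```

Run it as "sh lint.sh < /etc/ntp.conf" on the server; every "broadcast" line should come back OK before looking anywhere else.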
 
Old 07-05-2007, 07:31 AM   #8
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Check that boxes on the networks can ping the ntp box. In the ntp client configs of other boxes on the network(s), use the IP address of the ntp box. If you want to use the domain name then you would need to specify the host name and IP address of the ntp box in the hosts file of each box. It is probably easier to set up the main ntp box to query a source ntp server like uk.pool.ntp.org and then set up ntp servers on each box which would then send requests to your local ntp server. I do this with my own network. The whole thing becomes automated with no need for human intervention.
 
Old 07-05-2007, 08:47 AM   #9
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
All the boxes I want NTP to run on can ping through to the server, on both its IP and its FQDN.

I've configured one of them with its ntp.conf as below:

Quote:
# /etc/ntp.conf, configuration for ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server kingpin.mydomain.co.uk
server 200.38.88.253

# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
restrict 200.38.88.0 mask 255.255.255.0
restrict 100.176.128.0 mask 255.255.255.0
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
disable auth
broadcastclient
where the IP address of the NTP server is 200.38.88.253 and its FQDN is kingpin.mydomain.co.uk.

And unfortunately I can't specify an external NTP server in the configuration; NTP requests are not allowed past the office firewall. What I'm attempting to do is keep all the servers within the firewall synced.

I just added kingpin.mydomain.co.uk to the hosts file on the first machine I'm using to try and access the NTP server.
Just to confirm, the IP address of the machine I'm trying to access it from is 200.38.88.243.

Last edited by coal-fire-ice; 07-05-2007 at 08:50 AM.
 
Old 07-06-2007, 06:13 AM   #10
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
The IP address you have used (200.38.88.243) is a public domain address (registered in Mexico):
inetnum: 200.38.88/24
status: reassigned
owner: SIXSIGMA NETWORKS MEXICO SA DE CV
ownerid: MX-SNMS-LACNIC
address: PASEO DE LA REFORMA 5287
address: CIUDAD DE MEXICO, DF 05000
country: MX
owner-c: JM3007-ARIN
created: 20011113
changed: 20011113
inetnum-up: 200.38.64/19
inetnum-up: 200.38/15
source: ARIN-HISTORIC

Your systems would send requests to that address, the firewall should then drop them, and you would then not resolve the address. Your addresses should be restricted to those for private use:

Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

This kind of error can cause havoc. I used an arbitrary domain name on my son's system which happened to be registered and had endless problems till I found the cause.
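An added example, not from the thread: a small POSIX sh check that classifies every address given to a restrict, broadcast or server directive as loopback, RFC 1918 private (the three blocks listed above) or public, so a config that points ntpd at a public block the organisation does not actually hold is noticed before the daemon starts sending packets to it. The sample config is constructed in the style of the ones posted here.

```shell
#!/bin/sh
# Added example (not from the thread): classify the IPv4 addresses that an
# ntp.conf hands to restrict/broadcast/server lines as loopback, RFC 1918
# private, or public, so that a public block the organisation does not hold
# is caught before ntpd starts sending packets to it.

# Dotted-quad IPv4 -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 is four decimal octets, each 0-255 (so "default" is skipped)
is_dotted_quad() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Loopback, RFC 1918 private (10/8, 172.16/12, 192.168/16), or public
addr_class() {
    a=$(ip2int "$1")
    if   [ $(( a >> 24 )) -eq 127 ];   then echo loopback
    elif [ $(( a >> 24 )) -eq 10 ];    then echo private   # 10.0.0.0/8
    elif [ $(( a >> 20 )) -eq 2753 ];  then echo private   # 172.16.0.0/12: top 12 bits = 0xAC1
    elif [ $(( a >> 16 )) -eq 49320 ]; then echo private   # 192.168.0.0/16: top 16 bits = 0xC0A8
    else echo public
    fi
}

# Read an ntp.conf on stdin and print one line per public address found in a
# restrict, broadcast, or server directive.
flag_public_addrs() {
    while read -r kw addr rest; do
        case $kw in restrict|broadcast|server) ;; *) continue ;; esac
        is_dotted_quad "$addr" || continue
        if [ "$(addr_class "$addr")" = public ]; then
            echo "public: $kw $addr (outside RFC 1918; confirm this block is yours)"
        fi
    done
}

# Constructed sample in the style of the configs in this thread
SAMPLE_CONF='restrict default kod notrap nomodify nopeer noquery
restrict 127.0.0.1 nomodify
restrict 200.38.88.0 mask 255.255.255.0
broadcast 200.38.88.255
server 192.168.10.5'

printf '%s\n' "$SAMPLE_CONF" | flag_public_addrs
```

Run as "sh check.sh < /etc/ntp.conf"; an empty result means every address in the file is loopback or private, and anything listed should be a block your organisation is the registered holder of.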
 
Old 07-14-2007, 07:02 AM   #11
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
Sorry, I was out of the country for a week.

I can confirm that the IP addresses I am using are public IP addresses. However, the ones I am using are not the ones given in my post; I just used those because they are similar, and as an example so people would understand what I was after.
The company I work for actually does own all of the public IP addresses that I am using, and if you were to type the aforementioned IP addresses into an internet browser you would get our website.

Thanks
 
Old 07-14-2007, 07:19 AM   #12
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
If you are using public IP addresses (I am assuming that the server is firewalled) then you need to open and forward NTP requests on port 123, which is the standard protocol port. Within a private network this would not usually be required because firewalls would allow connections on most ports.
 
Old 07-14-2007, 03:50 PM   #13
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
Firewall should not be an issue. I do not wish to allow NTP outside of my firewall, only within. All the computers that are intended to have access to the NTP service are connected directly by a switch within the firewall. They all share the same IP address range and the same subnet masks.
 
Old 07-15-2007, 03:08 AM   #14
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Quote:
Originally Posted by coal-fire-ice
Firewall should not be an issue. I do not wish to allow NTP outside of my firewall, only within. All the computers that are intended to have access to the NTP service are connected directly by a switch within the firewall. They all share the same IP address range and the same subnet masks.
I am a bit confused why you are referencing public domain boxes in the config then.

If you are referencing boxes on the LAN using their local domain names then these must be specified in the relevant /etc/hosts files to be able to resolve. You shouldn't have any problems running ntp services within the LAN, provided that boxes within the LAN which are firewalled have statements in the iptables firewall allowing connections from boxes within the LAN, or have the relevant port open.

So you have a server providing time which you want all other boxes to synchronise with. The reference box config must be configured for fudge (local hardware clock). The other boxes on the lan must have their configuration files set so that they send requests to the reference box ip address or domain name (which is stated in the /etc/hosts file).
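An added example for the fudge (local clock) setup described above; this is code written for this thread, not TigerOC's or the poster's configuration, and the 200.38.88.x addresses are placeholders taken from the thread. It renders an ntp.conf for an isolated reference server that serves its own clock through the Undisciplined Local Clock driver (127.127.1.0) with a fudge stratum, renders a unicast client config, and audits either file for the settings that decide whether clients will accept the time and who may query or reconfigure the daemon. A reference server whose only source is "server localhost" is asking itself for time and never synchronises, which is what a client's ntpdate reports as "no server suitable for synchronization"; "disable auth" and "broadcastclient" are flagged for the reason the stock file's own comment gives (anyone on the segment can then announce time).

```shell
#!/bin/sh
# Added example (not from the thread): render an ntp.conf for an isolated LAN
# reference server (local clock driver + fudge stratum) and for its clients,
# and audit either file for the settings that matter.

# $1 = LAN network, $2 = netmask (placeholders; substitute your own)
render_reference_conf() {
    cat <<EOF
# /etc/ntp.conf for the LAN reference server (no upstream source reachable)
driftfile /var/lib/ntp/ntp.drift
# Serve the local system clock; stratum 10 tells clients it is a last resort
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Nobody may reconfigure, trap or query daemon state by default
restrict default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
# LAN clients get time but still cannot reconfigure or query the daemon
restrict $1 mask $2 kod notrap nomodify nopeer noquery
EOF
}

# $1 = reference server address; unicast polling, no broadcast listening
render_client_conf() {
    cat <<EOF
# /etc/ntp.conf for a LAN client
driftfile /var/lib/ntp/ntp.drift
server $1 iburst
restrict default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
EOF
}

# Read an ntp.conf on stdin and print INFO/WARN findings, one per line.
audit_conf() {
    conf=$(cat)
    has() { printf '%s\n' "$conf" | grep -q "$1"; }
    if has '^server localhost' || has '^server 127\.0\.0\.1'; then
        echo "WARN 'server localhost' asks ntpd for time from itself; it never synchronises and clients reject it, use 127.127.1.0 plus fudge"
    fi
    if has '^server 127\.127\.1\.0'; then
        if has '^fudge 127\.127\.1\.0 stratum'; then
            echo "INFO free-running local clock with an explicit fudge stratum"
        else
            echo "WARN local clock driver without a fudge stratum line"
        fi
    fi
    has '^restrict default .*nomodify' || echo "WARN restrict default lacks nomodify: remote reconfiguration allowed"
    has '^restrict default .*noquery'  || echo "WARN restrict default lacks noquery: anyone can read daemon state"
    if has '^disable auth'; then
        echo "WARN disable auth: unconfigured, unauthenticated sources (e.g. broadcasts) are accepted"
    fi
    if has '^broadcastclient'; then
        echo "WARN broadcastclient: any host on the segment can announce time to this box"
    fi
    return 0
}

# On the real hosts only (not executed here): after /etc/init.d/ntp restart,
# 'ntpq -p' on the server should show '*LOCAL(0)' once the local clock has
# been selected (allow several poll intervals), and a client can check with a
# query-only ntpdate before pointing its own ntpd at the server.
verify_sync() {
    ntpq -p
    ntpdate -q "$1"
}

# Constructed client config modelled on the one posted in this thread
THREAD_CLIENT_CONF='server kingpin.mydomain.co.uk
server 200.38.88.253
restrict default kod notrap nomodify nopeer noquery
restrict 127.0.0.1 nomodify
disable auth
broadcastclient'

render_reference_conf 200.38.88.0 255.255.255.0 | audit_conf
printf '%s\n' "$THREAD_CLIENT_CONF" | audit_conf
```

Write the rendered files to /etc/ntp.conf on the respective boxes, restart ntp, and give the reference server a few minutes before judging it: the local clock is only selected after several polls, and until then clients will still see it as unsynchronised.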
 
Old 07-15-2007, 03:47 AM   #15
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
Basically all the servers are publicly available for HTTP service and a couple of others, but other than that the firewall to the external world doesn't let anything in or out. All the servers respond on their public IP addresses. All the servers' internal firewalls (iptables) are not set to block anything at this time. I am 100% confident that there is no firewall issue.
My problem is I can't use external NTP servers because the firewall between all the servers and the external world will not let NTP through, and I don't intend to let it. I just want to synchronize all the servers within my firewall so that the logs on the servers can be compared accurately, because it's awkward when one has lost 20 minutes and I'm getting confused over what happened when.

I have a spare server which isn't doing a lot, so I installed the NTP server on it, and am trying to configure it to provide time which the other servers can use.

I think what I might need is that local hardware time configuration thing, fudge, that you mentioned.

Thank you
 
  

