Jean-Francois Malouin wrote:
> After a few days of reading all sorts of doc (mainly
> http://ntp.isc.org/bin/view/Support/ConfiguringAutokey) I have
> convinced myself that I'm missing something crucial in my NTP
> sub-domain setup but I can't put the finger on it... I'll be quite
> happy to give further output/debug to anyone who can help and I
> apologize if this is too long but it has been a few very frustrating
> days...

I've had mixed results with Authenticated peers.

> a set of 3 trusted hosts running NTPV4 on Debian/Sarge and supposed to
> peer between each other as stratum 3 servers using GQ scheme as the
> Identity Scheme,

Is there any particular reason why you need to use Authentication
between your peers?

You could use the 'nopeer' restriction to restrict peering to just your
3 hosts. Then the peer Authentication issue would be moot.

| driftfile /path/to/your/drift.file
| crypto pw my_server_secret
| keysdir /etc/ntp
| # Allow only time service (localhost is unrestricted)
|
| restrict default nomodify nopeer noquery notrap
| restrict 127.0.0.1
| # remote time servers
|
| server one.time
| server two.time
| server three.time
|
| # peers w/ relaxed restrictions to allow peering
| server four.time
| peer ntp1.domain.org autokey
| restrict <ntp1_ip_addr>
| peer ntp2.domain.org autokey
| restrict <ntp2_ip_addr>
| peer ntp3.domain.org autokey
| restrict <ntp3_ip_addr>
|
| broadcast xxx.yyy.zzz.255 autokey
| broadcast 224.0.1.1 autokey

> My problem: right now with only 2 servers and one client: the 'good'
> server reports DROP as the peer kiss code of the 'bad' server, the
> client refuses to associate with the 'bad' server and the 'bad' server
> sees the 'good' server as a stratum 3 server but reports 'flash=200
> bad_autokey' in the ntpq association output.

I've seen this sort of "Auth confusion" when attempting to bring up some
Authenticated/IFF peers.

Have you tried establishing an Authenticated/GQ unicast association between
two of your servers? That would allow you to see if your GQ parameters
work.

-- 
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
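
Added example, not part of the original post: a small checker that reads the `restrict` lines of a config shaped like the one quoted above and reports which source addresses fall under an entry carrying `nopeer`. It assumes IPv4 only and that the most specific entry (longest mask) decides; the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of the config quoted above; the three
# 192.0.2.x addresses stand in for <ntp1_ip_addr>..<ntp3_ip_addr>.
SAMPLE_CONF = """\
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1
peer ntp1.domain.org autokey
restrict 192.0.2.11
peer ntp2.domain.org autokey
restrict 192.0.2.12
peer ntp3.domain.org autokey
restrict 192.0.2.13
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every IPv4 'restrict' line."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        mask = "255.255.255.255"                  # a bare address is a host entry
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def effective_flags(entries, source):
    """Flags of the most specific entry matching source (assumed: longest mask wins)."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    if not hits:
        return frozenset()
    return max(hits, key=lambda h: h[0])[1]

def may_peer(entries, source):
    """True when the entry matching source does not carry 'nopeer'."""
    return "nopeer" not in effective_flags(entries, source)

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src in ("192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.99", "127.0.0.1"):
        print(f"{src:<12} may_peer={may_peer(rules, src)} flags={sorted(effective_flags(rules, src))}")
```

Run against a real config, any address that prints `may_peer=True` other than the intended peers and localhost points at a `restrict` line that is wider than planned.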
