Arty wrote:
> Steve Kostecke wrote:
>> On 2006-12-14, Arty <[EMAIL PROTECTED]> wrote:
>>
>>> Why can't I set my time???
>>>
>>> server ntp.conf-------------
>>> server time.nist.gov prefer
>>> server pool.ntp.org
>>> server clock.isc.org
>>>
>>> driftfile /var/db/ntp.drift
>>> restrict default ignore
>>
>> You've told ntpd to ignore all NTP packets from all addresses. Then you
>> neglected to tell ntpd that it is OK to accept NTP packets from your
>> time servers.
>>
>> You may want to review the Restrictions HOWTO at
>> http://ntp.isc.org/Support/AccessRestrictions.
>>
>> BTW: You're not going to be able to use 'restrict default ignore'
>> with a host name, such as pool.ntp.org, which resolves to multiple IP
>> addresses.
>>
>> Here's what your ntp.conf could look like:
>>
>> | # server ntp.conf
>> | driftfile /var/db/ntp.drift
>> |
>> | # Allow only time service by default
>> | restrict default noquery nomodify notrap nopeer
>> | restrict 127.0.0.1 nomodify
>> |
>> | # Remote time servers
>> | server time.nist.gov iburst
>> | server pool.ntp.org iburst
>> | server clock.isc.org iburst
>> |
>> | # Authorized clients
>> | # They are allowed time service and may query ntpd
>> | restrict 192.168.1.0 mask 255.255.255.0 notrap nopeer nomodify
>>
>> A couple of notes (that have no bearing on your current synchronization
>> problem):
>>
>> 1. You ought to use pool servers from your geographical area;
>> pool.ntp.org can resolve to any one of a large number of time servers
>> world wide. See http://ntp.isc.org/pool or http://www.pool.ntp.org for
>> more information.
>>
>> 2. According to the Rules of Engagement (http://ntp.isc.org/rules) you
>> should not be directly using Stratum-1 time servers unless you meet
>> certain criteria (such as serving time to a large number of clients). You
>> really ought to choose from the Public Stratum-2 server list (at
>> http://www.ntp.org/s2 or http://ntp.isc.org/s2) or just use the pool.
>>
>> 3. Using only 3 remote time servers doesn't leave you with any back up
>> if one of them "goes bad". You ought to consider using 4 or 5 remote
>> time servers.
>>
>>> # client ntp.conf-----------------------
>>> server 192.168.1.1 prefer
>>
>> Using 'prefer' here is of no benefit.
>>
>>> driftfile /var/db/ntp.drift
>
> Thank you all (especially kostecke and rgilbert)!!!!
> It was a combo of things.
> 1. My config wasn't right. I misunderstood the use of restrict.
> Actually I'm still a bit confused.
>
> It seems as ntp makes a request to a time server, to have the time
> server set my time. (as opposed to me requesting the time, and I'll set
> it myself).
> To sync my time, I have to set my restrict options to allow a remote ip
> to set my time?
> I'm still working on my ntp.conf files. What is the absolute minimum
> access needed to sync my time?
>
> Here is what I want to do.
> On my ntp server:
> 1. sync my time from a public server
> 2. allow a subnet on my lan to sync from this server.
> 3. allow another subnet on my lan to make sure I'm still in sync.
> 4. deny everything else from everyone.
>
> On my hosts:
> 1. sync my time from ntp server.
> 2. allow a subnet on my vlan to check to make sure I'm in sync.
> 3. deny everything else from everyone
>
> As far as monitoring goes, I think I can just check to make sure my
> stratum is not < 16 right ?
>
> to find my own stratum: ntpdc -c sysinfo |grep stratum
> to find my ntp server's stratum: ntpdc -c "showpeer admin1-nj" | grep stratum
>
> Thanks again!

Also I see what you mean about using a pool with restrict all. I'm getting a
random server, but I would need to specify access to specific servers.

I was going to put:

server north-america.pool.ntp.org iburst
server clock.isc.org iburst
server time.nist.gov iburst
server ntp0.cornell.edu iburst
server sundial.columbia.edu iburst

but I need to pick individual ones like this instead (if I want to restrict
default ignore):

server clock.isc.org iburst
server time.nist.gov iburst
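
Added example, not written by anyone in this thread: a Python helper for the point made in the last message, that under `restrict default ignore` each time server needs its own `restrict` line by IP address, so a name that resolves to several addresses has to be replaced by individually chosen servers. The function names are hypothetical and the sample addresses are constructed from the documentation ranges, not real DNS answers.

```python
import socket

# Same flags as the "restrict default" line in the quoted reply above.
SERVER_FLAGS = "nomodify notrap nopeer noquery"

def dns_resolve(host):
    """Return the sorted set of IPv4 addresses a host name resolves to."""
    infos = socket.getaddrinfo(host, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def server_names(conf_text):
    """Yield the address argument of every 'server' line, skipping comments."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "server":
            yield fields[1]

def restrict_lines(conf_text, resolve=dns_resolve):
    """Return (lines, warnings) for use with 'restrict default ignore'.

    A name with several addresses gets a warning, not a restrict line:
    the address ntpd ends up using may differ from the one seen here.
    """
    lines, warnings = [], []
    for name in server_names(conf_text):
        addrs = resolve(name)
        if len(addrs) == 1:
            lines.append(f"restrict {addrs[0]} {SERVER_FLAGS}")
        else:
            warnings.append(f"{name}: {len(addrs)} addresses, pick one server explicitly")
    return lines, warnings

# Constructed sample: server names from the message, with made-up
# documentation-range addresses standing in for real DNS answers.
SAMPLE_CONF = """\
restrict default ignore
server north-america.pool.ntp.org iburst
server clock.isc.org iburst   # single host
server time.nist.gov iburst
"""
SAMPLE_DNS = {
    "north-america.pool.ntp.org": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "clock.isc.org": ["198.51.100.5"],
    "time.nist.gov": ["203.0.113.7"],
}

if __name__ == "__main__":
    lines, warnings = restrict_lines(SAMPLE_CONF, SAMPLE_DNS.__getitem__)
    print("\n".join(lines + ["# " + w for w in warnings]))
```

Calling `restrict_lines(conf_text)` without the second argument uses live DNS through `dns_resolve`.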
