Re: [ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread David J Taylor
Richard B. Gilbert wrote:
[]
> For that matter, you could set up your own stratum one server!  All it
> takes is a GPS Timing Receiver and a PC running Solaris or Linux and
> NTPD.  Net investment is $100-$300 for the timing receiver, cable,
> connectors and a PC that might otherwise be acting as a door stop or a
> paper weight.  Yes, that three year old PC that just isn't good enough
> for your desktop any longer will make a fine Stratum 1 NTP server!

I would recommend FreeBSD if you want the best timekeeping performance. 
You can now also run a Windows PC as a stratum-1 server if performance 
within a millisecond is adequate.  I have some notes here:

  http://www.satsignal.eu/ntp/FreeBSD-GPS-PPS.htm
  http://www.satsignal.eu/mrtg/feenix_ntp_2.html
  http://www.satsignal.eu/ntp/NTP-on-Windows-serial-port.html

Cheers,
David 

___
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions


Re: [ntp:questions] Syncing to nearby vs. faraway servers

2009-06-15 Thread David J Taylor
Rich wrote:
[]
> Recently, in order to spread out my time base somewhat, I tried adding
> some outside servers (using the *.pool.ntp.org DNS names) to my NTP
> configurations.  Since doing this, I've noticed that the nearby
> (Stanford) servers are uniformly "off" by several milliseconds, in
> comparison to more distant servers.  Here, for example, is some output
> from the ntpq "peers" command (with host names turned off) on one of
> my servers:
[]
> I also see that the above machine is currently syncing to a server in
> Germany (delay = 171 msec) -- possibly because it's on stratum 1.  (I
> submitted a separate posting questioning whether stratum-1 servers
> should really be in the pools, but that's a separate issue.)
>
> Is this sort of behaviour to be expected?  Does this mean that the NTP
> algorithm ought to be giving more weight to servers with shorter
> delays?  Or, perhaps, does it suggest that there might be something
> wrong with the Stanford servers that is making them all cluster around
> a time that is several milliseconds different from the rest of the
> world?
>
> Rich Wales

Rich,

Is it possible that your connection to one lot of servers is 
asymmetrical - in the sense of having more delay outbound than inbound or 
vice-versa?  NTP cannot compensate for such asymmetry, and that could cause 
the apparent offsets you have seen.  You could also issue NTPQ commands 
against these remote servers.

I have also seen NTP make what appear to be unusual choices for sync 
servers, and reported it here.  As I now use my own stratum-1 servers and 
the "prefer" option, the problem has gone away.  I was never completely 
convinced about such behaviour.

Cheers,
David 



Re: [ntp:questions] Syncing to nearby vs. faraway servers

2009-06-15 Thread Rich Wales
Richard B. Gilbert wrote:

> The "Delay" values for some of the servers you have configured
> are large enough to suggest that they are poor choices!

Agreed.  Please note, though, that I didn't explicitly choose
these particular servers -- they came from pools.

This does suggest that even servers randomly picked from my own
country's pool (*.us.pool.ntp.org) might not be good choices.

When 4.2.6 comes out, will the "pool" command with the "preempt"
option do a better job of weeding out pool servers that are far
away, and thus possibly of doubtful reliability?

-- 
Rich Wales  /  ri...@richw.org  /  richwa...@gmail.com
Wikipedia:  http://en.wikipedia.org/wiki/User:Richwales
Facebook:   http://www.facebook.com/richwales



Re: [ntp:questions] ntpdate

2009-06-15 Thread Brad Knowles
on 6/15/09 8:52 PM, Danny Mayer quoted Scott Haneda:

>>>> I am only looking for the basics of keeping my system clock in sync on
>>>> OS X 10.5.  On OS X 10.5 the clock will drift badly on a machine that is
>>>> not logged in.  If you log in, it is less of a problem, but the date and
>>>> time parts of OS X do not check into the time servers nearly often
>>>> enough.  An idle machine is usually fine, but certain types of
>>>> applications can stall the OS, and in turn, stall the clock.  For a
>>>> server, this makes log files a royal pain to deal with timestamps.
>>> You should be running ntpd as a daemon. That will keep the clock in
>>> synch and you never have to touch it.
>> I will look at this.  It seems, OS X, in its GUI based controls, has a
>> "use network time server", but it is known, and documented in regards to
>> OS 10.4, to not be reliable. I am not sure the position on OS 10.5,
>> which I am using, though I suspect there are still issues, as when I
>> have that setting on, I still get major drift of time.
> 
> I don't know what OS X does, maybe Brad, our resident MAC expert, can
> tell us.

Well, I wrote the page that was originally at 
, 
but it seems that there have been a few updates by other authors since 
then.  It does seem that Mac OS X 10.5 should be somewhat more 
intelligent about ntpd, but still not as good as it should be.  I would 
still recommend replacing the ntpd binary with one that is built from 
our sources.

You'll still have problems with the Mac OS X GUI screwing up your 
ntpd.conf file every time you go into that panel, but so long as you 
stay away from that panel then you should be able to put whatever 
appropriate stuff you might want in your ntp.conf (make sure to save a 
copy off to the side, in case you do go back to that panel), and have a 
reasonable expectation that it should work properly.  Oh, and you'll 
have to make sure that Apple doesn't "upgrade" your binary for you on 
the next OS update.


That's basically what I've done on Mac OS X ever since I ran into these 
problems.

-- 
Brad Knowles 
LinkedIn Profile: 


Re: [ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread Steve Kostecke
On 2009-06-15, Rich  wrote:

> Since (as I understand) end-user clients should avoid dealing directly
> with stratum-1 servers, I assume this probably isn't as it should be.
> Is it, in fact, proper for a stratum-1 server to be registered as part
> of a pool?

Yes, if that's what the operator wants to do with their time server.

Of course, not all "stratum-1 time servers" are equal.

Some time servers will rely solely on their locally attached ref-clock,
while others will be configured with remote time servers in addition to
the ref-clock.

> Where -- if anywhere -- should I report a stratum-1 server
> found in a pool?

Please visit http://www.pool.ntp.org/ for NTP Pool contact information.

> Should I consider doing something in my ntp.conf so as to avoid
> bothering a server from a pool if it happens to be in stratum 1?

If a time server is a member of the NTP Pool you are not "bothering it"
by using it.

You should ensure that you are polling an adequate number of time
servers (i.e. no less than 4).

And you should refrain from hard-coding any Pool Server's IP address in
your ntp.conf.

If you are concerned about the servers you are acquiring from the Pool,
you may wish to consult the Public Stratum-2 Time Server List, at
http://support.ntp.org/s2, to select time servers in your geographic
area.

-- 
Steve Kostecke 
NTP Public Services Project - http://support.ntp.org/



Re: [ntp:questions] ntpdate

2009-06-15 Thread Danny Mayer
Scott Haneda wrote:
> Hi Danny, thanks for your comments...
> Replies below...
> 
> On Jun 14, 2009, at 9:00 PM, Danny Mayer wrote:
> 
>> Scott Haneda wrote:
>>> I am only looking for the basics of keeping my system clock in sync on
>>> OS X 10.5.  On OS X 10.5 the clock will drift badly on a machine that is
>>> not logged in.  If you log in, it is less of a problem, but the date and
>>> time parts of OS X do not check into the time servers nearly often
>>> enough.  An idle machine is usually fine, but certain types of
>>> applications can stall the OS, and in turn, stall the clock.  For a
>>> server, this makes log files a royal pain to deal with timestamps.
>>
>> You should be running ntpd as a daemon. That will keep the clock in
>> synch and you never have to touch it.
> 
> I will look at this.  It seems, OS X, in its GUI based controls, has a
> "use network time server", but it is known, and documented in regards to
> OS 10.4, to not be reliable. I am not sure the position on OS 10.5,
> which I am using, though I suspect there are still issues, as when I
> have that setting on, I still get major drift of time.

I don't know what OS X does, maybe Brad, our resident MAC expert, can
tell us.

> 
>>> I run, on a schedule, with launchd, which can be thought of as a cron
>>> like scheduler for OS X, once an hour, and also, when the machine
>>> boots.  Launchd can be told to run on load as well.  I sleep the script
>>> long enough for all interfaces to come up.
>>>
>>> Here is my command:
>>>   /usr/sbin/ntpdate -u
>>
>> Why are you bothering to do this when you can just run ntpd as a daemon
>> which will keep your clock perfectly synchronized.
> 
> I was just not aware that there was an alternate way, in part, why I was
> asking questions here.
> 
>>> This works fine, all the time, sans one exception.  If the machine has a
>>> kernel panic, or some form of more serious crash, it will come up with
>>> the date and time set to 1969, which I believe is Apple's epoch (
>>> December 31, 1969, at 4 pm PST )
>>>
>>> This happens on all OS X machines, I have only tested on 10.4 and 10.5,
>>> and only on PPC hardware, I do not have a way to get the date and time
>>> to fall into 1969 on an Intel machine.
>>
>> I don't know OS X but I cannot imagine why it would do that.
> 
> It appears when there is a kernel panic, the machine loses NVRAM, which
> is where the date and time settings are stored, backed up by an on-board
> battery.  When that setting is lost, the date defaults to the earliest
> date the OS supports.
> 
>>> When this happens, I can see in my syslog, that /usr/sbin/ntpdate -u is
>>> called, on the normal schedule, but the date and time is never synced.
>>
>> You need to have a network connection first and I suspect you don't at
>> that point, hence the problem. The network interfaces need to come up
>> first, and then you can query for the correct time.
> 
> The network is up, I know this much for certain.

Is it querying the DNS to look up the names of the servers, and is your
resolv.conf pointing to 127.0.0.1 or ::1? If so you cannot start this
until named finishes loading, as it will be unable to look up the names.

> 
>>> Syslog tells me, as a normal working result:
>>> Jun 10 00:40:48 moses com.domain.ntpdate[78719]: 10 Jun 00:40:48
>>> ntpdate[78741]: adjust time server 17.151.16.21 offset -0.070716 sec
>>>
>>> * That is actually the output of launchd to syslog, launchd just passes
>>> the output of a command into syslog.
>>>
>>> Here is a failure line, after I had a kernel panic.
>>> Dec 31 16:00:54 host-domain-com com.apple.launchd[1]
>>> (com.domain.ntpdate[50]): Exited with exit code: 1
>>
>> Where's the part of the log that shows when the network interfaces are
>> up and running?
> 
> Unfortunately, my logs have been rolled out.  This happens
> infrequently.  The next time it happens, I may be able to get a log
> snippet.  The trouble is, even that is hard to catch.  OS X's syslog
> will get stamps set to Dec 1969, the log rolling utility will see that,
> and roll it away.  I will look into how to disable the log rolling for a
> time.
> 
>>> What is exit code 1 of ntpdate?
>>
>> I don't know and it doesn't matter. ntpdate is deprecated. You should
>> use ntpd -gq instead if you just want to set the clock and ntpd -g if
>> you want to discipline it so that it never is off.
> 
> I was not aware of this, thank you.  I tried to use ntpd in the past,
> since there is more data that I was able to find about it. It would
> never adjust the time and date for me, so I abandoned it.  Turns out,
> even with debugging enabled to very high levels of verbosity, ntpd will
> still return nothing when run.
> 
> I finally happened to be watching the syslog when I ran it, and there it
> reports a message that I did not have privileges to be running it.
> su'ing to a higher-level user allowed me to get it to work.
> 
> ntpdate on the other hand, reports the privilege error to stdout, which
> is why I ended up using it.

Re: [ntp:questions] Syncing to nearby vs. faraway servers

2009-06-15 Thread Dave Hart
On Mon, Jun 15, 2009 at 11:35 PM, Richard B.
Gilbert wrote:
> The best choices, other things being equal, are the servers with the
> lowest round trip delays.

As usual, though, all other things are not equal.  Notice a number of
the nearby servers have higher apparent jitter in the peers billboard
snapshot.  Look at individual associations using "ntpq -cas -p" to
correlate peer to association ID then "ntpq -c 'rv ___'" filling in
the blank with the association ID.  Root dispersion plus dispersion
from that output gives an estimate of maximum error for you from that
source.

Jitter (variability in apparent offset) is a killer.  Low delay plus
high jitter is not better than high delay plus low jitter.

Cheers,
Dave Hart


Re: [ntp:questions] ntpdate

2009-06-15 Thread Danny Mayer
tglassey wrote:
> Danny Mayer wrote:
>> Scott Haneda wrote:
>>  
>>> On Jun 15, 2009, at 8:59 AM, Todd Glassey CISM CIFI wrote:
>>>
>>>
>>>>> You should be running ntpd as a daemon. That will keep the clock in
>>>>> synch and you never have to touch it.
>>>>>
>>>> Which creates an audit issue and security profile which always needs
>>>> to be watched. NTPD is not the answer for everyone Danny.
>>>>
>>> Can you elaborate on this?  I see that ntpdate and ntpd can both be made
>>> to do the same thing in my case, which is a non daemonized single
>>> instance setting of time.
>>>
>>> If I do not plan on making a daemon, and just running it once an hour on
>>> schedule, as well as in a reboot of the machine after the interfaces are
>>> up, what would my concerns be?
>>>
>>> If I do decide to run ntpd as a daemon, what audit/security issues
>>> should I be looking into?
>>>
>>> Thank you Todd.
>>> 
>>
>> He's just blowing fud.
>>
>> Danny
>>   
> No Danny I was speaking from an audit perspective. No FUD here - just
> reality.

There are no audit requirements here. That's the reality.

Danny



Re: [ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread Dave Hart
On Mon, Jun 15, 2009 at 11:26 PM, Richard B.
Gilbert wrote:
> I wouldn't worry excessively about it!  If there is a stratum one server
> in the pool, it's there because the owner wanted it there.
>
> What you should NOT do, is configure several of your machines to use it!
> If you have ONE server querying that stratum 1 box, that server is a
> stratum two server and can serve time to your local network.

Using the pool on several machines is fine.  What the pool folks do
ask is that you don't find servers using the pool, then hardcode their
name or IP address in your configuration.  That is so people can leave
the pool and not have the IP/name continue to get (at that point)
unwanted NTP queries.

> For that matter, you could set up your own stratum one server!  All it
> takes is a GPS Timing Receiver and a PC running Solaris or Linux and
> NTPD.  Net investment is $100-$300 for the timing receiver, cable,
[...]

I don't think you can find a timing-specialized GPS receiver for that
price.  You can get a location-oriented GPS receiver with PPS, namely
the Garmin GPS 18x LVC, in that price range.  I spent $100 for mine
modified by someone more competent with a soldering iron to have a
PC-compatible DB-9 serial connector and a USB cable for power.  The
receiver itself can be had for under $60 in the US, but then you have
to supply the DB-9 hood, USB cable (or other 5V supply), and time to
wire it up.

Cheers,
Dave Hart

Re: [ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread E-Mail Sent to this address will be added to the BlackLists
Rich wrote:
> Should I consider doing something in my ntp.conf so
>  as to avoid bothering a server from a pool if it
>  happens to be in stratum 1?

tos floor 2 ?

Not likely necessary; if the server owner is the one who included their
stratum-1 server in the pool, they would expect those using the pool to
sometimes get their server's IP, and use it.

-- 
E-Mail Sent to this address 
  will be added to the BlackLists.



Re: [ntp:questions] Syncing to nearby vs. faraway servers

2009-06-15 Thread Richard B. Gilbert
Rich wrote:
> I'm running ntpd 4.2.4p4 on several Ubuntu 9.04 ("Jaunty") servers.
> I'm associated with Stanford University and have been depending
> primarily on Stanford's own pool of stratum-2 servers.
> 
> Recently, in order to spread out my time base somewhat, I tried adding
> some outside servers (using the *.pool.ntp.org DNS names) to my NTP
> configurations.  Since doing this, I've noticed that the nearby
> (Stanford) servers are uniformly "off" by several milliseconds, in
> comparison to more distant servers.  Here, for example, is some output
> from the ntpq "peers" command (with host names turned off) on one of
> my servers:
> 
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  10.0.229.29     10.0.229.53      3 u   25   64  376    0.109   -3.955   0.130
> -10.0.229.114    171.64.7.89      3 u  103  256  377    6.058   -5.277   3.545
> -10.0.229.117    209.167.68.100   3 u   78  256  377   22.338   -8.460   5.624
> +171.64.7.61     171.64.7.87      2 u  392 1024  377    5.614   -5.418   0.923
> +171.64.7.55     171.64.7.87      2 u  393 1024  377    4.998   -5.405   0.977
> -171.64.7.111    171.64.7.87      2 u  394 1024  377    5.598   -5.499   1.000
> -207.150.167.80  209.51.161.238   2 u  387 1024  377   79.606    6.888   1.485
> -72.36.170.170   132.163.4.102    2 u  368 1024  377   51.702    6.867   0.297
> -66.254.57.165   18.26.4.105      2 u  386 1024  377   95.627    3.567   1.373
> *131.234.137.24  .DCF.            1 u  449 1024  377  171.784    0.923   0.978
> -89.16.178.36    195.66.241.3     2 u  442 1024  377  157.082    1.874   0.443
> 
> (The 10.0.229.* servers are on my home LAN; the 171.64.7.* servers are
> at Stanford; and the others are from various places around the world
> and have much larger delays than the nearby servers.)
> 
> I also see that the above machine is currently syncing to a server in
> Germany (delay = 171 msec) -- possibly because it's on stratum 1.  (I
> submitted a separate posting questioning whether stratum-1 servers
> should really be in the pools, but that's a separate issue.)
> 
> Is this sort of behaviour to be expected?  Does this mean that the NTP
> algorithm ought to be giving more weight to servers with shorter
> delays?  Or, perhaps, does it suggest that there might be something
> wrong with the Stanford servers that is making them all cluster around
> a time that is several milliseconds different from the rest of the
> world?
> 
> Rich Wales
> ri...@richw.org, richwa...@gmail.com

The "Delay" values for some of the servers you have configured are large 
enough to suggest that they are poor choices!  The potential error in 
getting time from a distant server is limited to one half of the round 
trip delay.  It may and should be a lot better than that but it can't be 
worse.

The best choices, other things being equal, are the servers with the 
lowest round trip delays.

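The two rules of thumb discussed in this thread, Richard Gilbert's bound that the offset error from a server cannot exceed half its round-trip delay and Dave Hart's warning that low delay plus high jitter is no better than high delay plus low jitter, can be applied mechanically to an ntpq -p billboard. The script below is an added example for this thread, not ntpd or ntpq code: it parses Rich's billboard (copied inline, columns restored), computes the per-peer delay/2 bound, ranks peers by bound plus jitter (a heuristic chosen for this example), checks Steve Kostecke's minimum of four reachable servers, and averages the offsets of the Stanford group to show the cluster Rich asked about.

```python
import re
from dataclasses import dataclass

# Peer billboard from Rich's post in this thread (column layout restored).
BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.229.29     10.0.229.53      3 u   25   64  376    0.109   -3.955   0.130
-10.0.229.114    171.64.7.89      3 u  103  256  377    6.058   -5.277   3.545
-10.0.229.117    209.167.68.100   3 u   78  256  377   22.338   -8.460   5.624
+171.64.7.61     171.64.7.87      2 u  392 1024  377    5.614   -5.418   0.923
+171.64.7.55     171.64.7.87      2 u  393 1024  377    4.998   -5.405   0.977
-171.64.7.111    171.64.7.87      2 u  394 1024  377    5.598   -5.499   1.000
-207.150.167.80  209.51.161.238   2 u  387 1024  377   79.606    6.888   1.485
-72.36.170.170   132.163.4.102    2 u  368 1024  377   51.702    6.867   0.297
-66.254.57.165   18.26.4.105      2 u  386 1024  377   95.627    3.567   1.373
*131.234.137.24  .DCF.            1 u  449 1024  377  171.784    0.923   0.978
-89.16.178.36    195.66.241.3     2 u  442 1024  377  157.082    1.874   0.443
"""

# One billboard row. Column 1 is the tally code (' ' rejected, 'x' falseticker,
# '.' excess, '-' outlier, '+' candidate, '#' backup, '*' sys.peer, 'o' pps.peer).
ROW_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+(?P<jitter>\d+\.\d+)\s*$"
)


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int      # 8-bit shift register of recent polls, newest in the low bit
    delay: float    # round-trip delay, ms
    offset: float   # ms
    jitter: float   # ms

    @property
    def reachable_polls(self) -> int:
        """How many of the last eight polls got a reply (376 octal = 7 of 8)."""
        return bin(self.reach).count("1")

    @property
    def error_bound(self) -> float:
        """Worst-case offset error from path asymmetry: half the round trip."""
        return self.delay / 2.0

    @property
    def score(self) -> float:
        """Ranking heuristic used in this example: bound plus jitter, so a
        nearby but noisy peer does not automatically beat a distant stable one."""
        return self.error_bound + self.jitter


def parse_billboard(text: str) -> list:
    """Parse every peer row of an ntpq -p billboard; header lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            peers.append(Peer(m["tally"], m["remote"], m["refid"], int(m["st"]),
                              int(m["reach"], 8), float(m["delay"]),
                              float(m["offset"]), float(m["jitter"])))
    return peers


def sys_peer(peers):
    """The peer ntpd actually synchronised to (tally '*' or 'o'), or None."""
    return next((p for p in peers if p.tally in "*o"), None)


def rank(peers):
    """Usable peers, best score first; falsetickers and unreachable peers dropped."""
    usable = [p for p in peers if p.tally != "x" and p.reach != 0]
    return sorted(usable, key=lambda p: p.score)


def enough_servers(peers, minimum=4):
    """Count reachable servers against the thread's advice of no fewer than 4."""
    n = sum(1 for p in peers if p.reach != 0)
    return n, n >= minimum


def mean_offset(peers, prefix):
    """Mean offset of peers whose address starts with prefix; a group sitting
    several ms from the rest hints at a shared asymmetric path or upstream."""
    group = [p.offset for p in peers if p.remote.startswith(prefix)]
    return sum(group) / len(group)


if __name__ == "__main__":
    peers = parse_billboard(BILLBOARD)
    n, ok = enough_servers(peers)
    print(f"{n} reachable servers ({'ok' if ok else 'too few'})")
    chosen = sys_peer(peers)
    print(f"sys.peer {chosen.remote}: error bound {chosen.error_bound:.3f} ms")
    for p in rank(peers):
        print(f"{p.remote:16} st{p.stratum} reach {p.reachable_polls}/8 "
              f"bound {p.error_bound:8.3f} jitter {p.jitter:6.3f} score {p.score:8.3f}")
    print(f"Stanford group mean offset: {mean_offset(peers, '171.64.7.'):.3f} ms")
```

Run against Rich's data, the selected sys.peer (the German stratum-1) carries the largest error bound of all eleven peers, which is exactly the puzzle the thread is about.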


Re: [ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread Richard B. Gilbert
Rich wrote:
> I'm using ntpd 4.2.4p4 on several Ubuntu 9.04 ("Jaunty") servers.
> 
> Recently, I've been reconfiguring some of my servers to use the "pool"
> DNS names (e.g., "server 0.us.pool.ntp.org").  I've noticed that I
> sometimes end up associating with a stratum-1 server from a pool.  As
> an experiment, I specified 0.de.pool.ntp.org (the German pool), and
> one of my servers is currently syncing to zit-net2.uni-paderborn.de (a
> stratum-1 server currently syncing to a DCF77 clock).  I've seen this
> a couple of times with the US pool as well -- though I'm afraid it
> didn't occur to me at the time to write down the stratum-1 servers
> involved.
> 
> Since (as I understand) end-user clients should avoid dealing directly
> with stratum-1 servers, I assume this probably isn't as it should be.
> Is it, in fact, proper for a stratum-1 server to be registered as part
> of a pool?  Where -- if anywhere -- should I report a stratum-1 server
> found in a pool?  Should I consider doing something in my ntp.conf so
> as to avoid bothering a server from a pool if it happens to be in
> stratum 1?
> 
> Rich Wales
> ri...@richw.org, richwa...@gmail.com

I wouldn't worry excessively about it!  If there is a stratum one server 
in the pool, it's there because the owner wanted it there.

What you should NOT do, is configure several of your machines to use it!
If you have ONE server querying that stratum 1 box, that server is a 
stratum two server and can serve time to your local network.

For that matter, you could set up your own stratum one server!  All it 
takes is a GPS Timing Receiver and a PC running Solaris or Linux and 
NTPD.  Net investment is $100-$300 for the timing receiver, cable, 
connectors and a PC that might otherwise be acting as a door stop or a 
paper weight.  Yes, that three year old PC that just isn't good enough 
for your desktop any longer will make a fine Stratum 1 NTP server!



[ntp:questions] Syncing to nearby vs. faraway servers

2009-06-15 Thread Rich
I'm running ntpd 4.2.4p4 on several Ubuntu 9.04 ("Jaunty") servers.
I'm associated with Stanford University and have been depending
primarily on Stanford's own pool of stratum-2 servers.

Recently, in order to spread out my time base somewhat, I tried adding
some outside servers (using the *.pool.ntp.org DNS names) to my NTP
configurations.  Since doing this, I've noticed that the nearby
(Stanford) servers are uniformly "off" by several milliseconds, in
comparison to more distant servers.  Here, for example, is some output
from the ntpq "peers" command (with host names turned off) on one of
my servers:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.0.229.29     10.0.229.53      3 u   25   64  376    0.109   -3.955   0.130
-10.0.229.114    171.64.7.89      3 u  103  256  377    6.058   -5.277   3.545
-10.0.229.117    209.167.68.100   3 u   78  256  377   22.338   -8.460   5.624
+171.64.7.61     171.64.7.87      2 u  392 1024  377    5.614   -5.418   0.923
+171.64.7.55     171.64.7.87      2 u  393 1024  377    4.998   -5.405   0.977
-171.64.7.111    171.64.7.87      2 u  394 1024  377    5.598   -5.499   1.000
-207.150.167.80  209.51.161.238   2 u  387 1024  377   79.606    6.888   1.485
-72.36.170.170   132.163.4.102    2 u  368 1024  377   51.702    6.867   0.297
-66.254.57.165   18.26.4.105      2 u  386 1024  377   95.627    3.567   1.373
*131.234.137.24  .DCF.            1 u  449 1024  377  171.784    0.923   0.978
-89.16.178.36    195.66.241.3     2 u  442 1024  377  157.082    1.874   0.443

(The 10.0.229.* servers are on my home LAN; the 171.64.7.* servers are
at Stanford; and the others are from various places around the world
and have much larger delays than the nearby servers.)

I also see that the above machine is currently syncing to a server in
Germany (delay = 171 msec) -- possibly because it's on stratum 1.  (I
submitted a separate posting questioning whether stratum-1 servers
should really be in the pools, but that's a separate issue.)

Is this sort of behaviour to be expected?  Does this mean that the NTP
algorithm ought to be giving more weight to servers with shorter
delays?  Or, perhaps, does it suggest that there might be something
wrong with the Stanford servers that is making them all cluster around
a time that is several milliseconds different from the rest of the
world?

Rich Wales
ri...@richw.org, richwa...@gmail.com



[ntp:questions] Stratum 1 servers in pools?!?

2009-06-15 Thread Rich
I'm using ntpd 4.2.4p4 on several Ubuntu 9.04 ("Jaunty") servers.

Recently, I've been reconfiguring some of my servers to use the "pool"
DNS names (e.g., "server 0.us.pool.ntp.org").  I've noticed that I
sometimes end up associating with a stratum-1 server from a pool.  As
an experiment, I specified 0.de.pool.ntp.org (the German pool), and
one of my servers is currently syncing to zit-net2.uni-paderborn.de (a
stratum-1 server currently syncing to a DCF77 clock).  I've seen this
a couple of times with the US pool as well -- though I'm afraid it
didn't occur to me at the time to write down the stratum-1 servers
involved.

Since (as I understand) end-user clients should avoid dealing directly
with stratum-1 servers, I assume this probably isn't as it should be.
Is it, in fact, proper for a stratum-1 server to be registered as part
of a pool?  Where -- if anywhere -- should I report a stratum-1 server
found in a pool?  Should I consider doing something in my ntp.conf so
as to avoid bothering a server from a pool if it happens to be in
stratum 1?

Rich Wales
ri...@richw.org, richwa...@gmail.com



Re: [ntp:questions] ntpdate

2009-06-15 Thread Danny Mayer
Scott Haneda wrote:
> On Jun 15, 2009, at 8:59 AM, Todd Glassey CISM CIFI wrote:
> 
>>> You should be running ntpd as a daemon. That will keep the clock in
>>> synch and you never have to touch it.
>>
>> Which creates an audit issue and security profile which always needs
>> to be watched. NTPD is not the answer for everyone Danny.
> 
> 
> Can you elaborate on this?  I see that ntpdate and ntpd can both be made
> to do the same thing in my case, which is a non daemonized single
> instance setting of time.
> 
> If I do not plan on making a daemon, and just running it once an hour on
> schedule, as well as in a reboot of the machine after the interfaces are
> up, what would my concerns be?
> 
> If I do decide to run ntpd as a daemon, what audit/security issues
> should I be looking into?
> 
> Thank you Todd.

He's just blowing fud.

Danny




Re: [ntp:questions] ntpdate

2009-06-15 Thread Scott Haneda
Hi Danny, thanks for your comments...
Replies below...

On Jun 14, 2009, at 9:00 PM, Danny Mayer wrote:

> Scott Haneda wrote:
>> I am only looking for the basics of keeping my system clock in sync on
>> OS X 10.5.  On OS X 10.5 the clock will drift badly on a machine that is
>> not logged in.  If you log in, it is less of a problem, but the date and
>> time parts of OS X do not check into the time servers nearly often
>> enough.  An idle machine is usually fine, but certain types of
>> applications can stall the OS, and in turn, stall the clock.  For a
>> server, this makes log files a royal pain to deal with timestamps.
>
> You should be running ntpd as a daemon. That will keep the clock in
> synch and you never have to touch it.

I will look at this.  It seems, OS X, in its GUI based controls, has a
"use network time server", but it is known, and documented in regards to
OS 10.4, to not be reliable. I am not sure the position on OS 10.5, which
I am using, though I suspect there are still issues, as when I have that
setting on, I still get major drift of time.

>> I run, on a schedule, with launchd, which can be thought of as a cron
>> like scheduler for OS X, once an hour, and also, when the machine
>> boots.  Launchd can be told to run on load as well.  I sleep the script
>> long enough for all interfaces to come up.
>>
>> Here is my command:
>>   /usr/sbin/ntpdate -u
>
> Why are you bothering to do this when you can just run ntpd as a daemon
> which will keep your clock perfectly synchronized.

I was just not aware that there was an alternate way, in part, why I was
asking questions here.

>> This works fine, all the time, sans one exception.  If the machine has a
>> kernel panic, or some form of more serious crash, it will come up with
>> the date and time set to 1969, which I believe is Apple's epoch (
>> December 31, 1969, at 4 pm PST )
>>
>> This happens on all OS X machines, I have only tested on 10.4 and 10.5,
>> and only on PPC hardware, I do not have a way to get the date and time
>> to fall into 1969 on an Intel machine.
>
> I don't know OS X but I cannot imagine why it would do that.

It appears when there is a kernel panic, the machine loses NVRAM, which
is where the date and time settings are stored, backed up by an on-board
battery.  When that setting is lost, the date defaults to the earliest
date the OS supports.

>> When this happens, I can see in my syslog, that /usr/sbin/ntpdate -u is
>> called, on the normal schedule, but the date and time is never synced.
>
> You need to have a network connection first and I suspect you don't at
> that point, hence the problem. The network interfaces need to come up
> first, and then you can query for the correct time.

The network is up, I know this much for certain.

>> Syslog tells me, as a normal working result:
>> Jun 10 00:40:48 moses com.domain.ntpdate[78719]: 10 Jun 00:40:48
>> ntpdate[78741]: adjust time server 17.151.16.21 offset -0.070716 sec
>>
>> * That is actually the output of launchd to syslog, launchd just passes
>> the output of a command into syslog.
>>
>> Here is a failure line, after I had a kernel panic.
>> Dec 31 16:00:54 host-domain-com com.apple.launchd[1]
>> (com.domain.ntpdate[50]): Exited with exit code: 1
>
> Where's the part of the log that shows when the network interfaces are
> up and running?

Unfortunately, my logs have been rolled out.  This happens  
infrequently.  The next time it happens, I may be able to get a log  
snippet.  The trouble is, even that is hard to catch.  OS X's syslog  
will get stamps set to Dec 1969, the log rolling utility will see  
that, and roll it away.  I will look into how to disable the log  
rolling for a time.

>> What is exit code 1 of ntpdate?
>
> I don't know and it doesn't matter. ntpdate is deprecated. You should
> use ntpd -gq instead if you just want to set the clock and ntpd -g if
> you want to discipline it so that it never is off.

I was not aware of this, thank you.  I tried to use ntpd in the past,  
since there is more data that I was able to find about it. It would  
never adjust the time and date for me, so I abandoned it.  Turns out,  
even with debugging enabled to very high levels of verbosity, ntpd  
will still return nothing when run.

I finally happened to be watching the syslog when I ran it, and there it
reports a message that I did not have privileges to be running it.
su'ing to a higher-level user allowed me to get it to work.

ntpdate on the other hand, reports the privilege error to stdout,  
which is why I ended up using it.

>> Interestingly, all I have to do to solve this, is ssh in, and run
>> /usr/sbin/ntpdate -u, at which point, the launchd scheduler will have no
>> issue with it on the next run.  I can not find any way to do this
>> without user intervention.  Being on a email server, I get a lot of
>> calls that their emails are dated wrong.
>
> Note that you cannot

Re: [ntp:questions] ntpdate

2009-06-15 Thread Scott Haneda
On Jun 15, 2009, at 8:59 AM, Todd Glassey CISM CIFI wrote:

>> You should be running ntpd as a daemon. That will keep the clock in
>> synch and you never have to touch it.
>
> Which creates an audit issue and security profile which always needs  
> to be watched. NTPD is not the answer for everyone Danny.


Can you elaborate on this?  I see that ntpdate and ntpd can both be  
made to do the same thing in my case, which is a non daemonized single  
instance setting of time.

If I do not plan on making a daemon, and just running it once an hour
on schedule, as well as in a reboot of the machine after the
interfaces are up, what would my concerns be?

If I do decide to run ntpd as a daemon, what audit/security issues
should I be looking into?

Thank you Todd.
-- 
Scott * If you contact me off list replace talklists@ with scott@ *



Re: [ntp:questions] ntp-keygen IFF

2009-06-15 Thread David Mills
Grzegorz,

You didn't say whether that message came from the client or the server. 
I assume you are running in client/server mode and that NTP works when 
not authenticated or even as a sanity check whether it works with 
symmetric key cryptography. We have been running it here in several 
machines with no trouble at all.

You will need to look in the protostats file for both client and server 
when not authenticated to see what the steps are in mobilizing and 
starting up. The same steps should occur with IFF. Then look in the 
cryptostats file for the events leading up to the error report. That 
will tell you the state the client is in at the error. When it gets to 
the error, use ntpq to show the billboards for the client and verify the 
certificate trail, status word and cookie are present. Finally, you may 
need to turn on the debug trace and see what happens during the initial 
start.

Sorry I can't be more specific; you may need to do a little more digging.

Dave

Grzegorz Daniluk wrote:

>Hi again,
>I have one more question. In which situations I can get the 
>protocol_error in cryptostats file ? I read in the documentation that 
>this means 'The protocol state machine has wedged due to unexpected 
>restart.' However, what does it mean ? In which situations could this 
>happen ?
>I'm trying to force ntp-dev-4.2.5p179 to work with IFF crypto scheme. 
>Key generation with ntp-keygen looks OK, both keys and certificates are 
>loaded by ntp but the communication does not work.
>
>Thank you very much for your help,
>Best Regards,
>Grzegorz Daniluk
>



Re: [ntp:questions] ntp-keygen IFF

2009-06-15 Thread Grzegorz Daniluk
Hi again,
I have one more question. In which situations I can get the 
protocol_error in cryptostats file ? I read in the documentation that 
this means 'The protocol state machine has wedged due to unexpected 
restart.' However, what does it mean ? In which situations could this 
happen ?
I'm trying to force ntp-dev-4.2.5p179 to work with IFF crypto scheme. 
Key generation with ntp-keygen looks OK, both keys and certificates are 
loaded by ntp but the communication does not work.

Thank you very much for your help,
Best Regards,
Grzegorz Daniluk
