Re: [ntp:questions] ntp-4.2.6p2 doesn't sync with Autokey
Hi all,

I have written documentation for Autokey+IFF, but in French... sorry:
http://archi.laurent.perso.neuf.fr/Autokey-IFF.xhtml

I know it's not easy, but I have never had a problem similar to yours.
The "debug" mode is really better in the beginning, for memory:
--> /usr/sbin/ntpd -c /etc/ntp/ntp.conf -D2 (or -D <=10)
--> look too at the many flags for autokey, it's important too (for me), or just this, there are many examples here:
http://archi.laurent.perso.neuf.fr/Autokey-IFF.xhtml#d4e336

An example:

*ntpq> pstatus 20454*
associd=20454 status=f43a conf, authenb, auth, reach, sel_candidate, 3 events, sys_peer,
srcadr=portable.archi.amt, srcport=123, dstadr=192.168.1.11, dstport=123,
leap=00, stratum=3, precision=-20, rootdelay=67.993, rootdisp=48.798,
refid=81.19.16.225,
reftime=ceb89d87.c51dbd30 Thu, Nov 26 2009 7:24:07.769,
rec=ceb89e4e.50c6730f Thu, Nov 26 2009 7:27:26.315, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=7, ppoll=7, headway=138, flash=00 ok,
keyid=3927447286, offset=1.931, delay=1.526, dispersion=5.404,
jitter=0.898, xleave=0.044,
filtdelay= 5.55 1.79 1.53 1.55 3.36 1.53 1.53 1.54,
filtoffset= -0.07 1.73 1.78 1.68 2.62 1.93 2.30 2.88,
filtdisp= 0.00 2.03 3.05 4.08 5.07 6.09 7.11 8.15,
host="GR1", flags=0x87f21, signature="md5WithRSAEncryption"

Best regards

2010/10/18 Dave Hart

> On Sun, Oct 17, 2010 at 03:43 UTC, Joe Smithian wrote:
> > I've compiled ntp-4.2.6p2 from the source code with crypto, openssl and
> > autokey enabled on CentOS 5.4 platform. I've configured my CentOS 5.4 client
> > to use Autokey but it doesn't sync as you can see below.
>
> What I see looks normal, given your configuration. Linux
> distributions in particular seem to include the local clock driver
> 127.127.1.0 ill-advisedly, and you are the latest victim. You have
> instructed both your client and autokey server to freewheel using the
> PC's clock while claiming to be synchronized. Unless some other
> software is disciplining that clock outside of ntpd, you probably
> don't want that.
>
> > Authentication is OK but it rejects the trusted server.
>
> Right, so if you remove 127.127.1.0 from the client's configuration,
> it should sync to its single remaining source.
>
> > I've done the same configuration using
> > ntp-4.2.4p5 on an old RedHat 7.2 machine and it syncs to the same trusted
> > server. So I guess the problem might be in the new version of NTP.
>
> There was a three-year-long development process between 4.2.4 and
> 4.2.6 stable releases. During that time, autokey was substantially
> updated. Configurations that worked with 4.2.4 may not work with
> 4.2.6 without change.
>
> Good luck,
> Dave Hart
> ___________
> questions mailing list
> questions@lists.ntp.org
> http://lists.ntp.org/listinfo/questions

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux
___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions

Re: [ntp:questions] General ntp architecture question
Hi all,

For this sentence, "You also minimize your exposure to other people's mistakes and disasters.", you can choose a specific appliance. I think it's the better choice for all (security and the same for NTP).
There are many industrial shops for this, with GPS, quartz, and for INTERNET to DMZ (PPC, IRIG-B, 10 MHz...): Jtelec.fr (fr/GB), Meinberg (de/GB) ... etc.

Best regards

2010/8/2 Richard B. Gilbert

> konsu wrote:
>
>> Hello list,
>>
>> I work for an investment bank with 300 UNIX servers, around 3000
>> workstation PCs and would like to ask some questions to more
>> experienced users.
>>
>> a) Are there any banks relying on ntp pool project or should we
>> consider having our own GPS clock ?
>>
>
> Ask a banker. For most of us the question is out of our area of expertise!
>
>> b) What are the criteria to consider in deciding when ntp pool project
>> is enough for our needs ?
>>
>
> 1. Availability
> 2. Reliability
> 3. Distance from your site. Absurd example: If you are in New York City,
> you would NOT want to configure a server in Tokyo!
>
>> c) Should we decide to use ntp, for an organization of our size would
>> 2 servers syncing to ntp pool project in DMZ and 2 servers inside to
>> which all UNIX servers + Domain Controller will sync (PCs would sync
>> to the Domain controller) suffice ?
>>
>
> I would suggest that you consider purchasing a GPS Timing Receiver and
> installing it. If you can site an antenna smaller than a hockey puck
> somewhere within reach and with a good view of the sky, and connect it to
> your receiver and your receiver to your computer you will have your very own
> Stratum 1 server. You also minimize your exposure to other people's
> mistakes and disasters.
>
> Don't use two servers! It is written that a man with two clocks can never
> be certain what time it is. Four servers is generally regarded as the
> minimum. A configuration of five servers can survive the failure of two
> servers and a configuration of seven servers is able to survive the failure
> of three.
>
> Failure, in this context, can mean either not responding or responding with
> an incorrect time. The last NTP survey found one server that responded with
> the wrong year!! This sort of thing does not happen often; that survey
> covered several thousand NTP servers and most of the world.

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

Re: [ntp:questions] NTPGraffe V1 (FR !)
Thanks a lot,

I know your workaround for NTP, and the same in the NTP mailing list, and you are in my documentation too.

Useful links:
--> Various "monitoring" programs of all kinds: www.satsignal.eu (http://www.satsignal.eu/software/net.htm#NTPmonitor).

Best regards

2010/7/21 David J Taylor

> "ARCHI" wrote in message
> news:0e10346c-cc33-4a10-8f36-8c88403dd...@k19g2000yqc.googlegroups.com...
>
>> Sorry all in French language...sorry
>>
>> NTPGraffe brings together 3 Perl scripts and a web interface for
>> viewing various graphs (RRDTool) related to NTP servers,
>> with or without Autokey as well.
>>
>> Doc: http://www.archil.fr/ntpgraffe/NTPGraffe-v1.xhtml
>> Sources: http://www.archil.fr/ntpgraffe/ntpgraffe-v1.tgz
>>
>> Regards
>>
>
> Thanks for your posting, Archi. It's good to see someone providing a
> graphic tool for NTP, and the plots look useful. I managed just with MRTG
> alone, but I then wrote some programs which analyse working NTP in different
> ways, including having access to the loopstats files.
>
> http://www.satsignal.eu/mrtg/performance_ntp.php
> http://www.satsignal.eu/software/net.htm#NTPmonitor
>
> Thanks,
> David

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

Re: [ntp:questions] An unknown flags (for me)
>
> Hi all,
>
> Actually my version of ntpd is "ntpd 4.2.7...@1.2121-o" and I use autokey
> IFF + Group for only 2 servers.
> With ntpq -cas (extract on 1 line):
> 5 44702 f43d yes yes AUTH-> ok candidate 3
>
> But there is my problem, with "ntpq -pstatus &5 :
>
> I have this:
> pstatus &5
> associd=44702 status=f43d conf, authenb, auth, reach, sel_candidate, 3
> events, popcorn,
> srcadr=serveur.archi.amt, srcport=123, dstadr=192.168.1.90, dstport=123,
> leap=00, stratum=3, precision=-21, rootdelay=78.033, rootdisp=48.798,
> refid=88.191.108.178,
> reftime=cfae6463.6b5845fe Mon, May 31 2010 18:37:55.419,
> rec=cfae6681.1d9018b9 Mon, May 31 2010 18:46:57.115, reach=377,
> unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=64, flash=00 ok,
> keyid=324133, offset=-2.218, delay=1.210, dispersion=0.062,
> jitter=0.802, xleave=0.087,
> filtdelay= 5.47 1.21 1.21 1.22 1.23 1.23 1.25 1.23,
> filtoffset= -0.10 -2.22 -2.21 -2.20 -2.20 -2.21 -2.20 -2.20,
> filtdisp= 0.00 0.03 0.06 0.09 0.12 0.15 0.18 0.21,
> host="GR1",* flags=0x415f01*, signature="sha1WithRSAEncryption"
>
> The "flags=0x415f01" is a problem for me, I cannot resolve this (?),
> especially with the table:
>
> #define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
> #define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
>
> #define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
> #define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
> #define CRYPTO_FLAG_GQ    0x0040 /* GQ identity scheme */
> #define CRYPTO_FLAG_MV    0x0080 /* MV identity scheme */
>
> #define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
> #define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
> #define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
> #define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
>
> #define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
> #define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
> #define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
>
>
> Thanks a lot - Best regards
>
>
> --
> ~o00o-//{ ´°`(_)´°` }\\-o00o~--
>
> Laurent Archambault
> Under Linux
>

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

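Added example (not part of the thread and not code from the NTP project): a small C decoder that applies the flag table quoted in the message above to the two flags values that appear on this page, 0x87f21 and 0x415f01. The helper names crypto_decode and crypto_nid are hypothetical, and reading the upper 16 bits as the OpenSSL NID of the signature scheme is an assumption that the thread does not state; both samples are consistent with it (0x8 next to md5WithRSAEncryption, 0x41 next to sha1WithRSAEncryption).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit values and meanings as listed in the quoted table; names are its CRYPTO_FLAG_ suffixes. */
static const struct { uint32_t bit; const char *name; } crypto_bits[] = {
    { 0x0001, "ENAB"  }, /* crypto enable */
    { 0x0002, "TAI"   }, /* leapseconds table */
    { 0x0010, "PRIV"  }, /* PC identity scheme */
    { 0x0020, "IFF"   }, /* IFF identity scheme */
    { 0x0040, "GQ"    }, /* GQ identity scheme */
    { 0x0080, "MV"    }, /* MV identity scheme */
    { 0x0100, "VALID" }, /* public key verified */
    { 0x0200, "VRFY"  }, /* identity verified */
    { 0x0400, "PROV"  }, /* signature verified */
    { 0x0800, "AGREE" }, /* cookie verified */
    { 0x1000, "AUTO"  }, /* autokey verified */
    { 0x2000, "SIGN"  }, /* certificate signed */
    { 0x4000, "LEAP"  }, /* leapseconds table verified */
};

/* Assumption (not stated in the thread): bits 16..31 hold the OpenSSL NID of the signature scheme. */
static unsigned crypto_nid(uint32_t flags) { return flags >> 16; }

/* Writes the names of the set bits into out, space separated; returns low-16 bits the table does not name. */
static uint32_t crypto_decode(uint32_t flags, char *out, size_t outlen)
{
    uint32_t unknown = flags & 0xffff;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof crypto_bits / sizeof crypto_bits[0]; i++) {
        if (!(flags & crypto_bits[i].bit))
            continue;
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", used ? " " : "", crypto_bits[i].name);
        unknown &= ~crypto_bits[i].bit;
    }
    return unknown;
}

int main(void)
{
    const uint32_t s[] = { 0x87f21, 0x415f01 }; /* the two pstatus values on this page */
    char buf[128];
    for (size_t i = 0; i < 2; i++) {
        uint32_t unk = crypto_decode(s[i], buf, sizeof buf);
        printf("0x%06x nid=%u [%s] unknown=0x%x\n", (unsigned)s[i], crypto_nid(s[i]), buf, (unsigned)unk);
    }
    return 0;
}
```

Against the quoted table, 0x415f01 decodes to ENAB plus VALID, VRFY, PROV, AGREE, AUTO and LEAP, with no identity-scheme bit and no SIGN; 0x87f21 decodes to ENAB, IFF and all seven bits from VALID to LEAP.
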
Re: [ntp:questions] XFAC (?)
Hi all,

Many thanks for all the answers, and I have another possibility for XFAC: Extra Fast Attack Crafts.
Your solution seems better!

Best regards

2010/5/12 Dave Hart

> On Wed, May 12, 2010 at 20:18 UTC, Uwe Klein wrote:
> >
> > so XFAC stands for
> > X Inter
> > F Face
> > A Association
> > c Change
> > ??
>
> I really don't know what was imagined initially. Perhaps eXchange
> interFACe? With four capital letters used for these locally-generated
> pseudo-refids, there's not a lot of room for clarity.
>
> > Does this only happen on interface down/change or at ntp bootup too ?
>
> Only on interface change. At startup, each association shows .INIT.
> as the refid.
>
> Cheers,
> Dave Hart

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

[ntp:questions] XFAC (?)
Hello all,

After much searching, I have not found my answer: what does the status "XFAC" mean (?).
I have found this "Extra Fast Attack Crafts", and I am very happy for this... but in French it's very difficult to understand this status "XFAC".

Many thanks - best regards

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

[ntp:questions] XFAC (?)
After much searching, I have not found my answer, but for the human that
the status "XFAC" represents (?). I have found this "Extra Fast Attack
Crafts", and I am very happy for this... but in French it's
very difficult to understand this word "XFAC".

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

Re: [ntp:questions] Tool to sample/monitor an NTP server?
Hi all,

I have made 2 scripts in Perl, not finished at this time, but all functional. They are for you if you want, and it's by graphical view, which is much better and easier.

Best regards

2009/11/10 Martin Burnicki

> PhilipPeake wrote:
> > My problem is a client with several systems using a single GPS-based
> > NTP server.
> > A couple of these systems have had occasions where the clock has
> > suddenly stepped around 10,000 seconds backwards:
> >
> > Oct 15 13:22:03 xxx xntpd[403]: [ID 261039 daemon.error] time error
> > -10369.999603 is way too large (set clock manually)
> [...]
> > I suspect that the NTP server is having issues, especially since this
> > same thing has happened on more than one server. The events are not
> > synchronised, so I suspect a short duration time glitch only seen if
> > the NTP client happens to poll at the "right" time.
> >
> > What I want is a client to poll the NTP server (say once per second)
> > and log the time received. A simple perl script can then look for any
> > large jumps in the recorded time. This will tell me if the NTP server
> > is really at fault.
>
> Reconfigure or set up a new NTP client with peerstats enable. If you can add
> a couple of pool servers to that client then the client should mark the
> server in question as falseticker and discard it if this happens again, and
> the peerstats should clearly indicate that the time on the server has
> jumped around.
>
> Or simply a one-line bash script:
>
> while true; do ntpdate -q your-ntp-server|grep ntpdate|tee -a ntpdate.log; \
> sleep 10; done
>
>
> Martin
> --
> Martin Burnicki
>
> Meinberg Funkuhren
> Bad Pyrmont
> Germany

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux
___
questions mailing list
questions@lists.ntp.org
https://lists.ntp.org/mailman/listinfo/questions

[ntp:questions] NTP + STANAG 4430
Hello all,

After reading a lot of documentation for NTP, why is STANAG 4430 not included with ntp-4.x.x...

I am very interested in your answers - Best regards and have a good weekend.

For more information about this STANAG 4430:
http://tycho.usno.navy.mil/ptti/1993/Vol%2025_10.pdf

--
~o00o-//{ ´°`(_)´°` }\\-o00o~--

Laurent Archambault
Under Linux

[ntp:questions] NTP + kernel frequency
Hello all and sorry for my English ...

I know now that in the "recent" kernel the internal frequency will be 250 MHz...
With my Gentoo it's not a problem for me because I build my kernel myself ... but if I take Mandriva or another distribution, how do I find these values?

Thanks for all

--
______ / Laurent Archambault \ |---| |Gentoo and Mandriva | _-_