psueoc
Setup NTP server for stand alone, non-internet attached network using debian as NTP server
I have a small stand-alone network that I need to synchronize time on. I have a Debian box that I would like to use as the time server; the clients are Windows XP. I've tried following the instructions at http://www.debianadmin.com/ntp-server-and-client-configuration-in-debian.html, but I can't seem to get it working. I get an error on the Windows boxes stating that "the peer's stratum is less than the host's".
My ntp.conf file is
server 192.168.2.20 (local IP address of debian box)
fudge 192.168.2.20 stratum 5 (I've tried everything from 0 to 16 here)
restrict 192.168.2.20 (I've also tried the IP address of one of the XP machines here)
Hi,
You can use ntpq to query your stratum. If you don't get time from an atomic clock or from a lower-stratum clock, your stratum will be 10 or higher. This is why your hosts reject the time.
ntpq
> cl
Will display your current status.
Since ntpd is already installed you can only update it.
ASKER
I understand that, but is there a way to FORCE a lower stratum number so my clients will accept its time?
Like I said, this system will never be on the internet, and will never get a chance to sync with an actual atomic clock.
Try entering the following 2 lines into your ntpd.conf file:
server 127.127.1.0
fudge 127.127.1.0 stratum 10
This tells the server to "trust" itself and set its stratum value to 10...
If you want to, you can lower the value even further.
Best of luck!
Dan
IT4SOHO
ASKER
Will try Monday.
Though you can reduce the fudge stratum, it will be a problem if your computer has some way of connecting to any NTP server over the internet. The stratum value for the fudge should not be less than 4!
Running an NTP server that cannot connect to the outside world isn't exactly "best practice" -- but given that it will be limited to the LAN environment, it would be VALID (although again, NOT best practice!) to set the year to 1980 and give yourself a "stratum" of 1!
Among other things, the above would definitely prevent any SSL connections to the outside world! :-)
Good luck, and let us know how it turns out!
Dan
IT4SOHO
ASKER
No go.
NOTE: these are the ONLY 2 lines in my NTP.CONF file, I don't have an ntpd.conf file
server 127.127.1.0
fudge 127.127.1.0 stratum 10
Sorry for the delay in replying... I've had a VERY busy week!
The location of your "real" ntp configuration file may have to be found through examination...
First, cd to the startup script folder (cd /etc/init.d) [the example is for a RedHat "family" distribution]
Next, look at the startup script for your NTP service (more ntpd)
In "my" startup script, there are 2 variables set near the top:
ntpconf=/etc/ntp.conf
ntpstep=/etc/ntp/step-tickers
If this is not the case for you, then the config file should be defined in the "start" section of the script...
As it turns out, the "default" NTP config file is indeed /etc/ntp.conf (not ntpd.conf)....
OK... the last thing I'll say here is this ... most Debian systems install with a firewall in place (iptables)... If this is to be an NTP server for your LAN, you'll need to open the NTP port (UDP 123) to LAN traffic.
Oh... and one more question -- Windows clients inherently use the "Windows Time Service" instead of the "Network Time Service" -- this can be enabled in your Samba.
Time Server = yes
goes into your smb.conf file...
Good luck!
Dan
IT4SOHO
ASKER
How do I ensure UDP 123 is open on the firewall?
> how do i ensure udp 123 is open on the firewall?
Issue
iptables -L -n
and see if
udp 123
is among the allowed ports list. If not, edit your /etc/firewall-rules and add this line in there:
iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
To check if ntp is running on your server issue this command:
netstat -anpu |grep :123
It should output something similar to this if it is running:
udp 0 0 10.0.0.1:123 0.0.0.0:* 3542/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3542/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3542/ntpd
udp 0 0 :::123 :::* 3542/ntpd
The latter above actually checks to see if you are running the NTP service, while the one immediately prior checks your firewall rules to see if NTP is being allowed.
The only TRUE way to see if NTP is available is to specifically test from another system (one of your clients). (Maybe a full port scan of your Linux system wouldn't be a bad idea! Look up nmap in a Google window for Win or Lin implementations.)
Dan
IT4SOHO
ASKER
Here is my portscan output.
Starting Nmap 4.68 ( http://nmap.org ) at 2009-07-29 11:13 Eastern Daylight Time
Interesting ports on 10.232.3.102:
Not shown: 1706 closed ports
PORT STATE SERVICE
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
37/tcp open time
80/tcp open http
111/tcp open rpcbind
990/tcp open ftps
MAC Address: 00:D0:69:41:D4:C9 (Technologic Systems)
Nmap done: 1 IP address (1 host up) scanned in 1.344 seconds
ASKER
10.232.3.102 is the IP address of the box I'm trying to setup as an NTP server, I scanned from another system on the same network.
ASKER
Should UDP 123 be open?
In short, yes you need to open port 123 (the NTP port) to local traffic.
Were it my system, I'd also stop the FTP, Telnet, and RPC functions (these all use "cleartext" authentication). I cannot imagine what is opening the daytime port (13) and time port (37), as they shouldn't be there anymore -- all but deprecated. Also, I'd close the discard port as it has no real useful use in a working network.
Finally, if HTTP is open, HTTPS should also be open...
If you follow my suggestions, you should find ONLY the following open ports (you may choose to open more later):
22/tcp - SSH
80/tcp - HTTP
123/udp - NTP <= Add this
443/tcp - HTTPS <= and this
990/tcp - FTPS
Now, to open or close the ports you'll need to adjust your firewall (assuming you're running one).... if you're NOT running a firewall, then you'll need to find out why your ntp server isn't running (if it was, you'd be listening on port 123!).
I would also think it wise to look into what processes are on those unwanted ports (daytime, time, & discard). You can do that with the lsof command:
lsof -i | grep discard
will show you the process(es) that are listening on port 9 (discard).
The telnet & ftp ports are probably opened by your xinetd facility... go find the files "telnet" and "ftp" in your /etc/xinetd.d folder and change the line that says "disable = no" to "disable = yes" in each; then restart xinetd (service xinetd restart)... it is likely you don't really need xinetd running, but it harms nothing to leave xinetd running for now.
Whew... that's a few steps for now! Get that done & report back... I'd personally like to know what process was listening to the discard port! :-)
When done, a "fresh" output of an nmap scan would be useful, as would a complete listing of the output of "lsof -i".
Good luck!
Dan
IT4SOHO
ASKER
Keep in mind, this system will never see the internet.
As far as I know (I kinda got dumped on this project), this box is going to be used for TIMING various different data acquisition systems over Ethernet. That's the reason I'm trying to make it an NTP server. "Correct" time is not as critical as "synced" time.
ASKER
How can I tell whether or not I have a firewall installed? FYI, this is all command-line based, no GUI. In fact, I can hold this box in the palm of my hand; it doesn't even have a hard drive and boots from an SD card. You have to console, telnet or ssh to it.
You can check if the ntp process is running or not using this command:
netstat -anptu | grep :123
If not, start it using
/etc/init.d/ntp start
If it still does not run, check /var/log/messages to see why it quits. If it aborts, it will print some nag lines in the log.
Cheers,
K.
ASKER
My nmap command was "nmap -P0 10.232.3.102", so I think that scans TCP and UDP.
I got an error when I attempted that iptables command, so I must not be running one.
ASKER
I can see the NTPD daemon starting during boot, but I'll have to verify whether or not it's just getting an error and stopping.
What does your
netstat -anA inet
show? Are you really not running any process that listens on UDP ports?
nmap -P0 means that nmap always assumes the system is up, skipping host discovery, and nmap scans only TCP ports if not instructed otherwise!
ASKER
Will it still be possible to have Windows XP clients sync to this NTP server without having Samba installed?
Yeah. Definitely.
In fact what they do through samba is windows time synching not NTP. NTP is a different protocol and won't require samba.
ASKER
Is Windows capable of NTP without modification? Like in Windows XP, when I double-click the clock in the bottom right, then click the "Internet Time" tab: can I just put the IP address of my Debian box in there when it's all said and done?
Yeah, they do. Date and Time Properties >> Internet Time. Then enter your NTP server's IP and click Set. But to use NTP synchronization, XP PCs must not be members of a Windows domain. If they are, the Internet Time sync menu is not accessible.
ASKER
Right, I noticed that machines joined to a domain no longer have that option.
ASKER
netstat -anpu |grep :123
udp 0 0 127.0.0.1:123 0.0.0.0:* 1324/ntpd
udp 0 0 10.232.3.102:123 0.0.0.0:* 1324/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 1324/ntpd
ps -aefww | grep -i ntp
ntp 1324 1 0 1943 ? 00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 105:105 -g
root 1366 1336 0 1943 ttyS0 00:00:00 grep ntp
netstat -anA inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1002 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:13 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:9 0.0.0.0:*
udp 0 0 0.0.0.0:69 0.0.0.0:*
udp 0 0 0.0.0.0:996 0.0.0.0:*
udp 0 0 0.0.0.0:999 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 10.232.3.102:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
NMAP is currently scanning with the -sU switch, will post results when complete
ASKER
I don't have a /var/log/messages.
ASKER
See Windows XP screenshot.
time.jpg
ASKER
ntp.conf file
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server 127.0.0.1
fudge 127.0.0.1 stratum 4
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst dynamic
#server 1.debian.pool.ntp.org iburst dynamic
#server 2.debian.pool.ntp.org iburst dynamic
#server 3.debian.pool.ntp.org iburst dynamic
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.232.3.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
disable auth
broadcastclient
ASKER
nmap -T Aggressive -v -n -sU 10.232.3.102
Starting Nmap 4.68 ( http://nmap.org ) at 2009-07-30 15:13 Eastern Daylight Time
Initiating ARP Ping Scan at 15:13
Scanning 10.232.3.102 [1 port]
Completed ARP Ping Scan at 15:13, 0.38s elapsed (1 total hosts)
Initiating UDP Scan at 15:13
Scanning 10.232.3.102 [1488 ports]
Increasing send delay for 10.232.3.102 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 10.232.3.102 from 50 to 100 due to 11 out of 12 dropped probes since last increase.
UDP Scan Timing: About 3.92% done; ETC: 15:26 (0:12:16 remaining)
Increasing send delay for 10.232.3.102 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 800 to 1000 due to 11 out of 27 dropped probes since last increase.
UDP Scan Timing: About 48.76% done; ETC: 15:39 (0:13:26 remaining)
UDP Scan Timing: About 97.68% done; ETC: 15:40 (0:00:37 remaining)
Completed UDP Scan at 15:40, 1649.69s elapsed (1488 total ports)
Host 10.232.3.102 appears to be up ... good.
All 1488 scanned ports on 10.232.3.102 are closed (1456) or open|filtered (32)
MAC Address: 00:D0:69:41:D4:C9 (Technologic Systems)
Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 1650.375 seconds
Raw packets sent: 1923 (53.858KB) | Rcvd: 1677 (93.994KB)
ASKER
iptables -L -n
iptables v1.2.11: can't initialize iptables table 'filter' : iptables who?": (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded
uname -a
linux ts7800 2.6.21-ts #1 PREEMPT Tue Apr 15 11:05:50 MST 2008 armv5tejl GNU/Linux
ASKER
Did apt-get install iptables
and now it says
iptables v1.4.2: can't initialize iptables table 'filter' : iptables who?": (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded
Same error, different version :)
Yeah, but where do you log your daemons? Will you please post your /etc/syslog.conf too?
BTW, your UDP scan cannot find your ntp daemon. I've noticed you've set the user to "-u 105:105" with the ntp daemon. Are these really valid numbers? Will you check /etc/passwd and /etc/group to see if ntp uses 105 for both uid and gid?
ASKER
See attachments.
I can enable logging to help diagnose this problem if you think it will help.
group.txt
passwd.txt
syslog.txt
ASKER
-u105:105
????? I didn't do anything...
> -u105:105
> ????? I didn't do anything...
Please check here: https://www.experts-exchange.com/questions/24540637/Setup-NTP-server-for-stand-alone-non-internet-attached-network-using-debian-as-NTP-server.html?cid=1066&anchorAnswerId=24983449#a24983449
> ps -aefww | grep -i ntp
> ntp 1324 1 0 1943 ? 00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 105:105 -g
> root 1366 1336 0 1943 ttyS0 00:00:00 grep ntp
ASKER
But I didn't set that "105" part.
The -u 105 part is setting the user name and group name of the process to 105 -- probably ntp or ntpd in /etc/passwd and /etc/group... This is so that the ntp daemon runs without root permission, so that, should someone find a way to hack into the ntp daemon, all they get are the permissions of that user (minimal, to say the least).
The ntp user & group are properly set & there is nothing wrong with that part...
Dan
IT4SOHO
ASKER
Any more ideas, guys? Why would port 123 not be open? Why do I get errors when I try to issue iptables commands?
Hi,
As can be seen from the passwd and group files, 105 belongs to the 105 user.
And your syslog conf says:
# Don't log anything by default to reduce wear on compact flash
# To enable logging, "cp /etc/syslog.conf-debian /etc/syslog.conf"
This is why you don't have any logs. Please do as it says and populate your syslog, then restart it.
Your iptables prints an error and quits because iptables is not properly installed. It means that it does not work and does not block anything from your computer.
This note shows that ntp is bound to port 123 and listening:
https://www.experts-exchange.com/questions/24540637/Setup-NTP-server-for-stand-alone-non-internet-attached-network-using-debian-as-NTP-server.html?cid=1066&anchorAnswerId=24983449#a24983449
Your config seems ok too:
https://www.experts-exchange.com/questions/24540637/Setup-NTP-server-for-stand-alone-non-internet-attached-network-using-debian-as-NTP-server.html?cid=1066&anchorAnswerId=24983639#a24983639
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> broadcast 10.232.3.255
I guess you've made sure that all your clients are located in this segment, 10.232.0.0/255.255.252.0, and all clients agree on the subnet/mask/broadcast and default gateway addresses, and this is not a routing issue. Can you ping the ntp system? Or run traceroute to it to double-check?
But this note shows that there's something blocking your comms between your ntp server and your client:
https://www.experts-exchange.com/questions/24540637/Setup-NTP-server-for-stand-alone-non-internet-attached-network-using-debian-as-NTP-server.html?cid=1066&anchorAnswerId=24983672#a24983672
Please check any L3 switch, firewall etc. against the blocking of NTP traffic between clients and your servers. Also please make sure that you can ping and traceroute to your Debian ntp host.
Cheers,
K.
> As it could be seen from passwd and group files 105 belongs to the 105 user.
I mean ntp user.
ASKER
test client: 10.232.3.101/22
ntp server: 10.232.3.102/22
Ping and tracert work fine.
Both connected to a little 5-port mini hub at the moment.
ASKER
Interesting info from /var/log/daemon.log,
although the date and time are incorrect. They do match the current system time.
See attached.
daemon.log
ASKER
I got it working!!!!
http://doc.ntp.org/4.2.2/manyopt.html
Orphan mode was the key, as well as uninstalling ntpdate.
Thank you for all your help.
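As an added example that is not part of the thread (and not the ntp project's own code): a POSIX shell script that writes an ntp.conf for an isolated server using the orphan mode the asker settled on, and audits a config for the problems raised earlier in the thread: a fudge on 127.0.0.1 instead of the local clock driver 127.127.1.0, a fudge stratum below 4, a missing or weak restrict default line, and the "disable auth" and "broadcastclient" lines in the posted config. The subnet, mask and orphan stratum are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ntp project: builds an
# ntp.conf for an isolated LAN server in orphan mode (the asker's fix) and
# audits a config for the settings discussed in the thread that break or
# weaken such a server. Network, mask and stratum are caller-supplied assumptions.

# Write a minimal ntpd configuration for a server with no upstream source.
# $1 = output path, $2 = LAN network, $3 = netmask, $4 = orphan stratum
write_isolated_ntp_conf() {
    cat > "$1" <<EOF
driftfile /var/lib/ntp/ntp.drift
# Orphan mode: with no reachable server, ntpd serves its own clock at this
# stratum instead of staying unsynchronised (see doc.ntp.org manyopt.html).
tos orphan $4
# Serve time to everyone but allow no runtime configuration or status queries.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
# LAN clients may fetch time but may not modify the daemon.
restrict $2 mask $3 nomodify notrap
EOF
}

# Record one audit finding on stdout and bump the global counter.
flag() { echo "finding: $1"; findings=$((findings + 1)); }

# Audit an ntp.conf. Prints one finding per line; returns 1 if any, else 0.
audit_ntp_conf() {
    body=$(sed 's/#.*//' "$1")   # drop comments so commented-out lines are ignored
    findings=0

    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*disable[[:space:]]+auth' &&
        flag "'disable auth': unauthenticated broadcast/peer time is accepted"
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(broadcast|multicast)client' &&
        flag "'broadcastclient': time from any host on the LAN is accepted"

    # The default restrict line must deny reconfiguration and status queries.
    defr=$(printf '%s\n' "$body" |
        grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default') || :
    if [ -z "$defr" ]; then
        flag "no 'restrict default' line: anyone may query and reconfigure ntpd"
    else
        for opt in nomodify noquery; do
            printf '%s\n' "$defr" | grep -qv "$opt" && flag "'restrict default' lacks $opt"
        done
    fi

    # ntpd needs a time source or orphan mode, otherwise it never reaches sync.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(server|peer|pool)[[:space:]]' &&
       ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*tos[[:space:]].*orphan'; then
        flag "no server/peer line and no 'tos orphan': ntpd will never synchronise"
    fi

    # 127.0.0.1 is the host itself, not the local clock driver (127.127.1.0).
    selfref=$(printf '%s\n' "$body" | awk '$1=="server" && $2=="127.0.0.1" {print $2}')
    [ -n "$selfref" ] && flag "'server 127.0.0.1' is the host itself; use 127.127.1.0 or orphan mode"

    # 'fudge' only applies to reference clock addresses of the form 127.127.t.u.
    badfudge=$(printf '%s\n' "$body" | awk '$1=="fudge" && $2 !~ /^127\.127\./ {print $2}')
    [ -n "$badfudge" ] && flag "'fudge $badfudge' is ignored: fudge applies only to 127.127.t.u clocks"

    # A local clock below stratum 4 would outrank any real upstream added later.
    low=$(printf '%s\n' "$body" | awk '$1=="fudge" {for (i=3; i<NF; i++)
        if ($i=="stratum" && $(i+1)+0 < 4) print $(i+1)}')
    [ -n "$low" ] && flag "local clock fudged to stratum $low (<4)"

    [ "$findings" -eq 0 ]
}

# Constructed sample modelled on the config posted in the thread (not a copy).
write_constructed_weak_conf() {
    cat > "$1" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 127.0.0.1
fudge 127.0.0.1 stratum 4
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
broadcast 10.232.3.255
disable auth
broadcastclient
EOF
}

# Usage: sh ntp_audit.sh /etc/ntp.conf
if [ -n "${1:-}" ]; then
    audit_ntp_conf "$1"
fi
```

On the server, a clean config prints nothing and exits 0; the constructed weak config above yields four findings, which is the set of changes the thread ended up making.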
ASKER
When I run "apt-get install ntp-server" it says that the package no longer exists.