ntp.conf help restricting queries

I have a FreeBSD-6 server running ntp 4.2.0a and am having trouble configuring ntp.conf (restrict statements etc) correctly.

I want to prevent anyone from modifying my server time and I want to use 6 or 7 other servers as peers. Are my potential restrict lines for my internal networks (the commented lines below) correct?

I originally had my restrict default set to ignore but replaced it with "nomodify nopeer notrap" when client machines could not get the time from the server.


My current ntp.conf (I have changed the DNS names of my time source servers):
# more /etc/ntp.conf
restrict default nomodify nopeer notrap
restrict 127.0.0.1
#restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 172.20.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.0.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.2.0.0 mask 255.255.0.0 notrust nomodify notrap
server clock.myntp.tld prefer nomodify notrap noquery
server ntp.something.tld nomodify notrap noquery
multicastclient
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
keys            /etc/ntp/keys


On a related note, all machines except the win2k3 server have worked fine, but the win2k3 server logs say "no suitable server found" (or something very like that), even though other machines (Windows XP Pro, Unix, Linux, Mac OS X etc.) all get the time OK from the server. Any ideas what I'm doing wrong there?
David Piniella asked:
David Piniella (Author) commented:
increasing points
bpeterse commented:
This may not be the answer you're seeking, but it's definitely a workaround.  I've had *challenges* getting ntp configured on a slack box and learned this trick from a slack wizard.  All you have to do in your crontab is point it to a timeserver:

# Added to synch with local NTP server -
0 15 * * * /usr/sbin/ntpdate <ip_address_time_server>

You could synch it as often as you'd prefer this way as well.


David Piniella (Author) commented:
My problem isn't syncing my machine, it's getting my LAN machines to sync to my machine.

ntpdate works dandy, and I can talk to other servers, but when I tell the win2k3 servers on my LAN to get their time from my ntp... they can't.

gheist commented:
ntpd on FreeBSD is broken; in particular, restrict does not work well.
In most cases ntpdate is enough, unless you wish to serve time to clients.

http://ntp.isc.org/bin/view/Main/DocumentationIndex

Read through the three-part doc; I can post a working ntp config if you need one.
David Piniella (Author) commented:
I wouldn't mind a working config copy; I have read through the docs (there's one at us-webmaster.com that's great for ntp) and wound up installing from source since the port installs an unpatched version of ntp w/ a broken broadcastclient.

I am planning on serving time to clients and running my own ntp pool of servers. All my clients get time OK except win2k3 servers.
gheist commented:
2003 has to be configured differently than XP, 2000 or NT4; your problem is finding the right doc.
David Piniella (Author) commented:
Found a doc ages ago that said the problem was the packet type 2k3 was sending; it suggested sending a different packet type (in the 2k3 CLI net time command) and that didn't help either... something about 2k3 sending packets as a peer instead of as a client.
gheist commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept dpiniella http:#16446835

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer
gheist commented:
I am punishing myself for not posting:
---
server xxx
driftfile /var/db/ntp.drift
restrict default ignore
restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
restrict xxx noquery nomodify notrap
restrict 127.0.0.1
David Piniella (Author) commented:
This particular setup (conf file below) would not let me sync my win2k3 server (on the 10.64./16 network) to my ntp server (public IP, same VLAN, same switch). I'm not running a firewall on the ntp host itself, and there isn't one on the windows host either (there is a hardware firewall between them both and the world at large though). I still don't know what to make of this.

I eventually solved my problem by making my server an open NTP server in the conf and blocking access via the firewall, but this is inelegant and less than ideal. I'll try your config tomorrow (I have to reboot the server _anyway_ and I want to see if I've set it up correctly for the services coming up on reboot).

Would changing the fudge line change what stratum my server reports itself as being?

root@ntp:[/etc%]# more ntp.conf
# Prohibit general access to this service.
restrict default nomodify nopeer notrap
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.64.0.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
server ntp.myfloridacity.us
restrict ntp.myfloridacity.us nomodify notrap noquery
server tick.navy.mil
restrict tick.navy.mil nomodify notrap noquery
# --- NTP MULTICASTCLIENT ---
multicastclient                        # listen on default 224.0.1.1
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# --- GENERAL CONFIGURATION ---
#
fudge   127.127.1.0 stratum 10
# server 1.north-america.pool.ntp.org
# server 2.north-america.pool.ntp.org
# driftfile stuff
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
# authenticate yes
# keys
keys            /etc/ntp/keys
GranMod commented:
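As an added example (not code from this thread), the following Python script applies ntpd's restrict matching offline to a constructed ntp.conf fragment, so the effective flags for a given client address can be checked before a reboot. It assumes ntpd's rule that the most specific matching restrict entry wins, skips hostname restricts (which ntpd resolves at start-up), and shows that a host on the 10.64.x.x /16 mentioned above falls through to the "restrict default" line when the restrict uses mask 255.255.255.0.

```python
import ipaddress

# Constructed sample modelled on the configs in this thread (placeholder names).
SAMPLE_CONF = """
restrict default nomodify nopeer notrap
restrict 127.0.0.1
restrict 10.64.0.0 mask 255.255.255.0 notrust nomodify notrap
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
restrict tick.navy.mil nomodify notrap noquery   # hostname: skipped offline
"""

def parse_restrict(conf):
    """Return (network, flags) pairs for every IPv4 restrict line."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        target, rest = parts[1], parts[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                continue  # hostname; would need DNS resolution
            mask = "255.255.255.255"  # no mask keyword means a single host
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, frozenset(rest)))
    return rules

def flags_for(rules, client):
    """Flags ntpd applies to a client: the most specific match wins
    (assumption: ntpd's sorted restrict list behaves this way for IPv4)."""
    ip = ipaddress.ip_address(client)
    matches = [r for r in rules if ip in r[0]]
    if not matches:
        return None  # no restrict lines at all: unrestricted
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def serves_time(rules, client):
    """True if the client can at least fetch time (no ignore/noserve)."""
    flags = flags_for(rules, client)
    return flags is None or not flags & {"ignore", "noserve"}
```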
PAQed with points refunded (350)

GranMod
Community Support Moderator