Solved

Set up NTP server for standalone, non-Internet-attached network using Debian as NTP server

Posted on 2009-07-02
Last Modified: 2013-12-06
I have a small standalone network that I need to synchronize time on.  I have a Debian box that I would like to use as the time server.  The clients are Windows XP.  I've tried following the instructions at http://www.debianadmin.com/ntp-server-and-client-configuration-in-debian.html, but I can't seem to get it working.  I get an error on the Windows boxes stating that "the peer's stratum is less that the hosts".

My ntp.conf file is

server 192.168.2.20 (local IP address of debian box)
fudge 192.168.2.20 stratum 5 (I've tried everything from 0 to 16 here)
restrict 192.168.2.20 (I've also tried the IP address of one of the XP machines here)

Question by:psueoc

Author Comment

by:psueoc
NOTE: the link in my original post refers to installing ntp-server via the apt-get command.

When I run "apt-get install ntp-server" it says that the package no longer exists.

Expert Comment

by:Kerem ERSOY
Hi,

You can use ntpq to query your stratum. If you don't get time through an atomic clock or from a lesser stratum clock, your stratum will be 10 or higher. This is why your hosts reject the time.

ntpq
> cl

Will display your current status.

Expert Comment

by:Kerem ERSOY
Since ntpd is already installed you can only update it.

Author Comment

by:psueoc
I understand that, but is there a way to FORCE a lower stratum number so my clients will accept its time?
Like I said, this system will never be on the internet, and will never get a chance to sync with an actual atomic clock.

Expert Comment

by:Daniel McAllister
Try entering the following 2 lines into your ntpd.conf file:

server 127.127.1.0
fudge 127.127.1.0 stratum 10

This tells the server to "trust" itself and set its stratum value to 10...

If you want to, you can lower the value even further.

Best of luck!

Dan
IT4SOHO

Author Comment

by:psueoc
will try monday

Expert Comment

by:Kerem ERSOY
Though you can reduce the fudge stratum, it will be a problem if your computer has some way of connecting to any NTP server over the internet. The stratum value for the fudge should not be less than 4!

Expert Comment

by:Daniel McAllister
Running an NTP server that cannot connect to the outside world isn't exactly a "best practices" -- but given that it will be limited to the LAN environment, it would be VALID (although again, NOT best practice!) to set the year to 1980 and give yourself a "stratum" of 1!

Among other things, the above would definitely prevent any SSL connections to the outside world! :-)

Good luck, and let us know how it turns out!

Dan
IT4SOHO

Author Comment

by:psueoc
no go.

NOTE: these are the ONLY 2 lines in my NTP.CONF file, I don't have an ntpd.conf file

server 127.127.1.0
fudge 127.127.1.0 stratum 10



Expert Comment

by:Daniel McAllister
Sorry for the delay in replying... I've had a VERY busy week!

The location of your "real" ntp configuration file may have to be found through examination...

First, cd to the startup script folder (cd /etc/init.d) [the example is for a RedHat "family" distribution]

Next, look at the startup script for your NTP service (more ntpd)

In "my" startup script, there are 2 variables set near the top:
  ntpconf=/etc/ntp.conf
  ntpstep=/etc/ntp/step-tickers

If this is not the case for you, then the config file should be defined in the "start" section of the script...
As it turns out, the "default" NTP config file is indeed /etc/ntp.conf (not ntpd.conf)....

OK... the last thing I'll say here is this ... most Debian systems install with a firewall in place (iptables)... If this is to be an NTP server for your LAN, you'll need to open the NTP port (UDP 123) to LAN traffic.

Oh... and one more question -- Windows clients inherently use the "Windows Time Service" instead of the "Network Time Service" -- this can be enabled in your Samba.
  Time Server = yes
goes into your smb.conf file...

Good luck!

Dan
IT4SOHO

Author Comment

by:psueoc
how do i ensure udp 123 is open on the firewall?

Expert Comment

by:Kerem ERSOY
> how do i ensure udp 123 is open on the firewall?

issue

iptables -L -n

and see if you have

udp 123

is among the allowed ports list. If not, edit your /etc/firewall-rules and add this line in there:

iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT

Expert Comment

by:Kerem ERSOY
To check if ntp is running on your server issue this command:

netstat -anpu |grep :123

It should output something similar to this if it is running:

udp        0      0 10.0.0.1:123                0.0.0.0:*                               3542/ntpd          
udp        0      0 127.0.0.1:123               0.0.0.0:*                               3542/ntpd          
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               3542/ntpd          
udp        0      0 :::123                      :::*                                    3542/ntpd          

Expert Comment

by:Daniel McAllister
The latter above actually checks to see if you are running the NTP service, while the one immediately prior checks your firewall rules to see if NTP is being allowed.

The only TRUE way to see if NTP is available is to specifically test from another system (one of your clients). (Maybe a full port scan of your Linux system wouldn't be a bad idea! Look up nmap in a Google window for win or lin implementations.)

Dan
IT4SOHO
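
A client-side test of the kind described above, as an added example that is not part of the original thread: it sends one NTP client request and decodes the reply fields a client uses to judge a server (leap indicator, stratum, reference ID). The function names and the two sample replies are constructed for illustration.

```python
import socket
import struct
import sys

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client), rest zero."""
    return bytes([(version << 3) | 3]) + bytes(47)


def parse_reply(data):
    """Decode the header fields that tell a client whether the server is usable."""
    if len(data) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    first, stratum = data[0], data[1]
    refid = data[12:16]
    tx_seconds = struct.unpack("!I", data[40:44])[0]  # transmit timestamp, seconds
    if stratum <= 1:
        ref = refid.rstrip(b"\0").decode("ascii", "replace")  # e.g. LOCL, INIT
    else:
        ref = socket.inet_ntoa(refid)  # IPv4 address of the server's own source
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "refid": ref, "transmit": tx_seconds}


def verdict(reply):
    """Explain whether a client should accept time from this reply."""
    if reply["mode"] != 4:
        return "reject: not a server-mode reply (mode %d)" % reply["mode"]
    if reply["leap"] == 3:
        return "reject: leap indicator 3, the server reports an unsynchronized clock"
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        return "reject: stratum %d is not a usable stratum" % reply["stratum"]
    if reply["transmit"] == 0:
        return "reject: empty transmit timestamp"
    return "ok: stratum %d, refid %s" % (reply["stratum"], reply["refid"])


def query(host, port=123, timeout=3.0):
    """Send one request over UDP; socket.timeout means nothing answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)


def make_sample(leap, stratum, refid, tx_seconds):
    """Build a constructed server reply (version 3, mode 4) for offline use."""
    first = (leap << 6) | (3 << 3) | 4
    header = struct.pack("!BBbbiI4s", first, stratum, 6, -20, 0, 0, refid)
    return header + struct.pack("!8I", 0, 0, 0, 0, 0, 0, tx_seconds, 0)


# Constructed samples: a synchronized server and one that has no time source yet.
SYNCED = make_sample(0, 11, bytes([127, 127, 1, 0]), 3457900000)
UNSYNCED = make_sample(3, 0, b"INIT", 3457900000)

if __name__ == "__main__":
    for name, packet in (("synced sample", SYNCED), ("unsynced sample", UNSYNCED)):
        print(name, "->", verdict(parse_reply(packet)))
    if len(sys.argv) > 1:  # optional live check: python ntp_probe.py <server-ip>
        try:
            print(sys.argv[1], "->", verdict(query(sys.argv[1])))
        except socket.timeout:
            print(sys.argv[1], "-> no reply on UDP 123 (daemon down or traffic blocked)")
```

A reply that comes back but is rejected points at the daemon's synchronization state rather than at the firewall or the network path.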

Author Comment

by:psueoc

Here is my portscan output.


Starting Nmap 4.68 ( http://nmap.org ) at 2009-07-29 11:13 Eastern Daylight Time
Interesting ports on 10.232.3.102:
Not shown: 1706 closed ports
PORT    STATE SERVICE
9/tcp   open  discard
13/tcp  open  daytime
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
37/tcp  open  time
80/tcp  open  http
111/tcp open  rpcbind
990/tcp open  ftps
MAC Address: 00:D0:69:41:D4:C9 (Technologic Systems)

Nmap done: 1 IP address (1 host up) scanned in 1.344 seconds

Author Comment

by:psueoc
10.232.3.102 is the IP address of the box I'm trying to setup as an NTP server, I scanned from another system on the same network.

Author Comment

by:psueoc
should UDP 123 be open?

Expert Comment

by:Daniel McAllister
In short, yes you need to open port 123 (the NTP port) to local traffic.

Were it my system, I'd also stop the FTP, Telnet, and RPC functions (these all use "cleartext" authentication). I cannot imagine what is opening the daytime port (13) and time port (37), as they shouldn't be there anymore -- all but deprecated. Also, I'd close the discard port as it has no real useful use in a working network.

Finally, if HTTP is open, HTTPS should also be open...

If you follow my suggestions, you should find ONLY the following open ports (you may choose to open more later):

  22/tcp  - SSH
  80/tcp  - HTTP
123/udp - NTP        <= Add this
443/tcp  - HTTPS    <= and this
990/tcp  - FTPS

Now, to open or close the ports you'll need to adjust your firewall (assuming you're running one).... if you're NOT running a firewall, then you'll need to find out why your ntp server isn't running (if it was, you'd be listening on port 123!).

I would also think it wise to look into what processes are on those unwanted ports (daytime, time, & discard). You can do that with the lsof command:
   lsof -i | grep discard
will show you the process(es) that are listening on port 9 (discard).

The telnet & ftp ports are probably opened by your xinetd facility... go find the files "telnet" and "ftp" in your /etc/xinetd.d folder and change the line that says "disable = no" to "disable = yes" in each; then restart xinetd (service xinetd restart)... it is likely you don't really need xinetd running, but it harms nothing to leave xinetd running for now.

Whew... that's a few steps for now! Get that done & report back... I'd personally like to know what process was listening to the discard port! :-)

When done, a "fresh" output of an nmap scan would be useful, but then would a complete listing of the output of "lsof -i"

Good luck!

Dan
IT4SOHO

Author Comment

by:psueoc
keep in mind, this system will never see the internet.  

As far as I know (I kinda got dumped on this project), this box is going to be used for TIMING various different data acquisition systems over ethernet.  That's the reason I'm trying to make it an NTP server.   "Correct" time is not as critical as "synced" time.

Accepted Solution

by:Daniel McAllister
Daniel McAllister earned 250 total points
OK... so you don't care about telnet, ftp, or the other services running... the fact remains that there is nothing on port 123 (the NTP port!)

That is either because you have a firewall in place and it's blocking it, or because the NTP daemon isn't starting properly.

if you do a "ps -aefww | grep -i ntp" is there anything BUT the grep line that shows??

Dan
IT4SOHO

Author Comment

by:psueoc
how can i tell whether or not I have a firewall installed.  FYI, this is all command line based, no GUI.  In fact I can hold this box in the palm of my hand, doesn't even have a hard drive, boots from an SD card.  you have to console or telnet or ssh to it.

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 250 total points
Hi,

Your remote NMAP shows your open ports are:
PORT    STATE SERVICE
9/tcp   open  discard
13/tcp  open  daytime
21/tcp  open  ftp
22/tcp  open  ssh
23/tcp  open  telnet
37/tcp  open  time
80/tcp  open  http
111/tcp open  rpcbind
990/tcp open  ftps
MAC Address: 00:D0:69:41:D4:C9 (Technologic Systems)

But it seems that you've scanned only TCP ports. And since there are so many open ports I assume you have no firewall.

Please run nmap with the -sU switch. It is to scan UDP ports. Your NTP should be listening to UDP:123.

You can also check firewall with:

iptables -L -n

if the command displays something like that:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

Or complains that it cannot find iptables, then it means that you're not using a firewall. BTW it is always a good idea to use one :)

If it displays something like:
 iptables -L -n        
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5900:5999
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Then just check for this line:

ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123

If not edit /etc/iptables to add the rule.

Cheers,
K.

Expert Comment

by:Kerem ERSOY
You can check if the ntp process is running or not using this command:

netstat -anptu | grep :123

if not start it using

/etc/init.d/ntp start

If it still does not run, check /var/log/messages to see why it quits. If it aborts it will print some nag lines in the log.


Cheers,
K.

Author Comment

by:psueoc
My nmap command was "nmap -P0 10.232.3.102", so I think that scans TCP and UDP.

I got an error when I attempted that iptables command, so I must not be running one.

Author Comment

by:psueoc
I can see the NTPD daemon starting during boot.  But I'll have to verify whether or not it is just getting an error and stopping.

Expert Comment

by:Kerem ERSOY
what does your

netstat -anA inet

show? Are you really not running any process that listens to UDP ports?

 
Expert Comment

by:Kerem ERSOY
nmap -P0 means that nmap always assumes the system is up, skipping host discovery, and nmap scans only TCP ports if it is not instructed otherwise!

Author Comment

by:psueoc
will it still be possible to have windows xp clients sync to this NTP server without having samba installed?

Expert Comment

by:Kerem ERSOY
Yeah. Definitely.

In fact what they do through samba is windows time synching not NTP. NTP is a different protocol and won't require samba.

Author Comment

by:psueoc
is windows capable of NTP without modification?   like in windows XP, when I double-click the clock in the bottom right, then click the "internet time" tab.  Can I just put the IP address of my debian box in there when it's all said and done?

Expert Comment

by:Kerem ERSOY
Yeah they do. Date and Time Properties >> Internet Time. Then enter your NTP server's IP and click set. But to use NTP synchronization XP PCs must not be a member of a Windows Domain. If they are, the internet time sync menu is not accessible.

Author Comment

by:psueoc
right, i noticed that machines joined to a domain no longer have that option.

Author Comment

by:psueoc

netstat -anpu |grep :123

udp        0      0 127.0.0.1:123           0.0.0.0:*                          1324/ntpd          
udp        0      0 10.232.3.102:123        0.0.0.0:*                          1324/ntpd          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          1324/ntpd          





ps -aefww | grep -i ntp

ntp       1324     1  0  1943 ?        00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 105:105 -g
root      1366  1336  0  1943 ttyS0    00:00:00 grep ntp




netstat -anA inet

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:1002            0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN    
udp        0      0 0.0.0.0:9               0.0.0.0:*                          
udp        0      0 0.0.0.0:69              0.0.0.0:*                          
udp        0      0 0.0.0.0:996             0.0.0.0:*                          
udp        0      0 0.0.0.0:999             0.0.0.0:*                          
udp        0      0 0.0.0.0:111             0.0.0.0:*                          
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp        0      0 10.232.3.102:123        0.0.0.0:*                          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          


NMAP is currently scanning with the -sU switch, will post results when complete




Author Comment

by:psueoc
i don't have a /var/log/messages

Author Comment

by:psueoc
see windows xp screenshot
time.jpg

Author Comment

by:psueoc
ntp.conf file


# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
server 127.0.0.1       
fudge 127.0.0.1 stratum 4
 

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst dynamic
#server 1.debian.pool.ntp.org iburst dynamic
#server 2.debian.pool.ntp.org iburst dynamic
#server 3.debian.pool.ntp.org iburst dynamic


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1  
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 10.232.3.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
disable auth
broadcastclient

Author Comment

by:psueoc
nmap -T Aggressive -v -n -sU 10.232.3.102


Starting Nmap 4.68 ( http://nmap.org ) at 2009-07-30 15:13 Eastern Daylight Time
Initiating ARP Ping Scan at 15:13
Scanning 10.232.3.102 [1 port]
Completed ARP Ping Scan at 15:13, 0.38s elapsed (1 total hosts)
Initiating UDP Scan at 15:13
Scanning 10.232.3.102 [1488 ports]
Increasing send delay for 10.232.3.102 from 0 to 50 due to max_successful_tryno increase to 5
Increasing send delay for 10.232.3.102 from 50 to 100 due to 11 out of 12 dropped probes since last increase.
UDP Scan Timing: About 3.92% done; ETC: 15:26 (0:12:16 remaining)
Increasing send delay for 10.232.3.102 from 100 to 200 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 200 to 400 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 10.232.3.102 from 800 to 1000 due to 11 out of 27 dropped probes since last increase.
UDP Scan Timing: About 48.76% done; ETC: 15:39 (0:13:26 remaining)
UDP Scan Timing: About 97.68% done; ETC: 15:40 (0:00:37 remaining)
Completed UDP Scan at 15:40, 1649.69s elapsed (1488 total ports)
Host 10.232.3.102 appears to be up ... good.
All 1488 scanned ports on 10.232.3.102 are closed (1456) or open|filtered (32)
MAC Address: 00:D0:69:41:D4:C9 (Technologic Systems)

Read data files from: C:\Program Files\Nmap
Nmap done: 1 IP address (1 host up) scanned in 1650.375 seconds
           Raw packets sent: 1923 (53.858KB) | Rcvd: 1677 (93.994KB)

Author Comment

by:psueoc
iptables -L -n

iptables v1.2.11: can't initialize iptables table 'filter' : iptables who?": (do you need to insmod?)
Perhaps iptables or your kernel  needs to be upgraded


uname -a
linux ts7800 2.6.21-ts #1 PREEMPT Tue Apr 15 11:05:50 MST 2008 armv5tejl GNU/Linux

Author Comment

by:psueoc
did apt-get install iptables

and now it says

iptables v1.4.2: can't initialize iptables table 'filter' : iptables who?": (do you need to insmod?)
Perhaps iptables or your kernel  needs to be upgraded

same error different version :)

Expert Comment

by:Kerem ERSOY
Yeah, but where do you log your daemons? Will you please post your /etc/syslog.conf too?

Expert Comment

by:Kerem ERSOY
BTW your UDP scan cannot find your ntp daemon.   I've noticed you've set the user to "-u105:105" with the ntp daemon. Are these really valid numbers? Will you check /etc/passwd and /etc/group to see if ntp uses 105 for both id and gid?

Author Comment

by:psueoc
see attachments.

I can enable logging to help diagnose this problem if you think it will help.

group.txt
passwd.txt
syslog.txt

Author Comment

by:psueoc
-u105:105


?????    I didn't do anything...

Expert Comment

by:Kerem ERSOY
> -u105:105
>
>
> ?????    I didn't do anything...


Please check here: http://www.experts-exchange.com/OS/Linux/Q_24540637.html?cid=1066#a24983449

> ps -aefww | grep -i ntp
>
> ntp       1324     1  0  1943 ?        00:00:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -u 105:105 -g
> root      1366  1336  0  1943 ttyS0    00:00:00 grep ntp

Author Comment

by:psueoc
but i didn't set that "105" part.

Expert Comment

by:Daniel McAllister
the -u 105 part is setting the username and groupname of the process to 105 -- probably ntp or ntpd in /etc/passwd and /etc/group... this is so that the ntp daemon runs without root permission so that, should someone find a way to hack into the ntp daemon, all they get are the permissions of that user (minimal, to say the least).

The ntp user & group are properly set & there is nothing wrong with that part...

Dan
IT4SOHO

Author Comment

by:psueoc
any more ideas guys?  Why would port 123 not be open? why do i get errors when I try to issue iptables commands?

Expert Comment

by:Kerem ERSOY
Hi,

As it could be seen from passwd and group files 105 belongs to the 105 user.

And your syslog conf says:

# Don't log anything by default to reduce wear on compact flash
# To enable logging, "cp /etc/syslog.conf-debian /etc/syslog.conf"

This is why you don't have any logs. Please do as it says and populate your syslog, then restart it.

Your iptables prints an error and quits because iptables is not properly installed. It means that it does not work or block anything from your computer.

This note shows that ntp is bound to the 123 port and listening
http://www.experts-exchange.com/OS/Linux/Q_24540637.html?cid=1066#a24983449

Your config seems ok too:
http://www.experts-exchange.com/OS/Linux/Q_24540637.html?cid=1066#a24983639

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1  
restrict ::1

> # Clients from this (example!) subnet have unlimited access, but only if
> # cryptographically authenticated.
> restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
>
>
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> broadcast 10.232.3.255

I guess you've made sure that all your clients are located in this segment 10.232.0.0/255.255.252.0 and all clients agree on the subnet/mask/broadcast and Default Gateway addresses and this is not a routing issue. Can you ping the ntp system? Or run traceroute to it to double check?

But this note shows that there's something blocking your comms between your ntp server and your client.

http://www.experts-exchange.com/OS/Linux/Q_24540637.html?cid=1066#a24983672

Please check any L3 switch, firewall etc. against the blocking of NTP traffic between clients and your servers. Also please make sure that you can ping and traceroute to your Debian ntp host.

Cheers,
K.



Expert Comment

by:Kerem ERSOY
> As it could be seen from passwd and group files 105 belongs to the 105 user.

I mean ntp user.

Author Comment

by:psueoc
test client: 10.232.3.101/22
ntp server: 10.232.3.102/22

ping and tracert work fine.

both connected to a little 5 port mini hub at the moment

Author Comment

by:psueoc
interesting info from /var/log/daemon.log

although the date and time are incorrect.  They do match the current system time.

see attached.

daemon.log

Author Comment

by:psueoc
i got it working!!!!

http://doc.ntp.org/4.2.2/manyopt.html

orphan mode was the key, as well as uninstalling ntpdate.

thank you for all your help.
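
The three configurations discussed in this thread, run through a small ntp.conf audit for an isolated LAN; this is an added example, not code from the thread or from the NTP project. The thread does not show the final working file, so the orphan-mode sample (`tos orphan 5`) and the finding names are assumptions made for illustration.

```python
import ipaddress

# ntpd addresses reference-clock drivers as 127.127.t.u; 127.127.1.0 is the local clock.
REFCLOCK_NET = ipaddress.ip_network("127.127.0.0/16")


def _ip(token):
    """Return an ip_address for a literal address, or None for anything else."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def audit_ntp_conf(text):
    """Return (line_no, code, message) findings; line 0 means the whole file."""
    findings, has_source = [], False
    auth_off = bcast_client = None
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        kw, args = words[0], words[1:]
        ip = _ip(args[0]) if args else None
        is_refclock = ip is not None and ip in REFCLOCK_NET
        if kw in ("server", "peer") and args:
            if ip is not None and ip.is_loopback and not is_refclock:
                findings.append((no, "loopback-server",
                                 "%s is the loopback interface, not the local clock "
                                 "driver 127.127.1.0" % args[0]))
            else:
                has_source = True
        elif kw == "fudge" and args and not is_refclock:
            findings.append((no, "fudge-non-refclock",
                             "fudge applies to clock drivers (127.127.t.u), not %s" % args[0]))
        elif kw == "tos" and "orphan" in args:
            has_source = True  # orphan mode: serve time with no upstream source
        elif kw == "disable" and "auth" in args:
            auth_off = no
        elif kw == "broadcastclient":
            bcast_client = no
    if auth_off and bcast_client:
        findings.append((bcast_client, "unauth-broadcast",
                         "broadcastclient with 'disable auth' accepts time from "
                         "any host that broadcasts on the subnet"))
    if not has_source:
        findings.append((0, "no-time-source",
                         "no clock driver, upstream server or orphan mode; the "
                         "daemon has nothing to synchronize to"))
    return findings


# Effective lines of the ntp.conf posted in the thread (comments removed).
POSTED = """\
server 127.0.0.1
fudge 127.0.0.1 stratum 4
restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
broadcast 10.232.3.255
disable auth
broadcastclient
"""

# The local-clock form suggested earlier in the thread.
LOCAL_CLOCK = "server 127.127.1.0\nfudge 127.127.1.0 stratum 10\n"

# Constructed orphan-mode sample; the stratum value 5 is an assumption.
ORPHAN = """\
tos orphan 5
restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict 10.232.0.0 mask 255.255.252.0 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("local clock", LOCAL_CLOCK), ("orphan", ORPHAN)):
        print(name, audit_ntp_conf(conf) or "no findings")
```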