Solved

ntpd on CentOS 5 not working - maybe authentication?

Posted on 2011-03-01
Last Modified: 2012-06-17
I am trying to get ntpd working on my CentOS 5 server.  The service starts just fine and seems to be able to retrieve time from servers, but there is a problem somewhere with the synchronization...

The ntpd rpm is showing:  ntp-4.2.2pl-9.el5.centos.2.1

When I run the command: ntpq -c peer -c as -c rl
My list of servers looks ok but the associations list shows the condition of every server as 'reject'

If I run the pstatus command on any of them, I get the value flash=400 on all of them, which the docs seem to indicate is some problem with the authentication.

When I run the ntptime command it complains about ntp_gettime and ntp_adjtime both returning code 5 errors.

I can't seem to find the magic combination of values to search on to come up with an answer for this one.  And nothing I do seems to make it work.  When I was using just the default pool servers the time wasn't even staying in sync; with a few other public servers added, it at least keeps the time in sync but the ntpd server isn't happy.

Does anyone have a working configuration or the information on how to get this working?
Question by:Volox
10 Comments
 
LVL 3

Expert Comment

by:g8kbv
Hi.

If it can't use any servers, then your system time will indeed not be sync'd with anything.

What does ntpq -p show you?   In particular the "Reach" values.   My guess is they are stuck at zero.
(Also shown at the top of the  "ntpq -c peer -c as -c rl"  output)

Ideally, you should use time servers close to you (in network terms.)   Your ISP or network provider should have some time servers, if not try the ntp pool project servers.  

http://www.pool.ntp.org/en/

You should select at least 3 external servers, 4 would be better.

http://www.pool.ntp.org/en/use.html   shows how.

Remember to use the ones in your own country/territory, or as nearby (in network terms) as you can find.  Sadly, forget mobile internet or satellite links, the latency is just too long and variable for NTP to work well, but in that case, you can setup your own GPS disciplined NTP server if needed.

Regards

DaveB
0
 
LVL 8

Author Comment

by:Volox

The reach values are rotating over time (not stuck at zero).

I am using several external servers.  I have 3 pool servers and 4 or 5 other open ones from the list.  I tried to find ones that were geographically close, but kind of ended up with a number of different ones from across the US.

I'm on a wired cablemodem broadband connection with plenty of speed so I shouldn't be having issues with latency problems.

That is what is really frustrating me about this issue, the reach values rotate and it appears I'm getting time information down, so I just don't understand why I have the 'reject' with flash=400 across every server.
0
 
LVL 8

Author Comment

by:Volox
Grabbed a snapshot of the statuses...

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 47075  90f4   yes   yes  none    reject   reachable 15
  2 47076  90f4   yes   yes  none    reject   reachable 15
  3 47077  90f4   yes   yes  none    reject   reachable 15
  4 47078  90f4   yes   yes  none    reject   reachable 15
  5 47079  90f4   yes   yes  none    reject   reachable 15
  6 47080  90f4   yes   yes  none    reject   reachable 15
  7 47081  90f4   yes   yes  none    reject   reachable 15
  8 47082  90f4   yes   yes  none    reject   reachable 15
  9 47083  90f4   yes   yes  none    reject   reachable 15
assID=0 status=c0f5 sync_alarm, sync_unspec, 15 events, event_clock_reset,
version="ntpd 4.2.2p1@1.1570-o Sat Dec 19 00:58:16 UTC 2009 (1)",
processor="i686", system="Linux/2.6.18-194.32.1.el5", leap=11,
stratum=16, precision=-7, rootdelay=0.000, rootdispersion=61.635,
peer=0, refid=STEP,
reftime=00000000.00000000  Wed, Feb  6 2036 22:28:16.000, poll=4,
clock=d119ca2d.a142a687  Thu, Mar  3 2011  0:05:01.629, state=4,
offset=0.000, frequency=8.747, jitter=418.975, noise=7.812,
stability=0.000, tai=0
0
 
LVL 3

Assisted Solution

by:g8kbv
g8kbv earned 200 total points
Stratum=16  ???   If that's true, it's a very long way down the usability status.

The "Reach" value should start at 0, then 1, 3, 7 ...  to 377 when everything is happy.  (Octal format numbers!)   AFAIK most NTP servers don't need any authentication.

Don't be fooled into assuming a cable internet service is fast and predictable.   Try ping'ing the time servers and see what the round trip times are, if that varies, choose another server.   (Try pinging regular domain names too, see if those round trip times are flakey.   If so, your 'net service could be a bit odd.)    You could also substitute the IP address, for the server names in the NTP config, though that sort of messes with the ntp pool functioning, but it would remove any DNS issues.

Does your ISP have an NTP server (or two) you can use?   You may have to call them, or at least look on their status pages to see if they have.   Sadly, many ISP helpdesks are populated with muppets who wouldn't know an NTP server even if it fell on them.

If you have newsgroup access, you might want to get onto:-
comp.protocols.time.ntp  and ask there.  That's where the real NTP experts hide.

I'm off again for a few days, not back till Tuesday, hence the suggestion to look at the newsgroup above, noting no one else responded to you.

Best Regards.

DaveB
0
 
LVL 8

Author Comment

by:Volox
So after letting the server sit for a few days it seems to be keeping the clock in sync the way it ought to but still is reporting errors.  Here is what the ntp looks like...

ntpq -c peer -c as -c rl
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 packman-ha.isc. 131.107.13.100   2 u   39   64  377   22.334  117999. 13390.3
 ip-173-201-38-8 198.153.152.52   2 u   45   64  377   19.708  116873. 12898.4
 time.nist.gov   .ACTS.           1 u   26   64  377   40.663  107502. 7926.08
 mailserv1.phoen .LCL.            1 u  181 1024    1   29.892  113197.   7.812
 louie.udel.edu  128.4.1.1        2 u   39   64  377   69.109  106574. 8453.43
 ns.unc.edu      204.34.198.40    2 u   62   64  377  118.644  115810. 12198.1
 ntp-3.cns.vt.ed 198.82.247.164   2 u   47   64  377   87.920  111419. 9217.98
 ntp-2.cns.vt.ed 198.82.247.164   2 u   40   64  377   66.546  104742. 9054.28
 clock.isc.org   .GPS.            1 u   58   64  367   12.086  116027. 14631.7

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 47075  90f4   yes   yes  none    reject   reachable 15
  2 47076  90f4   yes   yes  none    reject   reachable 15
  3 47077  90f4   yes   yes  none    reject   reachable 15
  4 47078  90f4   yes   yes  none    reject   reachable 15
  5 47079  90f4   yes   yes  none    reject   reachable 15
  6 47080  90f4   yes   yes  none    reject   reachable 15
  7 47081  90f4   yes   yes  none    reject   reachable 15
  8 47082  90f4   yes   yes  none    reject   reachable 15
  9 47083  90f4   yes   yes  none    reject   reachable 15
assID=0 status=c0f5 sync_alarm, sync_unspec, 15 events, event_clock_reset,
version="ntpd 4.2.2p1@1.1570-o Sat Dec 19 00:58:16 UTC 2009 (1)",
processor="i686", system="Linux/2.6.18-194.32.1.el5", leap=11,
stratum=16, precision=-7, rootdelay=0.000, rootdispersion=78.525,
peer=0, refid=STEP,
reftime=00000000.00000000  Wed, Feb  6 2036 22:28:16.000, poll=4,
clock=d11d51b0.e89f86b3  Sat, Mar  5 2011 16:20:00.908, state=4,
offset=0.000, frequency=8.747, jitter=878.651, noise=7.812,
stability=0.000, tai=0


As you suggested I performed some pings out to various places.  The big names (yahoo, google) have very low (10 ms or less) times and ttl around 55.  Some of the servers I've got configured are around 20 ms with ttl around 55 while some of them are around 100 ms and ttl around 200s.  None of that seems too extreme to be able to get a decent result - after all, this stuff used to work over dialup speed connections.  And as I understand it, ntpd ought to figure out the best servers and select one even if I do have one or two that are less than optimal, right?

I'm still trying to find out if my ISP has servers I can use, but as was said, it's kind of hard to get people that actually know what I'm even asking for.

If anyone can help me get to the bottom of this I would greatly appreciate it.
0
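Added example, not part of the thread: a Python sketch that parses the `ntpq -p` billboard posted above, expands the octal reach register into its eight poll results, and compares each offset with ntpd's default step (128 ms) and panic (1000 s) thresholds. The three sample rows are copied from the post; the function names and the jitter check are illustrative assumptions.

```python
# Three rows copied from the ntpq -p output in the post above. ntpq truncates
# wide offsets to fit the column, hence the trailing dot.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.nist.gov   .ACTS.           1 u   26   64  377   40.663  107502. 7926.08
 mailserv1.phoen .LCL.            1 u  181 1024    1   29.892  113197.   7.812
 clock.isc.org   .GPS.            1 u   58   64  367   12.086  116027. 14631.7
"""
STEP_MS = 128.0         # ntpd default step threshold (0.128 s)
PANIC_MS = 1_000_000.0  # ntpd default panic threshold (1000 s)

def decode_reach(octal_text):
    """Expand the octal reach register into 8 poll results, oldest first."""
    reg = int(octal_text, 8) & 0xFF
    return [bool(reg >> bit & 1) for bit in range(7, -1, -1)]

def parse_peers(text):
    """Parse peer rows of an ntpq -p billboard; offset and jitter are in ms."""
    peers, in_body = [], False
    for line in text.splitlines():
        if line.startswith("="):
            in_body = True
            continue
        fields = line[1:].split()   # column 0 is the tally code (*, +, -, x, ...)
        if not in_body or len(fields) != 10:
            continue
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "reach": decode_reach(fields[6]),
            "offset_ms": float(fields[8]),
            "jitter_ms": float(fields[9]),
        })
    return peers

def assess(peer):
    """Return findings for one peer (hypothetical helper, not an ntp tool)."""
    notes = []
    missed = peer["reach"].count(False)
    if missed:
        notes.append(f"{missed}/8 recent polls unanswered")
    if abs(peer["offset_ms"]) > PANIC_MS:
        notes.append("offset beyond panic threshold")
    elif abs(peer["offset_ms"]) > STEP_MS:
        notes.append("offset beyond step threshold: clock would be stepped, not slewed")
    if peer["jitter_ms"] > STEP_MS:
        notes.append("jitter larger than step threshold (heuristic flag)")
    return notes

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["remote"], "; ".join(assess(p)) or "ok")
```

A low reach value is also normal right after an association starts, because the register begins at 0 and fills one bit per poll, so read the "unanswered" count together with the `when` and `poll` columns.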

 
LVL 3

Expert Comment

by:g8kbv
Hi.
Back after a long time out, with poor wifi access, of little use other than plain un-secure browsing.

The "Big servers" you are pinging are OK to see if your WAN access is working, but they are not time servers.

Though your servers are showing a "Reach" of 377, their offset and jitter are rather extreme to say the least.

You obviously called your ISP and asked about NTP servers, bet they said something along the lines of "we do (or do not) have any news servers".  (NNTP of course.)

They almost certainly will have some time servers (2 or three at least) but may not have advertised them for "public" use.  Try asking on any user forums there are for your ISP.  You're looking for "NTP Time Servers"  Not SNTP.

Do you still have the original setup papers for your ISP account?   That often will have (as well as the usual DNS and Gateway IP's etc) details of mail, news and what you need "Time" server addresses/names.  It's that you need.   Your router if it came from them, may be pre-configured to use one or more for its time keeping.  Try using those addresses in your system as time servers.  (It's unlikely your router will act as one.)

If all else fails, and you have a spare machine lying about (old P3 sub 1G etc) you could try this.....
http://blog.doylenet.net/?p=145

I ended up doing that as my ISP's time servers are wayward to say the least, also the WAN latency is long and variable.  Other than the steep learning curve, it all went exactly as described.  Mind you, I need sub ms stability for what I am doing.

Look also at...
http://www.satsignal.eu/ntp/FreeBSD-GPS-PPS.htm

and
http://time.qnan.org/

There are of course a multitude of ways to get basic time sync from a GPS, not needing the accuracy afforded by using the PPS signal some of them provide.

Perhaps that could be of use to you?   You can then sync other machines to that one.

Lastly, again, the real NTP experts are at
nntp://comp.protocols.time.ntp

There are many "News Reader" programs about.

I'm sure there are other NTP experts here too, that know far more about it, *And* Linux.

Best Regards.

DaveB.
0
 
LVL 8

Author Comment

by:Volox
Yeah I don't need super-accurate time.

I've tried the newsgroup (you may or may not have seen my thread).  There seem to be a fair number of less than friendly people in that forum.  But regardless of that it hasn't led to any good answers yet.

What I have learned is that most people seem to blame the Linux system clock and the root cause of the system clock being off is that the 'machine' is a VM and (as I'm told) a VM doesn't stand a chance of keeping accurate time.  My retort (which wasn't taken well) was that my Windows VMs don't seem to have any issue keeping time.

Regardless of that, there seems to be a disagreement as to whether one can or cannot successfully run ntpd on a VM and have it actually work.  And numerous people keep telling me that the VM should quote 'get' its time from the host and the host should run time sync, but no one seems to want to answer the question of HOW the guest is supposed to 'get' the time from the host?

So to provide the details (which I got flamed on the newsgroups for not providing up front)...  This is a CentOS VM, running on a Windows 2008 server host, within a Windows Virtual Server VM.  I hadn't called this out as being a VM previously because (a) my experience with VMs in the past was that it didn't matter whether it was a guest or a physical machine and (b) the error code that I thought was the clue to the source of the problem didn't look like it had anything to do with timing.  And by the way in case anyone cares, the host computer keeps time just fine; so if I can get the guest to keep in step with the host, I'd be fine with that.

If anyone has suggestions on how I can get the clock on this thing running smoothly, it would be greatly appreciated.
0
 
LVL 3

Expert Comment

by:g8kbv
Ah.  I also hadn't picked up you were running things in a VM.

Yes, I believe that can cause problems, as I am told, the "virtual CPU" doesn't "Run" at a fixed or even known or predictable clock rate, plus the Virtualizing machinery can take whole chunks of real time away from the VM, that it will not ordinarily be aware of.   That I suspect could be causing your problems with the excessive offsets and jitter.  NTPD (among other things) needs a relatively stable CPU clock to work correctly.   Heck it is possible to tell when the heating/air-con kicks in, in a room with a NTP server, by looking at its statistics files, where the CPU frequency drift is logged!   At home, I can tell when the sun comes up and shines through the room window, just by examining the driftfile logs!

At a guess, if you can get the host "Real hardware" system to make its time available via NTP or whatever, then configure the VM's to take their time from that, via the virtual LAN, that might work.  I suspect however, that NTP/NTPD will not be the best tool to use in this situation.

I'm making the rash assumption that other tools are available that would work much better in that situation, but I can't think of what exactly for now.

I have to say, other than what they are, I know next to nothing about running VM's, of any sort on any platform.

I have not (yet) spotted your thread on the NTP newsgroup, there again, I've been zapping about the UK for work, so other than like now (sitting in the office with a coffee playing "catch up") little 'net access to speak of, and what has been available, has been highly restrictive.  (Blocked outgoing ports, other than port 80, and VPN blocking too!)

AFAIK any Linux is more than good enough to run NTP/NTPD, as many people/companies/ISP's etc do just that, but on real hardware systems, not on a VM.   FreeBSD seems to be regarded as the best OS for timekeeping by those who know, but again not when run on a VM.  I do not know anything about CentOS.

I even have an old Windows 2000 system running the Meinberg port of NTPD with PPS/GPS, and that is reliable and amazingly stable too (much to everyone's surprise.)  But again, that is on real hardware (an old P1 1G machine) not on a VM.   I also have a FreeBSD based GPS disciplined NTPD timekeeper on another old P1 700M  machine.   But I'm looking for relatively accurate timekeeping, very much sub ms stability tolerance.   Going to all that trouble, as my ISP couldn't provide the sort of reliability and stability I need from their ADSL service.

If you could somehow configure the VM CentOS runs on, so that its virtual CPU runs to a regular tick, then things may be able to work, but how to do that (if it is at all possible) I haven't a clue, plus it could of course affect the behaviour of other VM's you have running on the same host.

I'll keep monitoring this, as if a solution is available, it'd be good to know about.   I'll also go look at the newsgroup, and see what happened there, for a more complete picture.

Best Regards.

DaveB
0
 
LVL 8

Accepted Solution

by:
Volox earned 0 total points
With a bit of discussion on the newsgroup it has become clear why there is such a problem with ntpd working on a VM.  However no one has come forward with a solution for how to get time on a VM to 'behave' well enough to stay within a minute or two of real time.

If anyone has a solution to that, I would be very interested.

To review the situation:
  CentOS 5.5 guest (32-bit)
running in Windows Virtual Server (32-bit)
on Windows 2008 host

The fact that the host computer is a 32-bit machine and can't run 64-bit is part of the reason that I can't run Hyper-V and therefore cannot run the new VM extensions that MS has made available.  So I need a solution to this that doesn't require 64-bit (because I'm not in the mood to build a new machine).
0
 
LVL 8

Author Closing Comment

by:Volox
Wanted to thank g8kbv for pointing me to the newsgroup even though that ultimately did not prove fruitful; it did at least lead me to a lot of learning.

I hate to say it but my eventual answer ended up being to upgrade my hardware and move to a Windows 2008 R2 64-bit machine so that I could run Hyper-V and install the VM extensions that keep the clock nicely in sync with the host computer.
0
