ntp problems

Hi,

Using Debian Lenny, default install of ntp on several servers.
The only change applied on most servers is to add a line to a nearby startum 2 server.
Somehow is looks as if the ntp server is running ok but clients cannot connect.

Can I assume rdate is a proper ntp client?
And if rdate -p 127.0.0.1 fails that there is a problem?
----------<quote>-------------------------------
linbobo:~# rdate -p 127.0.0.1
rdate: Could not connect socket: Connection refused
----------<quote>-------------------------------

iptables is running full open as this is an internal server.
----------<quote>-------------------------------
linbobo:~# iptables -L -v
Chain INPUT (policy ACCEPT 137K packets, 58M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 370K packets, 115M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 134K packets, 16M bytes)
pkts bytes target prot opt in out source destination
linbobo:~#
----------<quote>-------------------------------

The entire /etc/ntp.conf file (without the comment and blank lines) is:
----------<quote>-------------------------------
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.debian.pool.ntp.org iburst dynamic
server 1.debian.pool.ntp.org iburst dynamic
server 2.debian.pool.ntp.org iburst dynamic
server 3.debian.pool.ntp.org iburst dynamic
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

----------<quote>-------------------------------

The syslog file shows this after a stop/start of the service
----------<quote>-------------------------------
[....]
Apr 19 17:10:59 linbobo ntpd[9084]: ntpd exiting on signal 15
Apr 19 17:11:25 linbobo ntpd[9167]: ntpd 4.2.4p4@1.1520-o Sun Nov 22 17:34:54 UTC 2009 (1)
Apr 19 17:11:25 linbobo ntpd[9168]: precision = 1.000 usec
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #1 wildcard, ::#123 Disabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #2 lo, ::1#123 Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #3 eth0, fe80::21c:c0ff:fe72:997f#123
Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #5 eth0, 192.168.1.10#123 Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #6 eth0, 172.16.17.1#123 Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: Listening on interface #7 tun0, 172.16.1.138#123 Enabled
Apr 19 17:11:25 linbobo ntpd[9168]: kernel time sync status 0040
Apr 19 17:11:25 linbobo ntpd[9168]: frequency initialized -11.117 PPM from /var/lib/ntp/ntp.drift
Apr 19 17:11:32 linbobo ntpd[9168]: synchronized to 85.17.133.31, stratum 2
Apr 19 17:11:32 linbobo ntpd[9168]: kernel time sync status change 0001
Apr 19 17:11:44 linbobo ntpd[9168]: synchronized to 79.141.36.205, stratum 2
Apr 19 17:17:01 linbobo /USR/SBIN/CRON[9198]: (root) CMD ( cd / && run-parts --report
/etc/cron.hourly)
[....]
----------<quote>-------------------------------
As you can see the rdate command leaves no trace in the log.


Now why would a simple rdate command on the local command line fail? the iptables INPUT chain is set
to ACCEPT and the ntp config file has almost no restrictions to the loopback address.

In the end I want to allow client from the local 172.16.0.0/16 network, but that should allready be
allowed by the restict -4 default .... line as far as I can see, right?

Anyone any idea what is going wrong?

Bonno Bloksma

Hi,

>> Can I assume rdate is a proper ntp client?

>No, rdate is an RFC868 time client with no relationship whatsoever to
>ntp. Use 'ntpdate'.

Ok, that explains a lot.

>> And if rdate -p 127.0.0.1 fails that there is a problem?

>It would be surprising if it succeeded since most Linux boxes stopped
>supporting that protocol around the same time they stopped running
>'inetd' by default.

On a HP switch there is the option TimeP or SNTP. Eventhough TimeP is still the default it seems I
then need to use SNTP to talk to a NTP server.

If I have other hardware that only understands RFC868, can I service them as well, is there a
converter available I can install on my Debian Lenny servers?

Bonno Bloksma

On 2010-04-19, Bonno Bloksma <(E-Mail Removed)> wrote:
> Hi,
>
> Using Debian Lenny, default install of ntp on several servers.
> The only change applied on most servers is to add a line to a nearby startum 2 server.
> Somehow is looks as if the ntp server is running ok but clients cannot connect.
>
> Can I assume rdate is a proper ntp client?

No. rdate has absolutely nothing to do with ntp. It is an ancient time
deamon/proceedure.


> And if rdate -p 127.0.0.1 fails that there is a problem?

No, rdate has nothing to do with ntp. It does NOT use the ntp protocol.
YOu could try ntpdate.

Bonno Bloksma <(E-Mail Removed)> wrote:
> On a HP switch there is the option TimeP or SNTP. Eventhough TimeP
> is still the default it seems I then need to use SNTP to talk to a
> NTP server.

Yes. You should use SNTP rather than TimeP

> If I have other hardware that only understands RFC868, can I service
> them as well, is there a converter available I can install on my
> Debian Lenny servers?

You could install/enable xinted - not sure if it has a date/time
built-in service like most inetds or not but that should become
obvious in short order. I wouldn't count on "great" time
synchronization that way though.

rick jones
--
oxymoron n, Hummer H2 with California Save Our Coasts and Oceans plates
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On 2010-04-19, Rick Jones <(E-Mail Removed)> wrote:
> Bonno Bloksma <(E-Mail Removed)> wrote:
>> On a HP switch there is the option TimeP or SNTP. Eventhough TimeP
>> is still the default it seems I then need to use SNTP to talk to a
>> NTP server.
>
> Yes. You should use SNTP rather than TimeP

Or ntpd, or chrony, both of which will discipline your local time to
better than a ms.
sntp is a cutdown implimentation of ntp for use for final leaves in a
tree ( ie it shoulc not be used as a server for anything else). Your
switch may well be something you use to then discipline other clocks on
your network.


>
>> If I have other hardware that only understands RFC868, can I service
>> them as well, is there a converter available I can install on my
>> Debian Lenny servers?
>
> You could install/enable xinted - not sure if it has a date/time
> built-in service like most inetds or not but that should become
??? What has xinetd to do with time? Or inetd?

> obvious in short order. I wouldn't count on "great" time
> synchronization that way though.
>
> rick jones

unruh <(E-Mail Removed)> wrote:
> On 2010-04-19, Rick Jones <(E-Mail Removed)> wrote:
> > Bonno Bloksma <(E-Mail Removed)> wrote:
> >> On a HP switch there is the option TimeP or SNTP. Eventhough
> >> TimeP is still the default it seems I then need to use SNTP to
> >> talk to a NTP server.
> >
> > Yes. You should use SNTP rather than TimeP

> Or ntpd, or chrony, both of which will discipline your local time to
> better than a ms.

Have you ported chrony to HP ProCurve switches?-)

rick jones
--
I don't interest myself in "why". I think more often in terms of
"when", sometimes "where"; always "how much." - Joubert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On 2010-04-19, Rick Jones <(E-Mail Removed)> wrote:
> unruh <(E-Mail Removed)> wrote:
>> On 2010-04-19, Rick Jones <(E-Mail Removed)> wrote:
>> > Bonno Bloksma <(E-Mail Removed)> wrote:
>> >> On a HP switch there is the option TimeP or SNTP. Eventhough
>> >> TimeP is still the default it seems I then need to use SNTP to
>> >> talk to a NTP server.
>> >
>> > Yes. You should use SNTP rather than TimeP
>
>> Or ntpd, or chrony, both of which will discipline your local time to
>> better than a ms.
>
> Have you ported chrony to HP ProCurve switches?-)

What operating system do they run? If it is linux or bsd then it might
well work. If not, then no.

>
> rick jones

On 2010-04-19, David Schwartz <(E-Mail Removed)> wrote:
> On Apr 19, 9:05?am, "Bonno Bloksma" <bblok...@xs4all.nl> wrote:
>
>> If I have other hardware that only understands RFC868, can I service them as well, is there a
>> converter available I can install on my Debian Lenny servers?
>
> I don't specifically know Debian Lenny, but whatever inetd-equivalent
> is supplied on that platform should have that capability. If you have
> xinetd, follow this process:
>
> 1) Make sure no xinetd services are enabled that you don't want
> enabled. Check each file in '/etc/xinetd.d'. (Only needed if xinetd is
> not running already.)
>
> 2) Edit 'time-dgram' and 'time-stream' to enable these services and,
> if desired, restrict them.

IF all you want is time to withing 10s to 100s of ms, then this will
work, sort of ( results in a sawtooth behaviour of your clock). If you
want better accuracy and a clock that runs at the correct rate to PPM,
then use the ntp process to set your clock (ntpd, chrony,...)
The time protocol is an ancient protocol which has been supersceded by
ntp.

>
> 3) If needed, start xinetd and configure it to self-start on reboots.
>
> DS

Hi,

>>> On a HP switch there is the option TimeP or SNTP. Eventhough TimeP
>>> is still the default it seems I then need to use SNTP to talk to a
>>> NTP server.
>>
>> Yes. You should use SNTP rather than TimeP
>
> Or ntpd, or chrony, both of which will discipline your local time to
> better than a ms.
> sntp is a cutdown implimentation of ntp for use for final leaves in a
> tree ( ie it shoulc not be used as a server for anything else). Your
> switch may well be something you use to then discipline other clocks on
> your network.

No, the Linux machines are at the heart of all the site networks and wil be the time reference for
all machines** at that site. I have several network devices that need a somewhat accurate time in
order to have a proper timestamp in the logs. If that means that by using the only available but old
protocol it is even a second of I still would not care. ;-)

I want the Linux machines to be a good time source for my network. Anything that pulls the time
needs only be as good as it needs to be. So if the server itself is using ntp to reference several
servers on the internet and a nearby stratum 2 server it can then use something else to service
devices which use only the older time protocol, if need be.

I would rather not run an entire xined environment just to provide the old time protocol but if that
is what it takes.... If someone knows a better way I'd like to know about it.

Bonno Bloksma


** Except the Windows machines that are part of the Active Directory which will use the AD internal
timesync.

On 2010-04-20, Bonno Bloksma <(E-Mail Removed)> wrote:
> Hi,
>
>>>> On a HP switch there is the option TimeP or SNTP. Eventhough TimeP
>>>> is still the default it seems I then need to use SNTP to talk to a
>>>> NTP server.
>>>
>>> Yes. You should use SNTP rather than TimeP
>>
>> Or ntpd, or chrony, both of which will discipline your local time to
>> better than a ms.
>> sntp is a cutdown implimentation of ntp for use for final leaves in a
>> tree ( ie it shoulc not be used as a server for anything else). Your
>> switch may well be something you use to then discipline other clocks on
>> your network.
>
> No, the Linux machines are at the heart of all the site networks and wil be the time reference for
> all machines** at that site. I have several network devices that need a somewhat accurate time in
> order to have a proper timestamp in the logs. If that means that by using the only available but old
> protocol it is even a second of I still would not care. ;-)
>
> I want the Linux machines to be a good time source for my network. Anything that pulls the time
> needs only be as good as it needs to be. So if the server itself is using ntp to reference several
> servers on the internet and a nearby stratum 2 server it can then use something else to service
> devices which use only the older time protocol, if need be.
>
> I would rather not run an entire xined environment just to provide the old time protocol but if that
> is what it takes.... If someone knows a better way I'd like to know about it.
>
>

I am confused. You have Linux machines on which you want to have
accurate ( say better than 1msec) time, and some network devices which
you want time to say 1 sec. So on the Linux machines you can run ntpd or
chrony with some network sources (eg pool.ntp.org sources). If your
"network devices" only understand the time, not the ntp protocol, you
could always run the time servers. Not sure what you mean by "entire
xinetd environment". You just run one daemon. Or you can run the time
daemon directly. Either way. But since the Linux machine is already
running ntp, use ntp on the "network devices" or use ntpdate from
crontab. It is definitely a second best-- the time becomes a sawtooth,
as the local clock is stepped.

>