[External Email] Re: Question about internal 'private' servers

Dave Hall kdhall at binghamton.edu
Mon Jul 22 17:08:19 UTC 2024


Matt,

Thank you for your quick response.  The config on both of my primaries is:

driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
tos maxclock 11
tos minclock 4 minsane 3
server utcnist2.colorado.edu
server bonehed.lcs.mit.edu
server time.nc7j.com
server tick.uh.edu
restrict default kod nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1


On my secondaries, I have:

driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
tos maxclock 11
tos minclock 4 minsane 3
pool ntp-core.cs.binghamton.edu iburst
server primary1.x.x.x iburst
server primary2.x.x.x iburst
restrict default kod nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1


(In the secondary config, the names shown for the primaries have been
obscured, but primaries and secondaries are all in the same DNS domain and
same network segment.)

Thanks.

-Dave

--
Dave Hall
Binghamton University
kdhall at binghamton.edu
607-760-2328 (Cell)
607-777-4641 (Office)


On Mon, Jul 22, 2024 at 11:38 AM Matt Selsky <Matthew.Selsky at twosigma.com>
wrote:

> On Mon, Jul 22, 2024 at 10:17:21AM -0400, Dave Hall via users wrote:
>
> >    I have until recently had a two-tier NTP configuration running on an
> >    internal subnet with 2 'primary' servers configured to connect to
> >    external stratum 1 services, and 4 secondary servers syncing with the
> >    primaries.  All other systems ('clients') in the subnet are configured
> >    to sync with the 4 secondary servers.  In 'ntpq -c pe' the 2 primary
> >    servers show as stratum 2.
> >    With the upgrade to Debian 12, NTP is replaced by NTPSEC, and this no
> >    longer works:  The 4 secondary servers come up as stratum 16, causing
> >    all of the 'clients' to become unsynced.
> >    In studying the documentation and with many experiments, I have not
> >    found a way to get past this.  Note that I have not configured any SSL
> >    certificates anywhere, the assumption being that my network segment is
> >    isolated enough that I should not need this.  Further, all of my
> >    systems are willing to sync with the 2 'primaries' even though they
> >    are still running the same old ntp.conf.
> >    So how do I get my secondaries to be something other than stratum 16,
> >    and where is this documented?
>
> Hi Dave,
>
> Can you please share your ntp.conf from both your primary and secondaries?
>
> Thanks,
> -Matt
>