Question about internal 'private' servers
James Browning
jamesb192 at jamesb192.com
Mon Jul 22 17:11:45 UTC 2024
On Monday, July 22, 2024 7:17:21 AM PDT Dave Hall via users wrote:
> Hello.
>
> I have until recently had a two-tier NTP configuration running on an
> internal subnet with 2 'primary' servers configured to connect to external
> stratum 1 services, and 4 secondary servers syncing with the primaries.
> All other systems ('clients') in the subnet are configured to sync with the
> 4 secondary servers. In 'ntpq -c pe' the 2 primary servers show as stratum
> 2.
Please try some of the following.
- add annoyingly small values for 'tos minclock' and 'tos minsane' (not 3, 1)
- change peer lines in your config files to server lines
- replace instances of 'broadcast', 'broadcastclient', and 'multicastclient'
- drop 'notrap' and 'nopeer' from restrict lines.
- replace 'unrestrict' lines with empty restrict lines.
- use ntpq instead of ntpdc.
- replace any autokey config with Network Time Security.
- yell at us more to document the changes.
> With the upgrade to Debian 12, NTP is replaced by NTPSEC, and this no
> longer works: The 4 secondary servers come up as stratum 16, causing all
> of the 'clients' to become unsynced.
>
> In studying the documentation and with many experiments, I have not found a
> way to get past this. Note that I have not configured any SSL certificates
> anywhere, the assumption being that my network segment is isolated enough
> that I should not need this. Further, all of my systems are willing to
> sync with the 2 'primaries' even though they are still running the same old
> ntp.conf.
>
> So how do I get my secondaries to be something other than stratum 16, and
> where is this documented?
The documentation always lags behind reality.
-30-
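
A lint pass over an ntp.conf that flags the legacy directives named in the reply above; this is an added example, not part of the original message and not NTPsec project code. The function name, the sample config and its 192.0.2.x addresses are constructed, and the tos check only reports whether minclock and minsane are set at all.

```python
# Added example: flag classic-ntp directives that the reply suggests changing.
ADVICE = {
    "peer": "change to a server line",
    "broadcast": "replace this broadcast/multicast directive",
    "broadcastclient": "replace this broadcast/multicast directive",
    "multicastclient": "replace this broadcast/multicast directive",
    "unrestrict": "replace with an empty restrict line",
    "autokey": "replace autokey with Network Time Security",
}
RESTRICT_FLAGS = {"notrap", "nopeer"}   # flags the reply says to drop

# Constructed sample config (not from the thread).
SAMPLE = """\
# old two-tier secondary
tos minclock 3
peer 192.0.2.10 iburst
server 192.0.2.11 iburst autokey
restrict default kod nomodify notrap nopeer noquery
broadcastclient
unrestrict 192.0.2.0
"""

def lint_ntp_conf(text):
    """Return (line_number, token, advice) tuples; line 0 means 'whole file'."""
    findings, tos_seen = [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split("#", 1)[0].lower().split()   # drop comments
        if not words:
            continue
        directive, options = words[0], words[1:]
        if directive in ADVICE:
            findings.append((number, directive, ADVICE[directive]))
        if directive == "restrict":
            for flag in options:
                if flag in RESTRICT_FLAGS:
                    findings.append((number, flag, "drop from the restrict line"))
        elif directive != "autokey" and "autokey" in options:
            findings.append((number, "autokey", ADVICE["autokey"]))
        elif directive == "tos":
            tos_seen.update(o for o in options if o in ("minclock", "minsane"))
    for name in ("minclock", "minsane"):
        if name not in tos_seen:
            findings.append((0, name, "no 'tos %s' value is set" % name))
    return findings

if __name__ == "__main__":
    for number, token, advice in lint_ntp_conf(SAMPLE):
        print("line %d: %s: %s" % (number, token, advice))
```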