[External Email] Re: Question about internal 'private' servers

Dave Hall kdhall at binghamton.edu
Wed Jan 15 16:33:46 UTC 2025


Hello.  Sorry to bring up an old question from July.  I will restate my
problem:

I have a large number of Linux systems, some of which are on non-routable
10.x.x.x subnets.  Out of consideration for the network at large, I have
been using a couple of these servers to act as 'local master' NTP servers.
These 'local master' NTP servers are the only ones where the ntp.conf
points to external NTP servers.  The ntp.conf files on all other servers
point to these local NTP servers.

Since Debian has switched to NTPSEC, I have been having continuous issues
with drift.  It appears from the output of 'ntpq -c pe' that my internal
ntp clients are seeing my local servers but are never achieving
synchronization - no * on any of my local servers.

I am sorry to say this, but what I could really use right now is a
couple of cookbook ntp.conf examples - one for my local masters and one for
my local clients.  The current Debian package on all systems is ntpsec
1.2.2+dfsg1-1+deb12u1 if that helps.

One other note:  I haven't created any ntpsec keys and I would prefer not
to unless it is necessary.  I understand the need for the 'sec' in the
larger sense, but in the long run I'll need to distribute NTP configuration
via DHCP, so as simple as possible.

Thanks.

-Dave

--
Dave Hall
Binghamton University
kdhall at binghamton.edu



On Mon, Jul 22, 2024 at 1:08 PM Dave Hall <kdhall at binghamton.edu> wrote:

> Matt,
>
> Thank you for your quick response.  The config on both of my primaries is:
>
> driftfile /var/lib/ntpsec/ntp.drift
> leapfile /usr/share/zoneinfo/leap-seconds.list
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> tos maxclock 11
> tos minclock 4 minsane 3
> server utcnist2.colorado.edu
> server bonehed.lcs.mit.edu
> server time.nc7j.com
> server tick.uh.edu
> restrict default kod nomodify nopeer noquery limited
> restrict 127.0.0.1
> restrict ::1
>
>
> On my secondaries, I have:
>
> driftfile /var/lib/ntpsec/ntp.drift
> leapfile /usr/share/zoneinfo/leap-seconds.list
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> tos maxclock 11
> tos minclock 4 minsane 3
> pool ntp-core.cs.binghamton.edu iburst
>
> server primary1.x.x.x iburst
>
> server primary2.x.x.x iburst
>
> restrict default kod nomodify nopeer noquery limited
> restrict 127.0.0.1
> restrict ::1
>
>
> (In the secondary config, the names shown for the primaries have been
> obscured, but primaries and secondaries are all in the same DNS domain and
> same network segment.)
>
> Thanks.
>
> -Dave
>
> --
> Dave Hall
> Binghamton University
> kdhall at binghamton.edu
> 607-760-2328 (Cell)
> 607-777-4641 (Office)
>
>
> On Mon, Jul 22, 2024 at 11:38 AM Matt Selsky <Matthew.Selsky at twosigma.com> wrote:
>
>> On Mon, Jul 22, 2024 at 10:17:21AM -0400, Dave Hall via users wrote:
>>
>> >    I have until recently had a two-tier NTP configuration running on an
>> >    internal subnet with 2 'primary' servers configured to connect to external
>> >    stratum 1 services, and 4 secondary servers syncing with the primaries.
>> >    All other systems ('clients') in the subnet are configured to sync with
>> >    the 4 secondary servers.  In 'ntpq -c pe' the 2 primary servers show as
>> >    stratum 2.
>> >    With the upgrade to Debian 12, NTP is replaced by NTPSEC, and this no
>> >    longer works:  The 4 secondary servers come up as stratum 16, causing all
>> >    of the 'clients' to become unsynced.
>> >    In studying the documentation and with many experiments, I have not found
>> >    a way to get past this.  Note that I have not configured any SSL
>> >    certificates anywhere, the assumption being that my network segment is
>> >    isolated enough that I should not need this.  Further, all of my systems
>> >    are willing to sync with the 2 'primaries' even though they are still
>> >    running the same old ntp.conf.
>> >    So how do I get my secondaries to be something other than stratum
>> >    16, and where is this documented?
>>
>> Hi Dave,
>>
>> Can you please share your ntp.conf from both your primary and secondaries?
>>
>> Thanks,
>> -Matt
>>
>
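Added example, not part of the thread and not NTPsec's own tooling: a small Python check that correlates an 'ntpq -c pe' listing with the 'tos minsane' / 'tos minclock' values in ntp.conf. ntpd's clock selection will not declare synchronization with fewer surviving sources than 'tos minsane' (default 1), so a host whose reachable, non-stratum-16 source count is below that value stays at stratum 16 with no '*' line. The sample listing, the ntp.conf fragment (which mirrors the 'tos minclock 4 minsane 3' line posted above), and the host names and addresses are constructed for the example; whether this is the cause of the thread's problem is an assumption the script only flags, it does not prove it.

```python
"""Correlate an 'ntpq -c pe' listing with tos minsane/minclock from ntp.conf
and report whether the reachable sources can satisfy the sync threshold.

Example code written for this page; sample data below is constructed.
"""
import re

# Constructed 'ntpq -c pe' listing for a secondary that is NOT synchronized:
# no row carries the '*' (system peer) tally code in column 1.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
===============================================================================
 primary1.example.  10.0.0.5          2 u   25   64  377   0.312   -0.041   0.022
 primary2.example.  10.0.0.6          2 u   30   64  377   0.298   -0.037   0.019
 ntp-core.example.  .POOL.           16 p    -   64    0   0.000    0.000   0.000
"""

# Constructed ntp.conf fragment mirroring the 'tos' lines posted in the thread.
SAMPLE_CONF = """\
tos maxclock 11
tos minclock 4 minsane 3
server primary1.example.com iburst
server primary2.example.com iburst
"""


def parse_ntpq(text):
    """Parse peer rows. Column 1 is the tally code ('*' = system peer,
    '+' = candidate, ' ' = discarded or unreached); 'reach' is an octal
    shift register of the last eight polls."""
    peers = []
    for line in text.splitlines()[2:]:      # skip header and ==== rule
        if not line.strip():
            continue
        tally = line[0].strip()
        fields = line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally,
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "type": fields[3],               # 'u' unicast, 'p' pool placeholder
            "reach": int(fields[6], 8),
        })
    return peers


def parse_tos(text):
    """Read tos minsane/minclock; defaults are ntpd's (minsane 1, minclock 3)."""
    tos = {"minsane": 1, "minclock": 3}
    for line in text.splitlines():
        m = re.match(r"\s*tos\s+(.*)", line)
        if not m:
            continue
        toks = m.group(1).split()
        for key, val in zip(toks[::2], toks[1::2]):
            if key in tos:
                tos[key] = int(val)
    return tos


def diagnose(ntpq_text, conf_text):
    """Return sync state plus whether the reachable, non-stratum-16 sources
    can satisfy 'tos minsane'. A shortfall is one concrete reason for a host
    that never leaves stratum 16; other causes are not detected here."""
    peers = parse_ntpq(ntpq_text)
    tos = parse_tos(conf_text)
    usable = [p for p in peers
              if p["reach"] != 0 and p["stratum"] < 16 and p["type"] != "p"]
    synced = any(p["tally"] == "*" for p in peers)
    return {
        "synced": synced,
        "usable_sources": len(usable),
        "minsane": tos["minsane"],
        "minclock": tos["minclock"],
        "below_minsane": len(usable) < tos["minsane"],
    }


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_NTPQ, SAMPLE_CONF).items():
        print(f"{key}: {val}")
```

Run it against live data with 'ntpq -c pe' output and the host's ntp.conf; a report of below_minsane True with synced False means the tos thresholds are higher than the number of sources actually reachable from that host, which is worth checking before adding keys or other changes.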