[External Email] Re: Question about internal 'private' servers
Hans Mayer
ntp.sec at ma.yer.at
Wed Jan 15 18:04:27 UTC 2025
Hi Dave,
I hope I understand correctly. You have some servers which can
successfully synchronize from the internet. But the clients of these
servers are not in sync. And all of them have ntpsec.
I wouldn't say this is related to ntpsec. I have been running ntpsec and ntp
classic in a mixed environment for several years.
Keys are not really necessary.
I assume you enabled logging. What does syslog or the debug log say? Especially
after the start.
The difference between master and client configuration is only the fact
which "server" you define. For the client it's the IP or name of the
master. And the master will probably take some from some pools.
Attached is part of the config from a server with ntpsec, which is
a member of the AT pool for IPv6. Maybe you don't need all of it. And of
course you have to adapt it to your situation.
Let us know if you have success.
Kind regards
Hans
# 2017-04-14 20:13:01 startup configuration file /etc/ntp.conf
#
# https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#saveconfigdir
# removed for ntpsec
# saveconfigdir "/etc"
#
# https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#leapfile
leapfile "/etc/leap-seconds"
#
# https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#driftfile
driftfile "/var/lib/ntp/ntp.drift"
logconfig =allall
#
# http://doc.ntp.org/4.2.4/monopt.html
statsdir "/var/log/ntpstats/"
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
#
#
# https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#tinker
tinker panic 1.4
#
# https://www.eecis.udel.edu/~mills/ntp/html/confopt.html
server 2.ch.pool.ntp.org
server 2.de.pool.ntp.org
# here you may have to define some servers
# for internal servers take them which can reach the internet
#
# http://doc.ntp.org/4.2.8/miscopt.html
# http://lists.ntp.org/pipermail/questions/2010-April/026306.html
mru initmem 1024 incmem 512 maxmem 262144 mindepth 8192 maxage 1024
#
# https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard
# removed for ntpsec
# discard average 5 minimum 1
#
# https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
restrict 0.0.0.0 mask 0.0.0.0 limited notrap nomodify nopeer noquery
restrict :: mask :: limited notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict source nomodify nopeer notrap
# maybe some additional
#
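As an added example (not code from Hans's or Dave's mail), here is a small Python check that parses the text of 'ntpq -p' and reports whether a system peer ('*') was selected, which peers sit at stratum 16 and which are unreachable (reach 0), i.e. the things to look at before digging into syslog. The two peer tables and their hostnames are constructed to mirror the symptom in this thread, not captured from any real host.

```python
"""Parse 'ntpq -p' peer tables and flag why a host may not be synchronising."""
from dataclasses import dataclass

# Tally codes in column 1 of the ntpq peer table (ntp classic and ntpsec alike):
# '*' system peer, 'o' PPS peer, '+' candidate, ' ' rejected, 'x' falseticker.
SYNCED_TALLIES = {"*", "o"}

@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int   # 16 means the peer itself is unsynchronised
    reach: int     # 8-bit shift register, printed in octal by ntpq

def parse_peers(output: str) -> list:
    """Turn the text of 'ntpq -p' into Peer records, skipping the header lines."""
    peers = []
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:       # wrapped/truncated row: skip rather than misparse
            continue
        remote, refid, st, _t, _when, _poll, reach = fields[:7]
        peers.append(Peer(tally, remote, refid, int(st), int(reach, 8)))
    return peers

def diagnose(output: str) -> dict:
    """Summarise the sync state: selected peer, stratum-16 peers, unreachable peers."""
    peers = parse_peers(output)
    sys_peer = next((p.remote for p in peers if p.tally in SYNCED_TALLIES), None)
    return {
        "synced": sys_peer is not None,
        "sys_peer": sys_peer,
        "stratum16": [p.remote for p in peers if p.stratum == 16],
        "unreachable": [p.remote for p in peers if p.reach == 0],
        "candidates": [p.remote for p in peers if p.tally == "+"],
    }

# Constructed sample: a client that reaches both local masters, but they are stratum 16.
CLIENT_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset   jitter
==============================================================================
 primary1.example .INIT.          16 u    -   64  377    0.000    0.000   0.000
 primary2.example .INIT.          16 u    -   64  377    0.000    0.000   0.000
"""
# Constructed sample: a healthy master with a selected system peer and one dead server.
PRIMARY_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset   jitter
==============================================================================
*stratum1.example .NIST.           1 u   37   64  377   45.123   -0.512   0.321
+stratum1b.exampl .PPS.            1 u   50   64  377   12.000    0.100   0.200
 dead.example     192.0.2.1        2 u   10   64    0    0.000    0.000   0.000
"""
```

Run it against the real `ntpq -p` output of a client and a master; a client whose only peers are listed under "stratum16" has nothing it is allowed to sync to, which matches the missing '*' Dave describes.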
On 15.01.25 17:33, Dave Hall via users wrote:
> Hello. Sorry to bring up an old question from July. I will restate
> my problem:
>
> I have a large number of Linux systems, some of which are on
> non-routable 10.x.x.x subnets. Out of consideration for the network
> at large, I have been using a couple of these servers to act as 'local
> master' NTP servers. These 'local master' NTP servers are the only
> ones where the ntp.conf points to external NTP servers. The ntp.conf
> files on all other servers point to these local NTP servers.
>
> Since Debian has switched to NTPSEC, I have been having continuous
> issues with drift. It appears from the output of 'ntpq -c pe' that my
> internal ntp clients are seeing my local servers but are never
> achieving synchronization - no * on any of my local servers.
>
> I am sorry to say this, but what I could really use right now is a
> couple of cookbook ntp.conf examples - one for my local masters and
> one for my local clients. The current Debian package on all systems
> is ntpsec 1.2.2+dfsg1-1+deb12u1 if that helps.
>
> One other note: I haven't created any ntpsec keys and I would prefer
> not to unless it is necessary. I understand the need for the 'sec' in
> the larger sense, but in the long run I'll need to distribute NTP
> configuration via DHCP, so as simple as possible.
>
> Thanks.
>
> -Dave
>
> --
> Dave Hall
> Binghamton University
> kdhall at binghamton.edu
>
>
>
> On Mon, Jul 22, 2024 at 1:08 PM Dave Hall <kdhall at binghamton.edu> wrote:
>
> Matt,
>
> Thank you for your quick response. The config on both of my
> primaries is:
>
> driftfile /var/lib/ntpsec/ntp.drift
> leapfile /usr/share/zoneinfo/leap-seconds.list
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> tos maxclock 11
> tos minclock 4 minsane 3
> server utcnist2.colorado.edu
> server bonehed.lcs.mit.edu
> server time.nc7j.com
> server tick.uh.edu
> restrict default kod nomodify nopeer noquery limited
> restrict 127.0.0.1
> restrict ::1
>
>
> On my secondaries, I have:
>
> driftfile /var/lib/ntpsec/ntp.drift
> leapfile /usr/share/zoneinfo/leap-seconds.list
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> tos maxclock 11
> tos minclock 4 minsane 3
> pool ntp-core.cs.binghamton.edu iburst
> server primary1.x.x.x iburst
> server primary2.x.x.x iburst
> restrict default kod nomodify nopeer noquery limited
> restrict 127.0.0.1
> restrict ::1
>
>
> (In the secondary config, the names shown for the primaries have
> been obscured, but primaries and secondaries are all in the same
> DNS domain and same network segment.)
>
> Thanks.
>
> -Dave
>
> --
> Dave Hall
> Binghamton University
> kdhall at binghamton.edu
> 607-760-2328 (Cell)
> 607-777-4641 (Office)
>
>
> On Mon, Jul 22, 2024 at 11:38 AM Matt Selsky
> <Matthew.Selsky at twosigma.com> wrote:
>
> On Mon, Jul 22, 2024 at 10:17:21AM -0400, Dave Hall via users
> wrote:
>
> > I have until recently had a two-tier NTP configuration running on an
> > internal subnet with 2 'primary' servers configured to connect to external
> > stratum 1 services, and 4 secondary servers syncing with the primaries.
> > All other systems ('clients') in the subnet are configured to sync with
> > the 4 secondary servers. In 'ntpq -c pe' the 2 primary servers show as
> > stratum 2.
> > With the upgrade to Debian 12, NTP is replaced by NTPSEC, and this no
> > longer works: The 4 secondary servers come up as stratum 16, causing all
> > of the 'clients' to become unsynced.
> > In studying the documentation and with many experiments, I have not found
> > a way to get past this. Note that I have not configured any SSL
> > certificates anywhere, the assumption being that my network segment is
> > isolated enough that I should not need this. Further, all of my systems
> > are willing to sync with the 2 'primaries' even though they are still
> > running the same old ntp.conf.
> > So how do I get my secondaries to be something other than stratum 16, and
> > where is this documented?
>
> Hi Dave,
>
> Can you please share your ntp.conf from both your primary and
> secondaries?
>
> Thanks,
> -Matt
>