Question about internal 'private' servers
Dave Hall
kdhall at binghamton.edu
Wed Jan 15 20:36:32 UTC 2025
Hans,
So you're saying that the NTPSEC ntpd running with generic default
configuration is, by default, configured to be both a client and a server?
More specifically, are you saying that I could take the vanilla distribution
configuration file and only change the pools/servers lines so that my
'master' servers are pointing to some external pools or servers. Then, on
all of my 'internal' systems I could take the same vanilla distribution
config file and change the pools/servers lines to point to my
local masters, and it would all work?
This is the configuration that I had before NTPSEC, but when a recent
Debian upgrade forced me to NTPSEC, it all stopped working. What I didn't
realize until yesterday is that ntpstat says that my internal client
systems are not synchronizing even though they seem to be in touch with my
'local masters'.
Am I missing something?
Thanks.
-Dave
--
Dave Hall
Binghamton University
kdhall at binghamton.edu
On Wed, Jan 15, 2025 at 1:04 PM Hans Mayer <ntp.sec at ma.yer.at> wrote:
>
> Hi Dave,
>
> I hope I understand correctly. You have some servers which can
> successfully synchronize from the internet. But the clients to these servers
> are not in sync. And all of them have ntpsec.
>
> I wouldn't say this is related to ntpsec. I am running ntpsec and ntp
> classic in a mixed environment for several years.
> Keys are not really necessary.
> I assume you enabled logging. What does syslog or the debug log say? Especially
> after the start.
>
> The difference between master and client configuration is only the fact
> which "server" you define. For the client it's the IP or name of the
> master. And the master will probably take some from some pools.
>
> Attached is part of the config from a server with ntpsec, which is member
> of AT pool for IPv6. Maybe you don't need all of it. And of course you have
> to adapt to your situation.
>
> Let us know if you have success.
>
> Kind regards
> Hans
>
>
> # 2017-04-14 20:13:01 startup configuration file /etc/ntp.conf
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#saveconfigdir
> # removed for ntpsec
> # saveconfigdir "/etc"
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#leapfile
> leapfile "/etc/leap-seconds"
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#driftfile
> driftfile "/var/lib/ntp/ntp.drift"
> logconfig =allall
> #
> # http://doc.ntp.org/4.2.4/monopt.html
> statsdir "/var/log/ntpstats/"
> filegen peerstats file peerstats type day enable
> filegen loopstats file loopstats type day enable
> #
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#tinker
> tinker panic 1.4
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/confopt.html
> server 2.ch.pool.ntp.org
> server 2.de.pool.ntp.org
> # here you may have to define some servers
> # for internal servers take them which can reach the internet
> #
> # http://doc.ntp.org/4.2.8/miscopt.html
> # http://lists.ntp.org/pipermail/questions/2010-April/026306.html
> mru initmem 1024 incmem 512 maxmem 262144 mindepth 8192 maxage 1024
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard
> # removed for ntpsec
> # discard average 5 minimum 1
> #
> # https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
> restrict 0.0.0.0 mask 0.0.0.0 limited notrap nomodify nopeer noquery
> restrict :: mask :: limited notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> restrict source nomodify nopeer notrap
> # maybe some additional
> #
>
>
>
> On 15.01.25 17:33, Dave Hall via users wrote:
>
> Hello. Sorry to bring up an old question from July. I will restate my
> problem:
>
> I have a large number of Linux systems, some of which are on non-routable
> 10.x.x.x subnets. Out of consideration for the network at large, I have
> been using a couple of these servers to act as 'local master' NTP servers.
> These 'local master' NTP servers are the only ones where the ntp.conf
> points to external NTP servers. The ntp.conf files on all other servers
> point to these local NTP servers.
>
> Since Debian has switched to NTPSEC, I have been having continuous issues
> with drift. It appears from the output of 'ntpq -c pe' that my internal
> ntp clients are seeing my local servers but are never
> achieving synchronization - no * on any of my local servers.
>
> I am sorry to say this, but what I could really use right now is a
> couple of cookbook ntp.conf examples - one for my local masters and one for
> my local clients. The current Debian package on all systems is ntpsec
> 1.2.2+dfsg1-1+deb12u1 if that helps.
>
> One other note: I haven't created any ntpsec keys and I would prefer not
> to unless it is necessary. I understand the need for the 'sec' in the
> larger sense, but in the long run I'll need to distribute NTP configuration
> via DHCP, so as simple as possible.
>
> Thanks.
>
> -Dave
>
> --
> Dave Hall
> Binghamton University
> kdhall at binghamton.edu
>
>
>
> On Mon, Jul 22, 2024 at 1:08 PM Dave Hall <kdhall at binghamton.edu> wrote:
>
>> Matt,
>>
>> Thank you for your quick response. The config on both of my primaries is:
>>
>> driftfile /var/lib/ntpsec/ntp.drift
>> leapfile /usr/share/zoneinfo/leap-seconds.list
>> statistics loopstats peerstats clockstats
>> filegen loopstats file loopstats type day enable
>> filegen peerstats file peerstats type day enable
>> filegen clockstats file clockstats type day enable
>> tos maxclock 11
>> tos minclock 4 minsane 3
>> server utcnist2.colorado.edu
>> server bonehed.lcs.mit.edu
>> server time.nc7j.com
>> server tick.uh.edu
>> restrict default kod nomodify nopeer noquery limited
>> restrict 127.0.0.1
>> restrict ::1
>>
>>
>> On my secondaries, I have:
>>
>> driftfile /var/lib/ntpsec/ntp.drift
>> leapfile /usr/share/zoneinfo/leap-seconds.list
>> statistics loopstats peerstats clockstats
>> filegen loopstats file loopstats type day enable
>> filegen peerstats file peerstats type day enable
>> filegen clockstats file clockstats type day enable
>> tos maxclock 11
>> tos minclock 4 minsane 3
>> pool ntp-core.cs.binghamton.edu iburst
>> server primary1.x.x.x iburst
>> server primary2.x.x.x iburst
>>
>> restrict default kod nomodify nopeer noquery limited
>> restrict 127.0.0.1
>> restrict ::1
>>
>>
>> (In the secondary config, the names shown for the primaries have been
>> obscured, but primaries and secondaries are all in the same DNS domain and
>> same network segment.)
>>
>> Thanks.
>>
>> -Dave
>>
>> --
>> Dave Hall
>> Binghamton University
>> kdhall at binghamton.edu
>> 607-760-2328 (Cell)
>> 607-777-4641 (Office)
>>
>>
>> On Mon, Jul 22, 2024 at 11:38 AM Matt Selsky <Matthew.Selsky at twosigma.com>
>> wrote:
>>
>>> On Mon, Jul 22, 2024 at 10:17:21AM -0400, Dave Hall via users wrote:
>>>
>>> > I have until recently had a two-tier NTP configuration running on an
>>> > internal subnet with 2 'primary' servers configured to connect to external
>>> > stratum 1 services, and 4 secondary servers syncing with the primaries.
>>> > All other systems ('clients') in the subnet are configured to sync with
>>> > the 4 secondary servers. In 'ntpq -c pe' the 2 primary servers show as
>>> > stratum 2.
>>> > With the upgrade to Debian 12, NTP is replaced by NTPSEC, and this no
>>> > longer works: The 4 secondary servers come up as stratum 16, causing all
>>> > of the 'clients' to become unsynced.
>>> > In studying the documentation and with many experiments, I have not found
>>> > a way to get past this. Note that I have not configured any SSL
>>> > certificates anywhere, the assumption being that my network segment is
>>> > isolated enough that I should not need this. Further, all of my systems
>>> > are willing to sync with the 2 'primaries' even though they are still
>>> > running the same old ntp.conf.
>>> > So how do I get my secondaries to be something other than stratum 16, and
>>> > where is this documented?
>>>
>>> Hi Dave,
>>>
>>> Can you please share your ntp.conf from both your primary and
>>> secondaries?
>>>
>>> Thanks,
>>> -Matt
>>>
>>
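The thread's symptom is peers that are visible in 'ntpq -c pe' but never get a '*', on hosts configured with 'tos minsane 3'. The following is an added example, not code from the thread or from the NTPsec project: a small Python checker that parses the 'ntpq -p' peer table and reports whether the number of reachable, non-stratum-16 sources can satisfy the host's minsane setting (ntpd sets the clock only once at least minsane candidates survive selection). The hostnames and the sample table are constructed.

```python
from dataclasses import dataclass

# Tally codes printed in column 1 of `ntpq -p`: candidate, backup, syspeer, PPS peer.
SURVIVOR_CODES = {"+", "#", "*", "o"}

@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int      # reachability shift register, printed in octal (377 = 8/8 polls)
    offset: float   # milliseconds

def parse_ntpq(text: str) -> list:
    """Parse the peer table printed by `ntpq -p` / `ntpq -c pe` into Peer records."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if fields[0] == "remote":          # column header row
            continue
        peers.append(Peer(tally, fields[0], fields[1], int(fields[2]),
                          int(fields[6], 8), float(fields[8])))
    return peers

def diagnose(peers: list, minsane: int = 1) -> dict:
    """Explain a missing '*': ntpd will not set the clock unless at least
    `minsane` sources survive selection, so fewer usable sources than minsane
    can never synchronize, whatever else is right in ntp.conf."""
    usable = [p.remote for p in peers if p.reach and p.stratum < 16]
    return {
        "synced": any(p.tally in ("*", "o") for p in peers),
        "survivors": [p.remote for p in peers if p.tally in SURVIVOR_CODES],
        "usable_sources": usable,
        "unreachable": [p.remote for p in peers if p.reach == 0],
        "stratum16": [p.remote for p in peers if p.stratum >= 16],
        "minsane_satisfiable": len(usable) >= minsane,
    }

# Constructed sample: a secondary seeing two reachable local primaries at
# stratum 2, one pool entry that never answered, and no selected system peer.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset   jitter
==============================================================================
 primary1.example  10.0.0.5         2 u   37   64  377    0.412    0.083    0.031
 primary2.example  10.0.0.5         2 u   21   64  377    0.398    0.071    0.028
 ntp-core.example  .POOL.          16 p    -   64    0    0.000    0.000    0.000
"""
```

Run `diagnose(parse_ntpq(SAMPLE), minsane=3)` to see the two primaries listed as usable but `minsane_satisfiable` False; the same table with `minsane=1` passes, which is the check to make before looking for a protocol or key problem.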