<div dir="ltr"><div dir="ltr"><div>Hans,</div><div><br></div><div>So you're saying that the NTPSEC ntpd running with generic default configuration is, by default, configured to be both a client and a server?</div><div><br></div><div>More specifically, are you saying that I could take the vanilla distribution configuration file and only change the pools/servers lines so that my 'master' servers are pointing to some external pools or servers. Then, on all of my 'internal' systems I could take the same vanilla distribution config file and change the pools/servers lines to point to my local masters, and it would all work?</div><div><br></div><div>This is the configuration that I had before NTPSEC, but when a recent Debian upgrade forced me to NTPSEC, it all stopped working. What I didn't realize until yesterday is that ntpstat says that my internal client systems are not synchronizing even though they seem to be in touch with my 'local masters'.</div><div><br></div><div>Am I missing something?</div><div><br></div><div>Thanks.</div><div><br></div><div>-Dave</div><div><br></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>--</div><div>Dave Hall<br>Binghamton University<br><a href="mailto:kdhall@binghamton.edu" target="_blank">kdhall@binghamton.edu</a><br></div></div></div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Wed, Jan 15, 2025 at 1:04 PM Hans Mayer <<a href="mailto:ntp.sec@ma.yer.at">ntp.sec@ma.yer.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Hi Dave, <br>
</p>
<p>I hope I understand correctly. You have some servers which can
successfully synchronize from the internet. But the clients of
these servers are not in sync. And all of them have ntpsec. <br>
</p>
<p>I wouldn't say this is related to ntpsec. I have been running ntpsec and
ntp classic in a mixed environment for several years. <br>
Keys are not really necessary. <br>
I assume you enabled logging. What does syslog or the debug log say?
Especially after the start. <br>
</p>
<p>The difference between master and client configuration is only
which "server" you define. For the client it's the IP or
name of the master. And the master will probably take some servers from some
pools. <br>
</p>
<p>Attached is part of the config from a server with ntpsec, which
is a member of the AT pool for IPv6. Maybe you don't need all of it. And
of course you have to adapt it to your situation. <br>
</p>
<p>Let us know if you have success. <br>
</p>
<p>Kind regards <br>
Hans <br>
</p>
<p># 2017-04-14 20:13:01 startup configuration file /etc/ntp.conf<br>
#<br>
#
<a href="https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#saveconfigdir" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#saveconfigdir</a><br>
# removed for ntpsec<br>
# saveconfigdir "/etc"<br>
#<br>
# <a href="https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#leapfile" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#leapfile</a><br>
leapfile "/etc/leap-seconds"<br>
#<br>
#
<a href="https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#driftfile" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#driftfile</a><br>
driftfile "/var/lib/ntp/ntp.drift"<br>
logconfig =allall<br>
#<br>
# <a href="http://doc.ntp.org/4.2.4/monopt.html" target="_blank">http://doc.ntp.org/4.2.4/monopt.html</a><br>
statsdir "/var/log/ntpstats/"<br>
filegen peerstats file peerstats type day enable<br>
filegen loopstats file loopstats type day enable<br>
#<br>
#<br>
# <a href="https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#tinker" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#tinker</a><br>
tinker panic 1.4<br>
#<br>
# <a href="https://www.eecis.udel.edu/~mills/ntp/html/confopt.html" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/confopt.html</a><br>
server <a href="http://2.ch.pool.ntp.org" target="_blank">2.ch.pool.ntp.org</a><br>
server <a href="http://2.de.pool.ntp.org" target="_blank">2.de.pool.ntp.org</a><br>
# here you may have to define some servers <br>
# for internal servers take them which can reach the internet <br>
#<br>
# <a href="http://doc.ntp.org/4.2.8/miscopt.html" target="_blank">http://doc.ntp.org/4.2.8/miscopt.html</a><br>
# <a href="http://lists.ntp.org/pipermail/questions/2010-April/026306.html" target="_blank">http://lists.ntp.org/pipermail/questions/2010-April/026306.html</a><br>
mru initmem 1024 incmem 512 maxmem 262144 mindepth 8192 maxage
1024<br>
#<br>
# <a href="https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#discard</a><br>
# removed for ntpsec<br>
# discard average 5 minimum 1<br>
#<br>
# <a href="https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict" target="_blank">https://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict</a><br>
restrict 0.0.0.0 mask 0.0.0.0 limited notrap nomodify nopeer
noquery<br>
restrict :: mask :: limited notrap nomodify nopeer noquery<br>
restrict 127.0.0.1<br>
restrict ::1<br>
restrict source nomodify nopeer notrap<br>
# maybe some additional <br>
#<br>
</p>
<div>On 15.01.25 17:33, Dave Hall via users
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello. Sorry to bring up an old question from July. I
will restate my problem:</div>
<div><br>
</div>
<div>I have a large number of Linux systems, some of which are
on non-routable 10.x.x.x subnets. Out of consideration for
the network at large, I have been using a couple of these
servers to act as 'local master' NTP servers. These 'local
master' NTP servers are the only ones where the ntp.conf
points to external NTP servers. The ntp.conf files on all
other servers point to these local NTP servers.</div>
<div><br>
</div>
<div>Since Debian has switched to NTPSEC, I have been having
continuous issues with drift. It appears from the output of
'ntpq -c pe' that my internal ntp clients are seeing my local
servers but are never achieving synchronization - no * on any
of my local servers.</div>
<div><br>
</div>
<div>I am sorry to say this, but what I could really use right
now is a couple of cookbook ntp.conf examples - one for my
local masters and one for my local clients. The current
Debian package on all systems is ntpsec 1.2.2+dfsg1-1+deb12u1
if that helps. </div>
<div><br>
</div>
<div>One other note: I haven't created any ntpsec keys and I
would prefer not to unless it is necessary. I understand the
need for the 'sec' in the larger sense, but in the long run
I'll need to distribute NTP configuration via DHCP, so as
simple as possible.</div>
<div><br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div>-Dave</div>
<div><br>
</div>
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>--</div>
<div>Dave Hall<br>
Binghamton University<br>
<a href="mailto:kdhall@binghamton.edu" target="_blank">kdhall@binghamton.edu</a><br>
<br>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Jul 22, 2024 at
1:08 PM Dave Hall <<a href="mailto:kdhall@binghamton.edu" target="_blank">kdhall@binghamton.edu</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Matt,
<div><br>
</div>
<div>Thank you for your quick response. The config on both
of my primaries is:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace">driftfile
/var/lib/ntpsec/ntp.drift</font></div>
<div><font face="monospace">leapfile
/usr/share/zoneinfo/leap-seconds.list</font></div>
<div><font face="monospace">statistics loopstats peerstats
clockstats</font></div>
<div><font face="monospace">filegen loopstats file
loopstats type day enable</font></div>
<div><font face="monospace">filegen peerstats file
peerstats type day enable</font></div>
<div><font face="monospace">filegen clockstats file
clockstats type day enable</font></div>
<div><font face="monospace">tos maxclock 11</font></div>
<div><font face="monospace">tos minclock 4 minsane 3</font></div>
<div><font face="monospace">server <a href="http://utcnist2.colorado.edu" target="_blank">utcnist2.colorado.edu</a></font></div>
<div><font face="monospace">server <a href="http://bonehed.lcs.mit.edu" target="_blank">bonehed.lcs.mit.edu</a></font></div>
<div><font face="monospace">server <a href="http://time.nc7j.com" target="_blank">time.nc7j.com</a></font></div>
<div><font face="monospace">server <a href="http://tick.uh.edu" target="_blank">tick.uh.edu</a></font></div>
<div><font face="monospace">restrict default kod nomodify
nopeer noquery limited</font></div>
<div><font face="monospace">restrict 127.0.0.1</font></div>
<div><font face="monospace">restrict ::1</font></div>
</blockquote>
<div><br>
</div>
<div>On my secondaries, I have:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace">driftfile
/var/lib/ntpsec/ntp.drift</font></div>
<div><font face="monospace">leapfile
/usr/share/zoneinfo/leap-seconds.list</font></div>
<div><font face="monospace">statistics loopstats peerstats
clockstats</font></div>
<div><font face="monospace">filegen loopstats file
loopstats type day enable</font></div>
<div><font face="monospace">filegen peerstats file
peerstats type day enable</font></div>
<div><font face="monospace">filegen clockstats file
clockstats type day enable</font></div>
<div><font face="monospace">tos maxclock 11</font></div>
<div><font face="monospace">tos minclock 4 minsane 3</font></div>
<div><font face="monospace">pool <a href="http://ntp-core.cs.binghamton.edu" target="_blank">ntp-core.cs.binghamton.edu</a>
iburst</font></div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace">server primary1.x.x.x iburst</font></div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace">server primary2.x.x.x iburst</font></div>
</blockquote>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div><font face="monospace">restrict default kod nomodify
nopeer noquery limited</font></div>
<div><font face="monospace">restrict 127.0.0.1</font></div>
<div><font face="monospace">restrict ::1</font></div>
</blockquote>
<div><br>
</div>
<div>(In the secondary config, the names shown for the
primaries have been obscured, but primaries and
secondaries are all in the same DNS domain and same
network segment.)</div>
<div><br>
</div>
<div>Thanks.</div>
<div><br>
</div>
<div>-Dave</div>
<div><br clear="all">
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>--</div>
<div>Dave Hall<br>
Binghamton University<br>
<a href="mailto:kdhall@binghamton.edu" target="_blank">kdhall@binghamton.edu</a><br>
607-760-2328 (Cell)<br>
607-777-4641 (Office)<br>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Jul 22, 2024 at
11:38 AM Matt Selsky <<a href="mailto:Matthew.Selsky@twosigma.com" target="_blank">Matthew.Selsky@twosigma.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On
Mon, Jul 22, 2024 at 10:17:21AM -0400, Dave Hall via users
wrote:<br>
<br>
> I have until recently had a two-tier NTP
configuration running on an<br>
> internal subnet with 2 'primary' servers
configured to connect to external<br>
> stratum 1 services, and 4 secondary servers
syncing with the primaries. <br>
> All other systems ('clients') in the subnet are
configured to sync with<br>
> the 4 secondary servers. In 'ntpq -c pe' the 2
primary servers show as<br>
> stratum 2. <br>
> With the upgrade to Debian 12, NTP is replaced by
NTPSEC, and this no<br>
> longer works: The 4 secondary servers come up as
stratum 16, causing all<br>
> of the 'clients' to become unsynced. <br>
> In studying the documentation and with many
experiments, I have not found<br>
> a way to get past this. Note that I have not
configured any SSL<br>
> certificates anywhere, the assumption being that
my network segment is<br>
> isolated enough that I should not need this.
Further, all of my systems<br>
> are willing to sync with the 2 'primaries' even
though they are still<br>
> running the same old ntp.conf.<br>
> So how do I get my secondaries to be something
other than stratum 16, and<br>
> where is this documented?<br>
<br>
Hi Dave,<br>
<br>
Can you please share your ntp.conf from both your primary
and secondaries?<br>
<br>
Thanks,<br>
-Matt<br>
</blockquote>
</div>
</blockquote>
</div>
<br>
<pre>_______________________________________________
users mailing list
<a href="mailto:users@ntpsec.org" target="_blank">users@ntpsec.org</a>
<a href="https://lists.ntpsec.org/mailman/listinfo/users" target="_blank">https://lists.ntpsec.org/mailman/listinfo/users</a>
</pre>
</blockquote>
</div>
</blockquote></div></div>