Mac – Configure Snow Leopard Server as NTP server for private LAN with no Internet access

macntposx-snow-leopard

I have a Snow Leopard Server box running on a private LAN with no Internet access. If you can avoid ever doing this, you should, as not having an Internet connection has brought us hours and hours of headaches.

Anyway, our most recent headache is that Open Directory users can't authenticate with Kerberos as the client computers' individual clocks drift from the server's clock. So the server also needs to be an NTP server.

I cannot figure out how to configure the server so that it will respond to client requests in a way that they trust. Here's what a query looks like from a client machine:

$ ntpdate -q 192.168.1.250
server 192.168.1.250, stratum 16, offset 8.010421, delay 0.02605
 2 Sep 16:32:23 ntpdate[346]: no server suitable for synchronization found

Here are my configuration files on the server:

/etc/ntp.conf

server 192.168.1.250
fudge 127.0.0.1 stratum 8 refid NIST

/etc/ntp-restrict.conf

restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

includefile /private/etc/ntp.conf

Update

This is the configuration that I went with.

These 2 files are configured, and the NTP service is turned on in Server Admin under the General tab, and these 2 files are configured thusly:

/etc/ntp.conf

server 127.127.1.1
fudge 127.127.1.1 stratum 8 refid NIST

/etc/ntp-restrict.conf

restrict default notrust nomodify
restrict 127.127.1.1 mask 255.255.0.0 nomodify
restrict 192.168.1.0 mask 255.255.255.0 nomodify
includefile /private/etc/ntp.conf

Then the clients are configured to point to this server by name. It works perfectly.

Best Answer

IIRC, ntpdate is used to set times, but ntpd is used to maintain the time on a system.

Look in Server Admin --> --> Settings for the NTP on/off check box. Don't worry about the config files.

If you can't get a solution from the GUI, then the following website might help: http://docsrv.sco.com/NET_tcpip/ntpT.no_inet.html

Good luck.

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

Many distributions these days are configuring ntpd to restrict access. If restrict lines are present in your server's /etc/ntp.conf, only hosts/networks matching those lines will be permitted to connect to ntpd. You probably need to add additional restrict lines for the hosts or networks you want to allow to sync to your server. For example, to let the client you mentioned sync, add one of the following lines:

# allow just this host
restrict 10.99.84.134 nomodify notrap

# or allow the whole /24 segment
restrict 10.99.84.0 mask 255.255.255.0 nomodify notrap

After that, restart ntpd, and your clients should be able to sync.

Linux – Single NTP server on isolate network

NTP should work fine. Look at some of the options for fast synchronization on start-up. Look at the burst and iburst options for the system B. Look at the true option for the GPS clock source.

Consider using the hardware clock as a backup time source on both systems. Set a higher stratum system B. Something like the following should work:

server  127.127.1.0
fudge   127.127.1.0 stratum 8

Watch the output of ntpq -c peers to see when you get a trusted clock source. Normally ntp wants a number of responses from a trusted time source before it trusts it. This is indicated by the first character on each line.

While NTP likes more sources, any odd number of time sources within one stratum level should work well. As you only have two servers and a GPS clock the priority (stratum) of the sources should increase from GPS, clock on server A, clock on server B. Increasing the stratum between each by three or four levels will ensure priorities are respected.

EDIT: If you have the busybox NTP server on server A, it may be worthwhile installing the full ntp server package. Understanding what is happening with server A should go a long way to solving your problem. You will need at least one trusted time source there before server B should trust it. If ntpq -c peers doesn't work, then you can try ntpdc peers. Both these commands allow you to query other hosts. A peerstats log could also be useful.

On server B use ntpclient as documented the busybox ntp howto to log what is happening on it

The clocks should be reasonably close to the correct time if the servers haven't been down for long. If you need to sync the two systems, that should be sufficient. The GPS will bring the time into sync with the real world eventually.

'ntpd -q' synchronizes quickly, but exits (ntpdate behaviour). It needs to be followed by an ntpd command without the quit option to have continuous synchronization.

EDIT2: I check my server and found one of the servers was off by a second. While fixing this I played with the settings. iburst gets a server trusted very quickly. true ensured the clock driver was trusted if there weren't multiple other trusted sources. The clock took a little more than a minute before it was locally trusted and could be trusted remotely.

When testing you should be able to restart the ntpd process once it is synchronized and test how fast settings work. In the above case Server B may need to be restarted to test how fast it synchronizes. When monitoring ntpd changes I use a line like:

while ntpq -c peers localhost; do sleep 10; done

The hostname and sleep time are adjusted as require. In some cases I chain two or more ntpq command lines in the loop. When doing so I use an echo and/or date command to provide an indication of where sets of data change.

/etc/ntp.conf

/etc/ntp-restrict.conf

Update

/etc/ntp.conf

/etc/ntp-restrict.conf

Best Answer

Related Solutions

Problem Synchronizing Server Time with ntpd – Solutions

Linux – Single NTP server on isolate network

Related Topic