NTP client configuration

Hello

I am running openSUSE 12.2, and trying to get NTP to work using YaST. I have added a public UK server (uk.pool.ntp.org), and the ‘Test’ returns “Server is reachable and responds properly”. But if I then run ‘ntpq -p’ in a console, I get


ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntppub.le.ac.uk .INIT.          16 u    -   64    0    0.000    0.000   0.000


i.e. reach=0, which I think means the server has not been reached.

Is there a problem here, and if so, what is it likely to be? I do have firewalls set up, but the test succeeded.

Thanks for any help

Your ‘refid’ is INIT, which I think means it’s still initializing. Give
it a few minutes… half-hour maybe, and see how it goes. Mine shows the
same until the first contact.

If really concerned about things then watch the wire to see if your
queries are not being responded-to like this:

Code:

sudo /usr/sbin/tcpdump -n -s 0 -i any port 123

#then in another shell…
sudo /etc/init.d/ntp restart

Good luck.

On 2013-09-27 19:52, ab wrote:
> Your ‘refid’ is INIT, which I think means it’s still initializing. Give
> it a few minutes… half-hour maybe, and see how it goes. Mine shows the
> same until the first contact.

Also, the servers in the pool change from time to time.

It would also be appropriate to configure several servers; from the
pool, for instance.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 9/27/2013 9:03 PM, Carlos E. R. wrote:
> On 2013-09-27 19:52, ab wrote:
>> Your ‘refid’ is INIT, which I think means it’s still initializing. Give
>> it a few minutes… half-hour maybe, and see how it goes. Mine shows the
>> same until the first contact.
>
> Also, the servers in the pool change from time to time.
>
> It would also be appropriate to configure several servers; from the
> pool, for instance.
>
Libarch;

You can configure up to four random pool servers in your /etc/ntp/conf by using a prefix of 0-3 as follows:


server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org

Of course uk could be replaced with any valid country or continent code.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Thank you very much for taking the time to respond.

OK, I’ve set up 4 servers from the pool, as suggested. My ntp.conf is

# LCL is unsynchronized

##
## Add external Servers using
## # rcntp addserver <yourserver>
## 

##
## Miscellaneous stuff
##

driftfile /var/lib/ntp/drift/ntp.drift       # path for drift file

logfile /var/log/ntp              # alternate log file
# logconfig =syncstatus + sysevents
# logconfig =all

# statsdir /tmp/        # directory for statistics files
# filegen peerstats  file peerstats  type day enable
# filegen loopstats  file loopstats  type day enable
# filegen clockstats file clockstats type day enable

#
# Authentication stuff
#
keys /etc/ntp.keys              # path for keys file
trustedkey 1                  # define trusted keys
requestkey 1                  
server 0.uk.pool.ntp.org
server 1.uk.pool.ntp.org
server 2.uk.pool.ntp.org
server 3.uk.pool.ntp.org
# key (7) for accessing server variables
# controlkey 15            # key (6) for accessing server variables

When I restarted ntpd, the tcpdump output was

10:59:06.224636 IP 192.168.1.2.42664 > 85.119.80.232.123: NTPv4, Client, length 48
10:59:06.248212 IP 85.119.80.232.123 > 192.168.1.2.42664: NTPv4, Server, length 48
10:59:06.249084 IP 192.168.1.2.53406 > 87.124.126.49.123: NTPv4, Client, length 48
10:59:06.275743 IP 87.124.126.49.123 > 192.168.1.2.53406: NTPv4, Server, length 48
10:59:06.276284 IP 192.168.1.2.59194 > 91.208.177.20.123: NTPv4, Client, length 48
10:59:06.300823 IP 91.208.177.20.123 > 192.168.1.2.59194: NTPv4, Server, length 48
10:59:06.301926 IP 192.168.1.2.50522 > 194.238.48.2.123: NTPv4, Client, length 48
10:59:06.329006 IP 194.238.48.2.123 > 192.168.1.2.50522: NTPv4, Server, length 48

after which, at 64 sec intervals, the output is (typically)

11:29:21.568114 IP 192.168.1.2.123 > 85.119.80.232.123: NTPv4, Client, length 48
11:29:23.568095 IP 192.168.1.2.123 > 178.18.118.13.123: NTPv4, Client, length 48
11:29:24.568104 IP 192.168.1.2.123 > 94.125.129.7.123: NTPv4, Client, length 48
11:29:25.568102 IP 192.168.1.2.123 > 217.169.26.196.123: NTPv4, Client, length 48

Does this suggest something? I’m a bit out of my depth here! My (naive) interpretation is that ntpd manages to get a response from the servers when it starts, but not subsequently.

Thanks again for any help or pointers

It turns out to be the ‘off site’ firewall at my broadband ISP (Plus Net in the UK), which was set to ‘High’. Changing that to ‘Low’ has fixed it. I’m sorry to have wasted your time with this. However it’s still strange that the Yast ‘Test’ should have succeeded?

Thanks again for help.

On 2013-09-28 05:18, PV wrote:

> You can configure up to four random pool servers in your /etc/ntp/conf
> by using a prefix of 0-3 as follows:

I have ten :)


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-09-28 16:26, Libarch wrote:
>
> It turns out to be the ‘off site’ firewall at my broadband ISP (Plus Net
> in the UK), which was set to ‘High’. Changing that to ‘Low’ has fixed
> it. I’m sorry to have wasted your time with this. However it’s still
> strange that the Yast ‘Test’ should have succeeded?

It depends on what it exactly tests


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I, too, have seen the Yast test succeed when other things did not. If you
compare the LAN trace (probably using Wireshark to get more detail) of the
Yast-based test vs. the other things that fail you’ll likely see a
difference in the packet structure, allowing the first test to work and
the later operations to fail. Unfortunately your overactive ISP firewall
cared in one case but not another. Go figure… My guess is the firewall
cared about the low-port sending since that’s a little less-common than a
high-port sending to the outside world, just like with most services.
There’s no requirement either way, as long as the route back is allowed,
but your ISP may care about low ports being sent anything from the
Internet, for example if they want you (as a home user) to NOT have a home
web server unless you pay extra.

Good luck.
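
The pattern in the capture posted earlier (queries from a high source port get replies, queries from source port 123 do not) can be checked mechanically. The following is an added example, not code from any post in this thread: it pairs NTP queries with replies in tcpdump text output, using lines copied from that capture as sample input; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the tcpdump capture posted earlier in this thread.
CAPTURE = """\
10:59:06.224636 IP 192.168.1.2.42664 > 85.119.80.232.123: NTPv4, Client, length 48
10:59:06.248212 IP 85.119.80.232.123 > 192.168.1.2.42664: NTPv4, Server, length 48
10:59:06.249084 IP 192.168.1.2.53406 > 87.124.126.49.123: NTPv4, Client, length 48
10:59:06.275743 IP 87.124.126.49.123 > 192.168.1.2.53406: NTPv4, Server, length 48
11:29:21.568114 IP 192.168.1.2.123 > 85.119.80.232.123: NTPv4, Client, length 48
11:29:23.568095 IP 192.168.1.2.123 > 178.18.118.13.123: NTPv4, Client, length 48
11:29:24.568104 IP 192.168.1.2.123 > 94.125.129.7.123: NTPv4, Client, length 48
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"NTPv4, (?P<mode>Client|Server), length \d+$"
)

def port_class(port):
    # Ports below 1024 are the "low" ports the firewall may treat differently.
    return "privileged" if port < 1024 else "ephemeral"

def summarize(capture):
    """Pair each NTP query with the reply sent back to the same socket and
    count answered/unanswered queries per client source-port class."""
    pending = defaultdict(list)  # (client ip, client port, server ip) -> timestamps
    stats = {c: {"answered": 0, "unanswered": 0} for c in ("privileged", "ephemeral")}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an NTPv4 summary line
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["mode"] == "Client" and dport == 123:
            pending[(m["src"], sport, m["dst"])].append(m["ts"])
        elif m["mode"] == "Server" and sport == 123:
            key = (m["dst"], dport, m["src"])
            if pending.get(key):
                pending[key].pop(0)
                stats[port_class(dport)]["answered"] += 1
    for (_, cport, _), waiting in pending.items():
        stats[port_class(cport)]["unanswered"] += len(waiting)
    return stats

if __name__ == "__main__":
    for cls, s in summarize(CAPTURE).items():
        print(f"{cls:10s} source port: {s['answered']} answered, {s['unanswered']} unanswered")
```

Queries sent just before the capture was stopped will also count as unanswered, so judge the result over several poll intervals.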

Libarch wrote:
> It turns out to be the ‘off site’ firewall at my broadband ISP (Plus Net
> in the UK), which was set to ‘High’. Changing that to ‘Low’ has fixed
> it. I’m sorry to have wasted your time with this. However it’s still
> strange that the Yast ‘Test’ should have succeeded?

If you’re with plus.net, you don’t need to go to the pool servers. Use
ntp.plus.net instead. Most ISPs have their own time servers, I think.

On 2013-09-30 11:09, Dave Howorth wrote:

> If you’re with plus.net, you don’t need to go to the pool servers. Use
> ntp.plus.net instead. Most ISPs have their own time servers, I think.

None of my ISPs has it, and I personally deal with 3. If they have it,
they don’t publish it.


Telcontar:~ # host ntp.telefonica.es
Host ntp.telefonica.es not found: 3(NXDOMAIN)
Telcontar:~ # host ntp.ono.es
Host ntp.ono.es not found: 3(NXDOMAIN)
Telcontar:~ # host ntp.yoigo.es
Host ntp.yoigo.es not found: 3(NXDOMAIN)
Telcontar:~ #
Telcontar:~ # host ntp.jaztel.es
Host ntp.jaztel.es not found: 3(NXDOMAIN)

Telcontar:~ # host ntp.orange.es
ntp.orange.es is an alias for www-default.orange.es.
www-default.orange.es has address 62.37.237.90
www-default.orange.es has address 62.37.237.91
Telcontar:~ #

1 out of 5.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Carlos E. R. wrote:
> On 2013-09-30 11:09, Dave Howorth wrote:
>
>> If you’re with plus.net, you don’t need to go to the pool servers. Use
>> ntp.plus.net instead. Most ISPs have their own time servers, I think.
>
> None of my ISPs has it, and I personally deal with 3. If they have it,
> they don’t publish it.
>
> Telcontar:~ # host ntp.telefonica.es
> Host ntp.telefonica.es not found: 3(NXDOMAIN)
> Telcontar:~ # host ntp.ono.es
> Host ntp.ono.es not found: 3(NXDOMAIN)
> Telcontar:~ # host ntp.yoigo.es
> Host ntp.yoigo.es not found: 3(NXDOMAIN)
> Telcontar:~ #
> Telcontar:~ # host ntp.jaztel.es
> Host ntp.jaztel.es not found: 3(NXDOMAIN)
>
> Telcontar:~ # host ntp.orange.es
> ntp.orange.es is an alias for www-default.orange.es.
> www-default.orange.es has address 62.37.237.90
> www-default.orange.es has address 62.37.237.91
> Telcontar:~ #
>
> 1 out of 5.

I see you said pretty much the same thing in 2006! Spain appears to be
an exception.

According to http://www.pool.ntp.org/zone/es
Spain — es.pool.ntp.org
We need more servers in this country.

So complain to your ISPs, not us!

On 2013-09-30 15:49, Dave Howorth wrote:

> I see you said pretty much the same thing in 2006! Spain appears to be
> an exception.

I do not claim to know the situation in every country.

> According to http://www.pool.ntp.org/zone/es
> Spain — es.pool.ntp.org
> We need more servers in this country.
>
> So complain to your ISPs, not us!

I do not complain to anybody, I just object to the affirmation that
«Most ISPs have their own time servers». Complaining to ISPs here is
useless, they just have robotized human talking heads, aka flower pots,
to hear the complaints.

Complaints are filed in the appropriate folder, the ‘P’, for “papelera”
(dustbin).


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

Carlos E. R. wrote:
> On 2013-09-30 15:49, Dave Howorth wrote:
>
>> I see you said pretty much the same thing in 2006! Spain appears to be
>> an exception.
>
> I do not claim to know the situation in every country.
>
>
>> According to http://www.pool.ntp.org/zone/es
>> Spain — es.pool.ntp.org
>> We need more servers in this country.
>>
>> So complain to your ISPs, not us!
>
> I do not complain to anybody,

Well you should.

http://www.usno.navy.mil/USNO/time/ntp

“ISPs should configure routers or firewalls to serve as stratum 2
servers to the ISP network.”

> I just object to the affirmation that
> «Most ISPs have their own time servers».

I could adapt my statement to say “Most ISPs have their own time
servers, except in Spain” if you believe the population of ISPs in Spain
is big enough to affect anything. :)

The point is that people should try to use their ISP’s time servers
before they try to use the public pool.

And, of course, time servers cannot be found simply by guessing host
names. Your ISPs might have them under some other name, such as the DNS
server. Have you asked? Or tested?

There’s a script in
http://blogtech.oc9.com/index.php?view=article&id=13%3Ahow-to-find-the-best-ntp-servers-near-you-to-query-for-time-for-ntpd-server&Itemid=1&option=com_content

On 2013-09-30 16:40, Dave Howorth wrote:
> Carlos E. R. wrote:

>> I do not complain to anybody,
>
> Well you should.
>
> http://www.usno.navy.mil/USNO/time/ntp

What the USA Military says, does not apply outside of the USA. Unless
they apply “force”.

If you show text from the International Telecommunication Union or some
other international body, that would be different. No, RFCs are not
enough, not mandatory.

>> I just object to the affirmation that
>> «Most ISPs have their own time servers».
>
> I could adapt my statement to say “Most ISPs have their own time
> servers, except in Spain” if you believe the population of ISPs in Spain
> is big enough to affect anything. :)

Well, IMO it is.

> The point is that people should try to use their ISP’s time servers
> before they try to use the public pool.

That, yes.

> And, of course, time servers cannot be found simply by guessing host
> names. Your ISPs might have them under some other name, such as the DNS
> server. Have you asked? Or tested?

Asking whom? The flower pots?

For what it’s worth, years ago I worked for a big ISP. There were no NTP
servers internal to the network, even for use by our own servers.

ISPs do not care for service. They are removing mail service, for
instance. What the mass of people ask for is web. Windows work, no idea
what NTP is.

> There’s a script in
> http://blogtech.oc9.com/index.php?view=article&id=13%3Ahow-to-find-the-best-ntp-servers-near-you-to-query-for-time-for-ntpd-server&Itemid=1&option=com_content

Using the servers in the pool is just easier ;)


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)