I'm running all 10.5.8 servers and trying to get NTP straightened
out. All my boxes point to my OD Master, but all of the clocks
are out of sync by a minute or two here or there. I'd like to get
them in sync for obvious reasons.
My OD Master server is using time.apple.com, and my replicas and
other servers are using my OD Master as their time server, with
client computers using the replicas and other servers as their
time server.
I'm seeing in the system log file "no server suitable for
synchronization found". This is happening on my OD Master, my
servers, and my clients. Clients are a mix of 10.5.6 to 10.5.8.
The firewall service is not blocking ntp. Any thoughts on things
to check out on this to get it working? I don't want my clock
skews getting too far out of hand, since that will make Kerberos
work less than ideally.
I have been dealing with clock drift for a long time. I do
recall I had to open the router to in and out for ntp, which of
course makes sense.
I have a bunch of servers running 10.5 which cannot use an external
NTP server, and one 10.6 server which can use the external NTP
server, so I'm thinking it isn't so much the config of the router
needing to allow the UDP 123 port inbound.
I wish I could remember the details; I was in the same boat. Run

$ sudo launchctl list | grep ntp

and make sure you see something come back:

25 - org.ntp.ntpd

If you do not, you do not have the time server enabled in System
Preferences. Also, it may not be port 123 at all; the host you chose
may be broken. I use the time.apple.com ones.
Remember that your switch and router may also be doing NTP, so that
is a source of conflict to look into; do those set the time correctly?
/private/etc/ntp.conf will tell you which time server you are using.
If your launchd item is loaded, look at it:
$ cat /System/Library/LaunchDaemons/org.ntp.ntpd.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <dict>
        <key>PathState</key>
        <dict>
            <key>/private/etc/ntp.conf</key>
            <true/>
        </dict>
    </dict>
    <key>Label</key>
    <string>org.ntp.ntpd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/ntpd-wrapper</string>
    </array>
    <key>SHAuthorizationRight</key>
    <string>system.preferences</string>
</dict>
</plist>
Now look at
$ cat /usr/libexec/ntpd-wrapper
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/bin
# Wait until every network interface has finished configuring.
ipconfig waitall
# Step the clock once before ntpd starts: -b force a step, -v verbose,
# -s send the output to syslog instead of stdout.
ntpdate -bvs
# Un-comment the following line to run ntp with a sandbox profile.
# Sandbox profiles restrict processes from performing unauthorized
# operations; so it may be necessary to update the profile
# (/usr/share/sandbox/ntpd.sb) if any changes are made to the ntp
# configuration (/etc/ntp.conf).
# (The assignment needs the quotes, otherwise the shell treats "-f" as
# the command to run when the line is un-commented.)
#sb="/usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb"
Turn off "Set date and time automatically", or those ports are going
to be in use when we run the command below. Then run the command,
with a few more flags so you can see the debug output:

$ sudo /usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift -d -q

You should pretty quickly get an error of:

getconfig: Couldn't open </private/etc/ntp-restrict.conf>

My best memory is that ports are being bound to, and this is causing a
conflict; I spent some time on the ntp list. The way Apple chases
around 3 or so config files is just weird.
I have been able to pull off working ntp on all machines by modifying
how Apple does it. I only have to make sure that "set time and date"
is not checked. I modified the plist to point to this script:
* a little debugging going on there; your syslog will show it when
launchd runs. If you do not want that in there, turn it off; you will
have to look up the flags, I think -d is the one.
The above command uses all of Apple's original files; you are only
altering the plist, which could get nuked, but never has in my case.
Apple runs it as a daemon, as you can see in ps output; they run:

/usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ntpd.pid -f /var/db/ntp.drift
Now that I think about it, I think the best thing in this case may be
to alter the launchd item to simply run it non-daemon, on a schedule:
add in the -q flag and set launchd to run it every x minutes.
My gut tells me ntpdate is running, and then ntpd starts far too soon,
before ntpdate releases itself, and you get port-in-use conflicts and
file locks.
I have no idea why this stuff works on every home network I ever set
up, with a router, with no effort to port forward port 123, yet on a
server, which is not even the "Server" version, everyone has drift. If
we can narrow it down and really figure it out, that would be nice.
I am sure it is all in the man pages, but there is a lot to read for
two commands that do no more than set the time :) I would love to get
it working as a daemon, and not drift; it just does not want to work.
Perhaps I need to set up an ntp server and point all my machines at
that; then every machine at least would be the same, even if off a few
seconds at times.
Please add more to this until we solve it.
* my personal issues with drift have been solved, thanks for all the
off list jokes :)
--
Scott * If you contact me off list replace talklists@ with scott@ *
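Both posts above are really asking the same two questions: has ntpd actually selected a peer (the "no server suitable for synchronization found" message means it has not), and is the resulting offset inside the window Kerberos tolerates? The script below is an added example, not code from this thread or from Apple: it reads the text that `ntpq -p` prints and answers both. The three sample outputs, the hostnames in them, the function names and the 300 s tolerance (krb5's default clockskew) are constructed or assumed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ntpq -p` output whether ntpd
# has actually selected a sync peer and whether the clock offset is inside the
# Kerberos skew window. All sample output below is constructed.

# krb5's default clockskew is 300 s; assumed here as the tolerance, in ms.
KRB_MAX_SKEW_MS=300000

# Constructed `ntpq -p` output. Column 1 is the tally code: '*' = selected
# system peer, '+' = candidate, ' ' = discarded. 'reach' is an octal shift
# register of the last 8 polls (377 = all answered, 0 = never answered), and
# 'offset' is in milliseconds.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.apple.com  17.253.2.253     2 u   45   64  377   12.345  -23.456   4.123
+od-master.local 10.0.0.1         3 u   20   64  377    0.532   15.010   1.002'

# Peers are configured but none ever answered: stratum 16, refid .INIT., reach 0.
# This is the state behind "no server suitable for synchronization found".
SAMPLE_NOSYNC='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.apple.com  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 od-master.local .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# A peer is selected but the local clock is 7 minutes out: Kerberos will fail.
SAMPLE_SKEW='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*od-master.local 10.0.0.1         3 u   12   64  377    0.532 420123.456   2.100'

# Normalise ntpq -p text to one line per peer: "<tally> <remote> <reach> <offset>".
# The tally lives in column 1 and may be a space, so it is read positionally
# and a space is rendered as "_" to keep the fields countable.
ntp_peers() {
    printf '%s\n' "$1" | awk 'NR > 2 && length($0) > 1 {
        tally = substr($0, 1, 1)
        if (tally == " ") tally = "_"
        split(substr($0, 2), f)
        print tally, f[1], f[7], f[9]
    }'
}

# Remote name of the selected system peer, or nothing if ntpd has not picked one.
ntp_selected_peer() {
    ntp_peers "$1" | awk '$1 == "*" { print $2; exit }'
}

# Peers whose reach register is 0: configured, but never got a reply
# (UDP/123 blocked, dead host, or ntpd not really running on the other side).
ntp_unreachable_peers() {
    ntp_peers "$1" | awk '$3 == "0" { print $2 }'
}

# Absolute offset of the selected peer, in whole milliseconds; empty if none.
ntp_selected_offset_ms() {
    ntp_peers "$1" | awk '$1 == "*" { o = $4 + 0; if (o < 0) o = -o; printf "%d\n", o; exit }'
}

# Verdict: "nosync" (no selected peer), "skew" (selected, but offset beyond the
# Kerberos window), or "insync".
ntp_verdict() {
    peer=$(ntp_selected_peer "$1")
    if [ -z "$peer" ]; then
        echo nosync
        return 0
    fi
    off=$(ntp_selected_offset_ms "$1")
    if [ "$off" -gt "$KRB_MAX_SKEW_MS" ]; then
        echo skew
    else
        echo insync
    fi
}

# Usage on a live host: `sh ntpcheck.sh --live` feeds real `ntpq -p` output in.
if [ "${1:-}" = "--live" ] && command -v ntpq >/dev/null 2>&1; then
    live=$(ntpq -p 2>/dev/null)
    echo "verdict: $(ntp_verdict "$live")"
    echo "unreachable: $(ntp_unreachable_peers "$live" | tr '\n' ' ')"
fi
```

Run it with `--live` on the OD Master, a replica and a client and compare: a "nosync" verdict with every peer listed as unreachable points at the path to the upstream (router, switch doing NTP, or ntpd never reaching the bind stage, as the thread discusses), while "skew" means ntpd is talking to its peer but the clock has already drifted past what Kerberos will accept and needs a one-time step with ntpdate -b before ntpd can keep it.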