  #1   (View Single Post)  
Old 19th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default Local NTPd Server "bad peer"

Hi all,

I can't seem to figure out what the problem is. I'm trying to have one of my OpenBSD (4.5) boxes act as a local NTP server. The box will fetch the time from the net and serve out to devices inside my network.

The time seems accurate on this box. (BSD1)

I have connected a second OpenBSD box (4.5) and directed it to use the first box as its NTP peer and get the following error.

Code:
Dec 13 15:34:57 BSD2 ntpd[13067]: bad peer 192.168.244.1 (192.168.244.1)
Note: The time is clearly wrong (pay no attention to it)

These two machines are on the same subnet (192.168.244.0/24) similar to the below

Internet <-> BSD1 <-> Switch <-> BSD2

BSD1 would also be the Gateway.

ntpd.conf on BSD1 is:
Code:
listen on 192.168.244.1

server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
Am I missing something which will allow other hosts to connect to it?

Is there authentication?


Please let me know,
Thanks!
Reply With Quote
  #2   (View Single Post)  
Old 19th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Are your PF rules blocking the ntp traffic? If you use a block all as your default, you'll need something similar to:
Code:
pass log proto {udp tcp} from any to any port ntp
pass log proto {udp tcp} from any port ntp to any
Reply With Quote
  #3   (View Single Post)  
Old 20th August 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by plexter View Post
The time seems accurate on this box. (BSD1)
Assuming you have daemonized ntpd by not specifying the -d switch in /etc/rc.conf.local, the daemon will log to /var/log/daemon. Depending upon the accuracy of the system's crystal:
  • you should find a running commentary of what adjustments are being made to keep the system in sync in the log file. If you are using the -d switch, all logging should be seen on the console.
  • Until the system is in sync (only adjustments of the order of hundredths of a second are being made...), your local time server will not serve time out to clients.

    Some motherboards have horrible crystals or cannot hold an accurate time once powered off. This is why there is the -s switch which simply sets the time at boot-time. If you elect to use this switch, recognize that the system clock may dramatically jump which may have negative effects on any scheduled cron jobs.

    I have an old sparc64 system that I use as a time server. The first time I configured it, it took over a day for it to proclaim itself synchronized such that it would serve out time updates to clients.
Specifying the -v switch may provide more salient information.
Quote:
Internet <-> BSD1 <-> Switch <-> BSD2

BSD1 would also be the Gateway.

ntpd.conf on BSD1 is:
Code:
listen on 192.168.244.1

server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
This doesn't look right. If BSD1 is getting NTP updates from the Internet, why are you specifying a private RFC1918 address?
Quote:
Am I missing something which will allow other hosts to connect to it?
You haven't provided any information about the clients' configuration.
Quote:
Is there authentication?
No.

You should become familiar with the ntpd(8) & ntpd.conf(5) manpages. Likewise, there have been a number of discussions on misc@ about "bad peer" proclamations:

http://marc.info/?l=openbsd-misc&w=2...d+bad+peer&q=b

Be forewarned that the syntax of ntpd.conf has changed over the last several releases, so read the oldest threads with caution.
Reply With Quote
  #4   (View Single Post)  
Old 20th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by ocicat View Post
... This doesn't look right. If BSD1 is getting NTP updates from the Internet, why are you specifying a private RFC1918 address?
To the best of my understanding, the "listen" directive is used when ntpd(8) will be used to provide local time services. It does not listen, and acts only as a client, by default. The "server" directives are to obtain time from the upstream servers on the internet, when ntpd acts in "client mode".
Reply With Quote
  #5   (View Single Post)  
Old 20th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Hi all,

Thanks for the replies.

I'm a little confused by what was written above. I'm pretty sure the whole idea of listen is to allow incoming connections. Otherwise how do you set up an NTP server?

I've adjusted my PF rules and I believe perhaps that they were conflicting.
I now have a new "error", although from reading online I don't think it's really an "error".

Code:
Aug 20 13:28:44 BSD2 ntpd[16325]: reply from 192.168.244.1: not synced, next query 3259s
I believe this confirms there is communication anyhow.

I tried manually setting the clock but that didn't resolve the "errors".


Any comments?

Thanks!
Reply With Quote
  #6   (View Single Post)  
Old 20th August 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

What's hard to understand? Before any NTP server can serve clients.. it first must be totally synchronized with another time source, whether that's a remote server or a local timedelta sensor.. it doesn't matter.

This is the kind of daemon that you simply ignore.. the time will be updated incrementally.

You can use rdate(8) with the -n argument (..SNTP protocol) for immediate updates.. but if you're losing a lot of time, then it seems likely that the clock battery is dying and you'll need to replace it.

Last edited by BSDfan666; 20th August 2009 at 05:58 PM.
Reply With Quote
  #7   (View Single Post)  
Old 20th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

ntpd(8) makes very small clock adjustments, unless you start it with the -s parameter. Two excerpts from the man page:
Quote:
-S Do not set the time immediately at startup. This is the de-
fault.

-s Set the time immediately at startup. Allows for a large time
correction, eliminating the need to run rdate(8).
.
.
.
ntpd uses the adjtime(2) system call to correct the local system time
without causing time jumps. Adjustments of 32ms and greater are logged
using syslog(3). The threshold value is chosen to avoid having local
clock drift thrash the log files. Should ntpd be started with the -d or
-v option, all calls to adjtime(2) will be logged.

After the local clock is synchronized, ntpd adjusts the clock frequency
using the adjfreq(2) system call to compensate for systematic drift.
The "error" message says that the clocks are not (yet) synced, and that another attempt will be made in 55 minutes.

If you want instant synchronization, use -s, or, as bsdfan and the man page say, use rdate.
Reply With Quote
  #8   (View Single Post)  
Old 20th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Quote:
What's hard to understand?
I'm confused about all this talk about the listen address. I had always left it unused unless attempting to serve out like I am now.

I already am running NTP as follows:
Code:
ntpd_flags="-s"
And I have rebooted my system.

Quote:

before any NTP server can serve clients.. it first must be totally synchronized with another time source, whether that's a remote server or a local timedelta sensor.. it doesn't matter.
Isn't that the point of this? (which has been running just fine for quite a long time)

Code:
server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org

I tried manually using rdate first on the NTP Server and then on the BSD2 machine.

on BSD1 came back with about 20 lines of:
(rdate -ncv 0.ca.pool.ntp.org)

rdate: Invalid cookie received, packet rejected

and ended with:

rdate: adjust local clock by 36.102187 seconds

on BSD2 it seemed to just fail:
(rdate -ncv 192.168.244.1)

rdate: Ignoring NTP server with alarm flag set
rdate: Unable to get a reasonable time estimate

Thanks for your help.
Reply With Quote
  #9   (View Single Post)  
Old 20th August 2009
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 2,888
Thanked 190 Times in 160 Posts
Default

Quote:
Originally Posted by plexter View Post
Quote:
Originally Posted by BSDfan666
before any NTP server can serve clients.. it first must be totally synchronized with another time source, whether that's a remote server or a local timedelta sensor.. it doesn't matter.
Isn't that the point of this? (which has been running just fine for quite a long time)
The original problem posed was that local clients didn't have the same time as your local time server. Thus they are not synchronized with the time server they are supposedly configured to receive updates from.

If the local time server is not synchronized with the upstream time servers, the local time server will also not be providing any NTP updates to your local clients -- hence it is not surprising that the clients may be exhibiting the wrong time if the local time server itself is not synchronized or configured correctly.

No log messages have been posted from /var/log/daemon, so it is anyone's guess as to the current state of your local time server.
Reply With Quote
Old 21st August 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Thanked 9 Times in 8 Posts
Default

My /etc/hostname.fxp1
Code:
inet 192.168.2.1 255.255.255.0 192.168.2.255 \
 media 100baseTX mediaopt full-duplex \
 group inside description "SoHo LAN"
inet alias 192.168.2.2 255.255.255.255 NONE
inet alias 192.168.2.3 255.255.255.255 NONE
Personal preference is that .1 is the gateway, .2 is my DNS listener, and .3 is my NTP listener. Obviously, they can all run on .1, but I like to split them out and write pf.conf rules accordingly. Therefore, ...

My /etc/rc.conf.local
Code:
ntpd_flags="-s"
My /etc/ntpd.conf
Code:
# $OpenBSD: ntpd.conf,v 1.8 2007/07/13 09:05:52 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)
listen on 192.168.2.3  # my LAN
listen on 127.0.0.1
listen on 192.168.3.3  # my WiFi
listen on 192.168.7.3  # my VoIP and DMZ
#
server 0.ca.pool.ntp.org
server 1.ca.pool.ntp.org
server 2.ca.pool.ntp.org
server 3.ca.pool.ntp.org
# -
It syncs with outside time servers (<>..ca.pool.ntp.org) and then serves time to local clients that sync to the .3 addresses.

Your /etc/pf.conf must PASS OUT on INTERNET interface UDP-NTP with state and PASS IN on LAN interface UDP-NTP with state from itself. Please post your pf.conf.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 21st August 2009 at 11:03 PM.
Reply With Quote
Old 21st August 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Thanked 9 Times in 8 Posts
Default

Note, as has been mentioned, the ntp daemon will NOT start serving time UNLESS and UNTIL it is synced AND the DRIFT PRECISION (aka. CLOCK DISCIPLINE) self-adjusts to some very tight tolerance (stability).

http://www.openbsd.org/faq/faq6.html#OpenNTPD, reads, in part,

Quote:
When you have ntpd(8) listening, it may happen that other machines still can't synchronize to it! A freshly started ntpd(8) daemon (for example, if you just restarted it after modifying ntpd.conf) refuses to serve time information to other clients until it adjusts its own clock to a reasonable level of stability first. When ntpd(8) considers its own time information stable, it announces it by a "clock now synced" message in /var/log/daemon. Even if the system clock is pretty accurate in the beginning, it can take up to 10 minutes to get in sync, and hours or days if the clock is not accurately set at the start.
More info on the OpenNTPD implementation in the OpenBSD distro at http://www.advogato.org/person/dtuck....html?start=52.

/S
Reply With Quote
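
Added example (not part of any post in this thread, and not OpenNTPD code): the FAQ passage quoted above ties serving time to the "synced" message in /var/log/daemon, so this script classifies each host from its ntpd syslog lines. The sample lines, host names, addresses and the 180-second threshold are constructed assumptions; the message formats follow the ones posted in this thread.

```shell
#!/bin/sh
# Classify ntpd state per host from syslog lines (format of /var/log/daemon).
# Usage: ntpd_state [limit_seconds] < logfile
# limit_seconds is an assumed triage threshold, not an OpenNTPD setting:
# an "adjusting local clock by" offset above it is flagged as needing a
# step (ntpd -s or rdate) instead of waiting for the slow adjtime slew.
ntpd_state() {
    awk -v limit="${1:-180}" '
    $5 ~ /^ntpd\[[0-9]+\]:$/ {
        host = $4
        msg = $0
        sub(/^.*ntpd\[[0-9]+\]: /, "", msg)
        if (!(host in verdict)) {
            order[++n] = host; verdict[host] = "unknown"; bad[host] = 0
        }
        if (msg ~ /^ntp engine ready/) {
            # Fresh daemon: not serving clients until it logs "synced".
            verdict[host] = "converging"; bad[host] = 0
        } else if (msg ~ /^clock (is )?now synced/) {
            verdict[host] = "synced"
        } else if (msg ~ /^clock (is )?now unsynced/) {
            # Assumed counterpart message; not shown in this thread.
            verdict[host] = "converging"
        } else if (msg ~ /^adjusting local clock by /) {
            off = $NF; sub(/s$/, "", off); off += 0
            if (off < 0) off = -off
            if (off > limit) verdict[host] = "needs-step"
            else if (verdict[host] != "synced") verdict[host] = "converging"
        } else if (msg ~ /^set local clock to /) {
            verdict[host] = "converging"      # clock was stepped at startup
        } else if (msg ~ /^reply from .*: not synced/) {
            verdict[host] = "upstream-not-synced"
        } else if (msg ~ /^bad peer /) {
            bad[host]++
        }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s %s bad_peers=%d\n", order[i], verdict[order[i]], bad[order[i]]
    }'
}

# Constructed sample: server slewing a huge offset, client being refused.
sample_before() {
    cat <<'EOF'
Aug 25 13:13:20 gw ntpd[101]: adjusting local clock by 4309.229700s
Aug 25 13:18:06 gw ntpd[101]: adjusting local clock by 4307.826573s
Aug 25 13:20:00 client ntpd[202]: reply from 192.0.2.1: not synced, next query 3259s
EOF
}

# Constructed sample: same server after a restart that stepped the clock.
sample_after() {
    cat <<'EOF'
Aug 26 12:18:58 gw ntpd[300]: ntp engine ready
Aug 26 13:23:58 gw ntpd[301]: set local clock to Wed Aug 26 13:23:58 EDT 2009 (offset 3899.397859s)
Aug 26 13:24:20 gw ntpd[300]: peer 198.51.100.10 now valid
Aug 26 13:28:57 gw ntpd[300]: bad peer 198.51.100.20 (198.51.100.20)
Aug 26 13:29:33 gw ntpd[300]: clock is now synced
Aug 26 13:40:00 gw ntpd[300]: adjusting local clock by 0.045000s
EOF
}

echo "before:"; sample_before | ntpd_state
echo "after:";  sample_after  | ntpd_state
```

On a real host the input would be `ntpd_state < /var/log/daemon`; a server that stays at `needs-step` explains clients logging "not synced" replies.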
Old 20th August 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

The listen option allows you to select which interface you wish to listen on.. it accepts * as a wildcard for all interfaces, or the IPv4/IPv6 address of a single interface.

If the system you call BSD1 is 192.168.224.1, then the correct option would be listen on 192.168.244.1.

Now all hosts on your subnet can add server 192.168.244.1 except for BSD1, get it?

Hope that helps...

EDIT: I'd also recommend trying to find a local NTP server, perhaps your ISP has one.. or a local college/university.

Last edited by BSDfan666; 20th August 2009 at 11:01 PM.
Reply With Quote
Old 25th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Hi all. Thanks for your input.

I'll start from the earlier posts first. (will post new configs...etc at the end)

BSDfan666:

In regards to the listen address...etc I have had all of that set already.

I had modified my NTP servers to be "more" local however I don't see this as being beneficial over a round-robin relay "server 0.ca.pool.ntp.org"

ocicat:

Quote:
If the local time server is not synchronized with the upstream time servers, the local time server will also not be providing any NTP updates to your local clients -- hence it is not surprising that the clients may be exhibiting the wrong time if the local time server itself is not synchronized or configured correctly.
This brings me to notice the following (since I've been away) the BSD1 machine (ntp server) seems to have a time of exactly 1 hour behind. It almost seems like the timezone is incorrect yet I have reset both BSD1 and BSD2 to Canada Eastern and even rebooted. Still shows the clock 1 hour behind and NTP says synchronizing with ntp server. (see below)

Quote:
No log messages have been posted from /var/log/daemon, so it is anyone's guess as to the current state of your local time server.
I have been posting my /var/log/daemon (relevant) since my first post. However if something lacks please feel free to ask.

s2scott:

Thanks your configs look pretty much the same as mine when I started with the exception of your interfaces.

Configs and Logs:


[BSD1]

/etc/ntpd.conf
Code:
listen on 192.168.244.1

server  128.100.56.135     #tick.utoronto.ca
server  128.100.100.128    #tock.utoronto.ca
server  136.159.2.254      #subitaneous.cpsc.ucalgary.ca
server  128.233.3.101      #tock.usask.ca
server  128.233.3.100      #tick.usask.ca
/var/log/daemon (filtered)
I've noticed daemon is getting fairly cluttered. Is it possible to send NTP to its own log?

Recent Logs of synchronization:
Code:
Aug 25 13:09:17 BSD1 ntpd[24780]: peer 128.100.100.128 now valid
Aug 25 13:13:20 BSD1 ntpd[27339]: adjusting local clock by 4309.229700s
Aug 25 13:13:51 BSD1 ntpd[27339]: adjusting local clock by 4309.074970s
Aug 25 13:18:06 BSD1 ntpd[27339]: adjusting local clock by 4307.826573s

...

Note this seems to be fairly constant and has been going all weekend with no noticeable difference in the actual time

Approx. system date related to logs (minute/sec maybe slightly off)

# date
Tue Aug 25 13:19:50 EDT 2009

Actual time is Tue Aug 25 14:xx:xx EDT 2009
I believe in order to get anything else working properly, BSD1 will first need to be working correctly. However I do not understand what could be causing it to be exactly 1 hour behind! Ideas?

Thanks for your help!
Reply With Quote
Old 25th August 2009
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 564
Thanked 14 Times in 13 Posts
Default

Quote:
what could be causing it to be exactly 1 hour behind! Ideas?
Daylight Savings Time is always a good candidate for a 1-hour glitch ... provided it is off in the right direction. Check out config and its timezone command.
Reply With Quote
Old 25th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

It doesn't appear to be *exactly* an hour off, at least by your log: 4309 seconds is close to 1 hr 11 min.
Reply With Quote
Old 26th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Thanks for your replies.

Quote:

Check out config and its timezone command.
I'm not sure what you mean. "config" ? If you mean by setting the timezone via
Code:
/usr/share/zoneinfo
Then I believe (to the best of my knowledge) this is done. I've set to Canada Eastern. However if I also need to set Daylight Savings I am not sure how. Could you please elaborate?

Quote:
It doesn't appear to be *exactly* an hour off, at least by your log: 4309 seconds is close to 1 hr 11 min.
The 11 minutes could be due to delay between checking configs...etc. I was not really intending on precision.

However 1 h or 1h 11m is still not good in either case. lol

I'm curious on investigating this time zone/daylight settings more. If there are further settings than specifying my zone then those must be the cause.

Thanks!
Reply With Quote
Old 26th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Solve one problem at a time. Let's get your local server synced properly, which is only one of your problems:

Step 1: Get your system you want acting as a time server into sync, at once. a) Stop your ntpd client, b) restart ntpd, and use the -s option to sync immediately.

# pkill ntpd
# ntpd -s

Step 2: Check your local time

$ date

Step 3: Are you still running with the wrong time now? One hour off? Minutes off? Multiple hours off?
If you are exactly one hour off, you likely have a timezone problem. Confirm you are using the correct timezone file:

$ ls -l /etc/localtime

If /etc/localtime is a symbolic link to the correct timezone file, but your timezone is still off, you can adjust timezone interpretation in the kernel. As previously recommended, read the timezone section of the config(8) man page.
If the time is still incorrect after ntpd -s, but something other than exactly one hour, please let us know.
Reply With Quote
Old 26th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Thanks for the reply.

I have done as indicated.

On BSD1:

killing and running ntpd seems to have helped. I did on both, waiting a bit before running on BSD2.

/var/log/daemon
Code:
Aug 26 12:18:51 BSD1 ntpd[24780]: ntp engine exiting
Aug 26 12:18:51 BSD1 ntpd[27339]: Terminating
Aug 26 12:18:58 BSD1 ntpd[6422]: listening on 192.168.244.1
Aug 26 12:18:58 BSD1 ntpd[6422]: ntp engine ready
Aug 26 13:23:58 BSD1 ntpd[20099]: set local clock to Wed Aug 26 13:23:58 EDT 2009 (offset 3899.397859s)
Aug 26 13:24:20 BSD1 ntpd[6422]: peer 128.100.56.135 now valid
Aug 26 13:24:22 BSD1 ntpd[6422]: peer 128.100.100.128 now valid
Aug 26 13:24:23 BSD1 ntpd[6422]: peer 136.159.2.254 now valid
Aug 26 13:28:57 BSD1 ntpd[6422]: 3 out of 5 peers valid
Aug 26 13:28:57 BSD1 ntpd[6422]: bad peer 128.233.3.101 (128.233.3.101)
Aug 26 13:28:57 BSD1 ntpd[6422]: bad peer 128.233.3.100 (128.233.3.100)
Aug 26 13:29:33 BSD1 ntpd[6422]: clock is now synced
date = Wed Aug 26 13:29:51 EDT 2009

BSD2:

/var/log/daemon
Code:
Aug 26 13:31:59 BSD2 ntpd[2659]: ntp engine exiting
Aug 26 13:32:06 BSD2 ntpd[24777]: ntp engine ready
Aug 26 13:32:58 BSD2 ntpd[1217]: set local clock to Wed Aug 26 13:32:58 EDT 2009 (offset 51.747407s)
I also verified ls -l /etc/localtime and all seemed accurate.

I will keep an eye on this for the next little while to see if the changes "stick" this time. :P

Thanks for all your help! Glad the time is finally working.
Reply With Quote
Old 26th August 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,710
Thanked 214 Times in 189 Posts
Default

Glad to learn things are working for you now.

You know, had you tried -s on the 20th, as recommended, you'd have had this working last week.
Reply With Quote
Old 26th August 2009
plexter plexter is offline
Shell Scout
 
Join Date: May 2008
Posts: 124
Thanked 0 Times in 0 Posts
Default

Well come to think of it, why isn't "-s" working as normal? I have always had it in my rc.conf.local. Should it not be applied at boot? I've rebooted several times.

Code:
ntpd_flags="-s"
Reply With Quote