Re: NTP synchronized: no

[Rick Stevens <ricks@xxxxxxxxxxxxxx>]

On 09/08/2015 10:52 AM, Patrick Dupre wrote:
> Hello,
>
> I am not sure to understand.
> The previous conclusion was that the firewall did not let me go through.
> Now, I have:
>                   :::*                                5704/chronyd
> [root@Homere ~]# netstat -pna | grep :123
> udp        0      0 193.49.194.196:35562    210.173.160.27:123      ESTABLISHED 5704/chronyd
> udp        0      0 193.49.194.196:60225    210.173.160.57:123      ESTABLISHED 5704/chronyd
> udp        0      0 193.49.194.196:36218    210.173.160.87:123      ESTABLISHED 5704/chronyd
> udp        0      0 193.49.194.196:36803    178.32.54.53:123        ESTABLISHED 5704/chronyd
> udp        0      0 193.49.194.196:57367    62.210.85.244:123       ESTABLISHED 5704/chronyd
> udp        0      0 0.0.0.0:123             0.0.0.0:*                           5704/chronyd
> udp        0      0 193.49.194.196:57601    91.121.169.20:123       ESTABLISHED 5704/chronyd
> udp        0      0 193.49.194.196:34907    195.83.66.158:123       ESTABLISHED 5704/chronyd
> udp6       0      0 :::123                  :::*                                5704/chronyd
>
> timedatectl
>        Local time: Tue 2015-09-08 19:46:24 CEST
>    Universal time: Tue 2015-09-08 17:46:24 UTC
>          RTC time: Tue 2015-09-08 17:46:24
>          Timezone: Europe/Paris (CEST, +0200)
>       NTP enabled: yes
> NTP synchronized: yes
>   RTC in local TZ: no
>        DST active: yes
>   Last DST change: DST began at
>                    Sun 2015-03-29 01:59:59 CET
>                    Sun 2015-03-29 03:00:00 CEST
>   Next DST change: DST ends (the clock jumps one hour backwards) at
>                    Sun 2015-10-25 02:59:59 CEST
>                    Sun 2015-10-25 02:00:00 CET
>
> traceroute -p 123 -U 123.204.45.116
> traceroute to 123.204.45.116 (123.204.45.116), 30 hops max, 60 byte packets
>   1  cisco-dk.univ-littoral.fr (193.49.194.1)  1.768 ms  1.944 ms  2.151 ms
>   2  192.168.168.203 (192.168.168.203)  0.317 ms  0.417 ms  0.486 ms
>   3  * * *
>   4  * * *
>
> It does not looks like that the connection with the time server is established.
> However, it says:
> NTP synchronized: yes
>
> On the other side, the machine is 10 s beyond http://www.worldtimeserver.com/

To see what chronyd is doing, run "chronyc -n sources" as the root
user. Don't rely on what netstat is telling you.

Here's what I see:

[root@prophead ~]# chronyc -n sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 132.163.4.101                 1  10   377   316  +5458us[+5379us] +/- 
  32ms
^- 104.41.150.68                 2  10   357   806  -8917us[-8979us] +/- 
  91ms
^+ 192.155.90.13                 2  10   377   912    -12ms[  -12ms] +/- 
  67ms
^- 198.211.106.151               2   9   377   486    -12ms[  -12ms] +/- 
  81ms

From the chrony docs, the first two columns ("M" and "S") mean:

'M'
     This indicates the mode of the source.  '^' means a server, '='
     means a peer and '#' indicates a locally connected reference clock.

'S'
     This column indicates the state of the sources.  '*' indicates the
     source to which 'chronyd' is currently synchronised.  '+' indicates
     acceptable sources which are combined with the selected source.
     '-' indicates acceptable sources which are excluded by the
     combining algorithm.  '?' indicates sources to which connectivity
     has been lost or whose packets don't pass all tests.  'x' indicates
     a clock which 'chronyd' thinks is is a falseticker (i.e.  its time
     is inconsistent with a majority of other sources).  '~' indicates a
     source whose time appears to have too much variability.  The '?'
     condition is also shown at start-up, until at least 3 samples have
     been gathered from it.


In my case, they're all servers ("M" all show "^") and I'm currently 
sync'd to 132.163.4.101 (the "*" under "S"). The second and fourth
servers listed are "acceptable sources" but excluded based on the
combining algorithms. The third item is acceptable on its own.

Another useful version is "chronyc activity":

[root@prophead ~]# chronyc activity
200 OK
4 sources online
0 sources offline
0 sources doing burst (return to online)
0 sources doing burst (return to offline)
0 sources with unknown address

So I see four sources online and available.

As others have said, if you're in a university setting it is entirely
possible that they want you to use THEIR NTP servers, not ones wild on
the net. They may very well block UDP port 123 on their firewalls so 
your best bet is to ask the admins which NTP servers are available to
you.

On my corporate firewall, I block NTP for most of my users, but I have
NTP services running on my DNS cache servers. That's what the people
behind my firewall get access to (and what's configured to be returned
on DHCP requests from them).

> > Sent: Tuesday, September 08, 2015 at 7:42 PM
> > From: "John Pilkington" <J.Pilk@xxxxxxxxx>
> > To: users@xxxxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: NTP synchronized: no
> >
> > On 08/09/15 18:02, Rick Stevens wrote:
> > > On 09/08/2015 03:27 AM, John Pilkington wrote:
> > > > On 08/09/15 10:52, Ed Greshko wrote:
> > > > > On 09/08/15 17:29, Patrick Dupre wrote:
> > > > > > I cannot synchronize the date:
> > > > > > My undestanding is that it should be set by:
> > > > > > timedatectl set-ntp yes
> > > > > >
> > > > > > Here, the results of some commands:
> > > > > >
> > > > > > netstat -a |grep ntp
> > > > > > udp        0      0 localhost.localdo:51314 ns346276.ip-94-23-3:ntp
> > > > > > ESTABLISHED
> > > > > > udp        0      0 localhost.localdo:39994 tomia.ordimatic.net:ntp
> > > > > > ESTABLISHED
> > > > > > udp        0      0 localhost.localdo:45035 ntp.tuxfamily.net:ntp
> > > > > > ESTABLISHED
> > > > > > udp        0      0 localhost.localdo:49209 host3.nuagelibre.or:ntp
> > > > > > ESTABLISHED
> > > > > > warning, got bogus l2cap line.
> > > >
> > > > That looks different: here's mine.
> > > >
> > > > [john@HP_Box ~]$ netstat -a | grep ntp
> > > > udp        0      0 0.0.0.0:ntp             0.0.0.0:*
> > > > udp6       0      0 [::]:ntp                [::]:*
> > > > [john@HP_Box ~]$ netstat -a | grep 323
> > > > udp        0      0 localhost:323           0.0.0.0:*
> > > > udp6       0      0 localhost:323           [::]:*
> > > > plus a few irrelevant responses.
> > > >
> > > > but ...grep 123 shows nothing that looks relevant.
> > > >
> > > > Quoting from the faq:
> > > >
> > > > Perhaps you have a firewall set up in a way that blocks packets on port
> > > > 323/udp.  You need to amend the firewall configuration in this case.
> > >
> > > ntp is UDP port 123 as is shown in your output. By default, netstat
> > > will translate port numbers to services found in your /etc/services
> > > file. If you want to verify it, try "netstat -apn | grep :123" and you
> > > should see something on that port:
> > >
> > > [root@prophead ~]# netstat -pna | grep :123
> > > ...
> > > udp        0      0 192.168.1.50:58156      104.41.150.68:123
> > > ESTABLISHED 841/chronyd
> > > ...
> > >
> > > So you can see that chronyd is connected to 104.41.150.68 via UDP port 123.
> >
> > Thanks Rick.  On my system, ( which does have a working chrony setup)  I
> > see:
> >
> > $ uname -a
> > Linux HP_Box 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Aug 5 14:37:37 CDT
> > 2015 x86_64 x86_64 x86_64 GNU/Linux
> >
> > [john@HP_Box ~]$ netstat -pna | grep :123
> > (Not all processes could be identified, non-owned process info
> >    will not be shown, you would have to be root to see it all.)
> > udp        0      0 0.0.0.0:123             0.0.0.0:*
> >           -
> > udp6       0      0 :::123                  :::*
> >           -
> > [john@HP_Box ~]$ su
> > Password:
> > [root@HP_Box john]# netstat -pna | grep :123
> > udp        0      0 0.0.0.0:123             0.0.0.0:*
> >           692/chronyd
> > udp6       0      0 :::123                  :::*
> >           692/chronyd
> > [root@HP_Box john]# netstat -pna | grep :323
> > udp        0      0 127.0.0.1:323           0.0.0.0:*
> >           692/chronyd
> > udp6       0      0 ::1:323                 :::*
> >           692/chronyd
> > [root@HP_Box john]# exit
> > exit
> > [john@HP_Box ~]$
> >
> >
> >
> >
> >
> > --
> > users mailing list
> > users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change subscription options:
> > https://admin.fedoraproject.org/mailman/listinfo/users
> > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> > Have a question? Ask away: http://ask.fedoraproject.org


--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-  BASIC is the Computer Science version of `Scientific Creationism' -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org