as a side note: if you use Red Hat's GUI tools to set up time
synchronization, they do it wrong. here are some excerpts from
/etc/ntp.conf on a 3.4 system (and the problem persists in 4):
--- begin paste ---
# Prohibit general access to this service.
restrict default ignore
restrict www.xxx.yyy.zzz mask 255.255.255.255 nomodify notrap noquery
...
# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap
noquery
# server mytrustedtimeserverip
...
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server www.xxx.yyy.zzz
fudge 127.127.1.0 stratum 10
--- end paste ---
(the ip address of our timeserver has been replaced by www.xxx.yyy.zzz)
first off, the Undisciplined Local Clock configuration is wrong - it
should be 127.127.1.0, which is the instruction that tells ntp to fail
over to the local machine's hardware clock (set down at stratum 10 so
that it'll only be used if the machine can't reach any of the real
timeservers). Red Hat has broken this functionality, for no good
reason that i can tell; with their config, ntp stops working if the
machine can't get to its timeservers.
second, in the first section is the wrong place to put the security
restrict line for the timeserver. it should be down in the second
section, "OUR TIMESERVERS" (replace mytrustedserverip with the ip
address of the time server, and repeat that pair of lines for each
timeserver).
i continue to be mystified by Red Hat's behavior in this case; it seems
like it would have taken just as much effort to get it right as to get
it wrong. hmm.
-steve
---
If this were played upon a stage now, I could condemn it as an
improbable fiction. - Fabian, Twelfth Night, III,v
