I have a Snow Leopard Server box running on a private LAN with no Internet access. If you can avoid ever doing this, you should, as not having an Internet connection has brought us hours and hours of headaches.
Anyway, our most recent headache is that Open Directory users can't authenticate with Kerberos as the client computers' individual clocks drift from the server's clock. So the server also needs to be an NTP server.
I cannot figure out how to configure the server so that it will respond to client requests in a way that they trust. Here's what a query looks like from a client machine:
$ ntpdate -q 192.168.1.250
server 192.168.1.250, stratum 16, offset 8.010421, delay 0.02605
2 Sep 16:32:23 ntpdate[346]: no server suitable for synchronization found
Here are my configuration files on the server:
/etc/ntp.conf
server 192.168.1.250
fudge 127.0.0.1 stratum 8 refid NIST
/etc/ntp-restrict.conf
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
includefile /private/etc/ntp.conf
Update
This is the configuration that I went with.
The NTP service is turned on in Server Admin under the General tab, and these 2 files are configured thusly:
/etc/ntp.conf
server 127.127.1.1
fudge 127.127.1.1 stratum 8 refid NIST
/etc/ntp-restrict.conf
restrict default notrust nomodify
restrict 127.127.1.1 mask 255.255.0.0 nomodify
restrict 192.168.1.0 mask 255.255.255.0 nomodify
includefile /private/etc/ntp.conf
Then the clients are configured to point to this server by name. It works perfectly.
-
IIRC, ntpdate is used to set times, but ntpd is used to maintain the time on a system.
Look in Server Admin --> --> Settings for the NTP on/off check box. Don't worry about the config files.
If you can't get a solution from the GUI, then the following website might help: http://docsrv.sco.com/NET_tcpip/ntpT.no_inet.html
Good luck.
sidewaysmilk : The GUI doesn't work AT ALL. I'm not sure how familiar you are with Snow Leopard Server, but all of the graphical administrative tools are severely, severely broken. We have several tickets open with Apple, but they don't seem very interested in fixing it. As a general rule of thumb, don't expect any box that you check or button that you click to actually do anything on your Snow Leopard server.
sidewaysmilk : The link that you provided looks very promising. Thanks!
Data Scavenger : Glad that link helped. FWIW, I actually manage hundreds of Macs in schools for about 12-13 years. Today, I use MacOS X Server version 10.6 (a.k.a. Snow Leopard) on numerous servers. The Advanced admin GUI works well for what it's designed to do. If you start using the CLI instead, then you have to keep using the CLI. The GUI just doesn't know about the changes that you made. So I generally discourage Unix-background sysadmins from doing this. For your long term sanity, you may want to reinstall & select the Advanced admin GUI. That works well for me. Either way, good luck!
sidewaysmilk : I don't know what you mean by "Advanced admin GUI." Somebody else ran the install. I asked him if this sounded familiar, and he doesn't remember coming across it after a dozen or so installations. Thanks.
sidewaysmilk : Ultimately, I relied on something very similar to the link that you provided. It definitely set me on the path to a solution that worked for me. I'll update my question with the relevant information when I get a chance. Thanks!
Data Scavenger : When MacOS X Server is first installed, it runs through a setup wizard, configures itself, and reboots. One of the settings (since 10.4 or 10.5, I can't recall) is to pick the administrator's "level," so to speak. "Advanced" gives you the most tools and complexity. There are two other levels, as I recall. I've never used them, though. The problem is that you only get asked this once. If you have Advanced, then you get Workgroup Manager and Server Admin. BTW, for more documentation, check this URL: http://www.apple.com/server/macosx/resources/documentation.html Hope that helps.
From Data Scavenger -
@sidewaysmilk;
[edit]
Oops, somewhat mis-read the question. Per http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html , a server labeled Stratum 16 = "a stratum of 16 indicates the remote peer is unsynchronized". If you explicitly trust 192.168.1.250, I'm fairly certain you will first have to use ntpd, and second ntp.conf will need a fudge for that server.
Something as simple as:
fudge 192.168.1.250 stratum 1
then either restart ntpd; or stop it, run
ntpd -q
and then start it. That should do the trick. (See also man ntpd under -g.)
[edit2]
I can't format well in comments, so I'm editing this in and will comment again to bump the thread; the fudge line is actually all you have to add in addition to what you already have.
/etc/ntp.conf
server 192.168.1.250
fudge 127.0.0.1 stratum 8 refid NIST
You want to add another fudge relative to the server you defined, so just add this line to the /etc/ntp.conf file; its position should be relatively irrelevant, bottom of the file should be fine.
fudge 192.168.1.250 stratum 1
This will tell ntpd that you don't care what ntp thinks, the server 192.168.1.250 will be considered a stratum 1 (which, IIRC, a server will have to be stratum 3 or higher in order to be automatically sync'ed with).
You can leave ntp-restrict.conf as-is.
@Data Scavenger;
ntpdate is deprecated. The old way of doing ntp was to cron ntpdate every hour. The new way can be done manually like that, but should be done via ntpd, which has the skew tick timer that will learn how your clock doesn't keep up, and send in ticks (or remove ticks) to compensate.
Data Scavenger : Thanks for the info about ntpdate's deprecation. Good to know.
sidewaysmilk : How do I explicitly trust the server on the client? Or are you talking about the server?
sidewaysmilk : I feel like your suggestion gets me really close to what I'm trying to do. Do you think you could put it all together in the necessary server and client configurations? I have very little experience administrating Mac Server and no experience administrating NTP. Thanks!
VxJasonxV : Done (11 more to go).
From VxJasonxV
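Added example (not part of the question or of any answer above): the "stratum 16 ... no server suitable for synchronization found" line in the question and the stratum-16 explanation in VxJasonxV's answer both come down to two header fields in the server's reply, the leap indicator and the stratum byte. The script below builds a mode-3 NTP query, parses the 48-byte reply, maps a wire stratum of 0 to the internal "16 = unsynchronized" that ntpdate and ntpq display, and applies the same rejection rules a client applies before it will trust the server. The two sample replies (UNSYNCED_REPLY, SYNCED_REPLY), their timestamps and refids are constructed for offline use; query() is the only part that touches the network, and is assumed to be run by hand against the server's IP (192.168.1.250 in the thread).

```python
"""Client-side NTP sanity check: build a query, parse the reply, and apply
the tests ntpdate/ntpd apply before trusting a server (LI and stratum).
Added example, not code from the thread; sample packets are constructed."""
import socket
import struct
import time
from dataclasses import dataclass
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBBbII4sQQQQ"             # RFC 5905 header, 48 bytes, no extensions
PACKET_LEN = struct.calcsize(PACKET_FMT)  # 48
LEAP_UNSYNC = 3                          # LI=3: server clock not synchronized
STRATUM_UNSPEC = 16                      # internal value for wire stratum 0


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32.32 fixed point, 1900 epoch)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_query(version: int = 4, now: Optional[float] = None) -> bytes:
    """Mode-3 (client) request; only the transmit timestamp is filled in."""
    now = time.time() if now is None else now
    first = (0 << 6) | (version << 3) | 3           # LI=0, VN=version, mode=3
    return struct.pack(PACKET_FMT, first, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp_ts(now))


@dataclass
class NtpReply:
    leap: int
    version: int
    mode: int
    stratum: int       # 16 when the wire byte is 0 (unsynchronized or kiss-o'-death)
    refid: bytes
    transmit: float    # server transmit time, Unix seconds

    def refid_text(self) -> str:
        # Stratum 1 and stratum 0/16 replies carry a 4-char ASCII code (LOCL,
        # NIST, INIT, kiss codes such as RATE); higher strata carry the IPv4
        # address of the server's own time source.
        if self.stratum in (1, STRATUM_UNSPEC):
            return self.refid.decode("ascii", "replace").rstrip("\0")
        return ".".join(str(b) for b in self.refid)

    def unsuitable_reason(self) -> Optional[str]:
        """None if a client would accept this server, else why it is rejected."""
        if self.mode != 4:
            return "reply is not a server (mode 4) packet"
        if self.leap == LEAP_UNSYNC:
            return "leap indicator 3: server clock not synchronized"
        if self.stratum >= STRATUM_UNSPEC:
            return f"stratum {self.stratum}: unsynchronized (refid {self.refid_text()})"
        return None


def parse_reply(data: bytes) -> NtpReply:
    if len(data) < PACKET_LEN:
        raise ValueError(f"short packet: {len(data)} bytes")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, _orig, _recv, xmt) = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    return NtpReply(leap=first >> 6, version=(first >> 3) & 7, mode=first & 7,
                    stratum=STRATUM_UNSPEC if stratum == 0 else stratum,
                    refid=refid, transmit=from_ntp_ts(xmt))


def make_reply(leap: int, stratum: int, refid: bytes, xmt: float, version: int = 4) -> bytes:
    """Constructed mode-4 server reply, for offline testing only."""
    first = (leap << 6) | (version << 3) | 4
    return struct.pack(PACKET_FMT, first, stratum, 6, -20, 0, 0, refid,
                       to_ntp_ts(xmt), 0, to_ntp_ts(xmt), to_ntp_ts(xmt))


def query(host: str, port: int = 123, timeout: float = 2.0) -> NtpReply:
    """Live check, e.g. query('192.168.1.250'); needs UDP/123 reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_reply(data)


# Constructed replies (timestamp is an arbitrary fixed value): what an
# unsynchronized server answers (wire stratum 0, LI=3, refid INIT), and what a
# server synced to a local clock fudged to stratum 8 answers (it serves at
# stratum 9, refid = address of its source).
UNSYNCED_REPLY = make_reply(leap=3, stratum=0, refid=b"INIT", xmt=1283466743.0)
SYNCED_REPLY = make_reply(leap=0, stratum=9, refid=bytes([127, 127, 1, 1]),
                          xmt=1283466743.0)

if __name__ == "__main__":
    for pkt in (UNSYNCED_REPLY, SYNCED_REPLY):
        r = parse_reply(pkt)
        print(f"stratum {r.stratum} refid {r.refid_text()}:",
              r.unsuitable_reason() or "suitable for synchronization")
```

Run it as-is to see the two constructed cases; call query("192.168.1.250") from a client on the LAN to see what the real server answers. Note that this only reproduces the header checks; it does not implement the clock filter or the offset/jitter selection that ntpd adds on top, and it does no authentication, so on a shared LAN it will happily accept a reply from any host that answers on UDP/123.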