[CentOS] NTP on CentOS 3.4

Tue Apr 19 16:47:14 UTC 2005
Steve Huff <shuff at vecna.org>

as a side note: if you use Red Hat's GUI tools to set up time 
synchronization, they do it wrong.  here are some excerpts from 
/etc/ntp.conf on a 3.4 system (and the problem persists in 4):

--- begin paste ---

# Prohibit general access to this service.
restrict default ignore
restrict www.xxx.yyy.zzz mask nomodify notrap noquery


# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask nomodify notrap 
# server mytrustedtimeserverip


# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
server www.xxx.yyy.zzz
fudge stratum 10

--- end paste ---

(the ip address of our timeserver has been replaced by www.xxx.yyy.zzz)

first off, the Undisciplined Local Clock configuration is wrong - it 
should be, which is the instruction that tells ntp to fail 
over to the local machine's hardware clock (set down at stratum 10 so 
that it'll only be used if the machine can't reach any of the real 
timeservers).  Red Hat has broken this functionality, for no good 
reason that i can tell; with their config, ntp stops working if the 
machine can't get to its timeservers.

second, in the first section is the wrong place to put the security 
restrict line for the timeserver.  it should be down in the second 
section, "OUR TIMESERVERS" (replace mytrustedserverip with the ip 
address of the time server, and repeat that pair of lines for each 

i continue to be mystified by Red Hat's behavior in this case; it seems 
like it would have taken just as much effort to get it right as to get 
it wrong.  hmm.
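The two problems described in the post can be checked mechanically. The following is an added example, not part of the original message or of any Red Hat tooling: it reads ntp.conf text and reports servers that have no restrict line under `restrict default ignore`, and fudge lines whose clock has no server line. The sample config, the function names and the IPv4-literals-only matching are assumptions.

```python
import ipaddress

# Constructed sample. 192.0.2.10 and 198.51.100.7 are documentation addresses;
# 127.127.1.0 is ntpd's local clock driver address (assumed, not from the page).
SAMPLE = """\
restrict default ignore
restrict 127.0.0.1
server 192.0.2.10
server 198.51.100.7
restrict 198.51.100.7 mask 255.255.255.255 nomodify notrap noquery
fudge 127.127.1.0 stratum 10
"""
REFCLOCKS = ipaddress.ip_network("127.127.0.0/16")  # driver pseudo-addresses

def parse(text):
    """Collect default restrict flags, restrict networks, servers, fudges."""
    flags, nets, servers, fudges = set(), [], [], []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "restrict" and tok[1] == "default":
            flags |= set(tok[2:])
        elif tok[0] == "restrict":
            mask = tok[3] if len(tok) > 3 and tok[2] == "mask" else "255.255.255.255"
            try:
                nets.append(ipaddress.ip_network(f"{tok[1]}/{mask}", strict=False))
            except ValueError:
                pass  # hostname or malformed mask: cannot be matched offline
        elif tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif tok[0] == "fudge":
            fudges.append(tok[1])
    return flags, nets, servers, fudges

def audit(text):
    """Return findings for unreachable servers and orphaned fudge lines."""
    flags, nets, servers, fudges = parse(text)
    findings = []
    for s in servers if "ignore" in flags else []:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"server {s}: hostname, check its restrict line by hand")
            continue
        if addr not in REFCLOCKS and not any(addr in n for n in nets):
            findings.append(f"server {s}: no restrict line, replies dropped by default ignore")
    findings += [f"fudge {f}: no server line for this clock" for f in fudges if f not in servers]
    return findings
```

Run it against a real file with `audit(open("/etc/ntp.conf").read())`; an empty list means every server has a matching restrict entry and every fudge line refers to a configured clock.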


