
I have a Snow Leopard Server box running on a private LAN with no Internet access. If you can avoid ever doing this, you should, as not having an Internet connection has brought us hours and hours of headaches.

Anyway, our most recent headache is that Open Directory users can't authenticate with Kerberos as the client computers' individual clocks drift from the server's clock. So the server also needs to be an NTP server.

I cannot figure out how to configure the server so that it will respond to client requests in a way that they trust. Here's what a query looks like from a client machine:

$ ntpdate -q 192.168.1.250
server 192.168.1.250, stratum 16, offset 8.010421, delay 0.02605
 2 Sep 16:32:23 ntpdate[346]: no server suitable for synchronization found

Here are my configuration files on the server:

/etc/ntp.conf

server 192.168.1.250
fudge 127.0.0.1 stratum 8 refid NIST

/etc/ntp-restrict.conf

restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

includefile /private/etc/ntp.conf

Update

This is the configuration that I went with.

The NTP service is turned on in Server Admin under the General tab, and these 2 files are configured thusly:

/etc/ntp.conf

server 127.127.1.1
fudge 127.127.1.1 stratum 8 refid NIST

/etc/ntp-restrict.conf

restrict default notrust nomodify
restrict 127.127.1.1 mask 255.255.0.0 nomodify
restrict 192.168.1.0 mask 255.255.255.0 nomodify
includefile /private/etc/ntp.conf

Then the clients are configured to point to this server by name. It works perfectly.

Justin Force

2 Answers


IIRC, ntpdate is used to set times, but ntpd is used to maintain the time on a system.

Look in Server Admin --> --> Settings for the NTP on/off check box. Don't worry about the config files.

If you can't get a solution from the GUI, then the following website might help: http://docsrv.sco.com/NET_tcpip/ntpT.no_inet.html

Good luck.

Data Scavenger
  • The GUI doesn't work AT ALL. I'm not sure how familiar you are with Snow Leopard Server, but all of the graphical administrative tools are severely, severely broken. We have several tickets open with Apple, but they don't seem very interested in fixing it. As a general rule of thumb, don't expect any box that you check or button that you click to actually do anything on your Snow Leopard server. – Justin Force Sep 03 '10 at 15:34
  • The link that you provided looks very promising. Thanks! – Justin Force Sep 03 '10 at 15:36
  • Glad that link helped. FWIW, I actually manage hundreds of Macs in schools for about 12-13 years. Today, I use MacOS X Server version 10.6 (a.k.a. Snow Leopard) on numerous servers. The Advanced admin GUI works well for what it's designed to do. If you start using the CLI instead, then you have to keep using the CLI. The GUI just doesn't know about the changes that you made. So I generally discourage Unix-background sysadmins from doing this. For your long term sanity, you may want to reinstall & select the Advanced admin GUI. That works well for me. Either way, good luck! – Data Scavenger Sep 03 '10 at 16:21
  • I don't know what you mean by "Advanced admin GUI." Somebody else ran the install. I asked him if this sounded familiar, and he doesn't remember coming across it after a dozen or so installations. Thanks. – Justin Force Sep 03 '10 at 18:59
  • Ultimately, I relied on something very similar to the link that you provided. It definitely set me on the path to a solution that worked for me. I'll update my question with the relevant information when I get a chance. Thanks! – Justin Force Sep 04 '10 at 05:05
  • When MacOS X Server is first installed, it runs through a setup wizard, configures itself, and reboots. One of the settings (since 10.4 or 10.5, I can't recall) is to pick the administrator's "level," so to speak. "Advanced" gives you the most tools and complexity. There are two other levels, as I recall. I've never used them, though. The problem is that you only get asked this once. If you have Advanced, then you get Workgroup Manager and Server Admin. BTW, for more documentation, check this URL: http://www.apple.com/server/macosx/resources/documentation.html Hope that helps. – Data Scavenger Sep 05 '10 at 02:49

@sidewaysmilk;

[edit]
Oops, somewhat mis-read the question.

Per http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html , a server labeled Stratum 16 = "a stratum of 16 indicates the remote peer is unsynchronized". If you explicitly trust 192.168.1.250, I'm fairly certain you will first have to use ntpd, and second ntp.conf will need a fudge for that server.

Something as simple as;
fudge 192.168.1.250 stratum 1

then either restart ntpd; or stop it, run

ntpd -q

and then start it again; that should do the trick. (See also, man ntpd under -g.)

[edit2]
I can't format well in comments, so I'm editing this in and will comment again to bump the thread;

The fudge line is actually all you have to add in addition to what you already have.

/etc/ntp.conf

server 192.168.1.250
fudge 127.0.0.1 stratum 8 refid NIST

You want to add another fudge relative to the server you defined, so just add this line to the /etc/ntp.conf file; its position should be relatively irrelevant, bottom of the file should be fine.

fudge 192.168.1.250 stratum 1

This will tell ntpd that you don't care what ntp thinks, the server 192.168.1.250 will be considered a stratum 1 (IIRC, a server will have to be stratum 3 or higher in order to be automatically sync'ed with).

You can leave ntp-restrict.conf as-is.

@Data Scavenger;

ntpdate is deprecated. The old way of doing ntp was to cron ntpdate every hour. The new way can be done manually like that, but should be done via ntpd, which has the skew tick timer that will learn how your clock doesn't keep up, and send in ticks (or remove ticks) to compensate.

VxJasonxV
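The question's ntpdate output and the second answer both turn on what "stratum 16" means in a server reply. The following is an added example (not code from the question or either answer): a small parser for the NTPv4 reply header that applies the sanity checks a client makes before it will sync, and runs them over two constructed replies, one shaped like the unsynchronized reply behind the "stratum 16 ... no server suitable" output, and one shaped like a reply from a server synced to its own local clock driver. The stratum-9 and refid values of the second sample, and the 1.5 s root-distance threshold, are assumptions made for the example, not values from the page.

```python
import struct

STRATUM_UNSPEC = 16   # ntpd's internal value for "unsynchronized"; sent on the wire as stratum 0
MAXDIST = 1.5         # assumed: ntpd's default root-distance threshold in seconds

def build_response(leap, stratum, refid, root_delay=0.0, root_disp=0.0, mode=4):
    """Construct a 48-byte NTPv4 reply for testing; the four timestamps are left zero."""
    wire_stratum = 0 if stratum == STRATUM_UNSPEC else stratum
    head = struct.pack("!BBbbII4s", (leap << 6) | (4 << 3) | mode, wire_stratum, 6, -20,
                       int(root_delay * 65536), int(root_disp * 65536), refid)
    return head + bytes(32)

def parse_response(data):
    """Decode the header fields a client inspects before trusting a server."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _poll, _prec, rdelay, rdisp, refid = struct.unpack("!BBbbII4s", data[:16])
    stratum = STRATUM_UNSPEC if stratum == 0 else stratum   # the mapping ntpdate applies when printing
    if stratum in (1, STRATUM_UNSPEC):
        refid_text = refid.decode("ascii", "replace").rstrip("\0")   # four ASCII chars, e.g. "INIT"
    else:
        refid_text = ".".join(str(b) for b in refid)                  # IPv4 address of the sync source
    return {"leap": li_vn_mode >> 6, "mode": li_vn_mode & 7, "stratum": stratum,
            "root_delay": rdelay / 65536, "root_disp": rdisp / 65536, "refid": refid_text}

def diagnose(data):
    """Return (usable, reasons) for a reply, mirroring the checks behind 'no server suitable'."""
    p = parse_response(data)
    reasons = []
    if p["mode"] != 4:
        reasons.append("mode %d is not a server reply" % p["mode"])
    if p["leap"] == 3:
        reasons.append("leap indicator 3: server says it is unsynchronized")
    if p["stratum"] >= STRATUM_UNSPEC:
        reasons.append("stratum %d: no valid reference (refid %s)" % (p["stratum"], p["refid"]))
    dist = p["root_delay"] / 2 + p["root_disp"]   # root distance, as a client computes it
    if dist > MAXDIST:
        reasons.append("root distance %.3f s exceeds %.1f s" % (dist, MAXDIST))
    return not reasons, reasons

# Constructed samples: the reply behind the question's "stratum 16" output, and the kind of
# reply an isolated server gives once it is synced to its local clock driver fudged to stratum 8.
UNSYNCED = build_response(leap=3, stratum=16, refid=b"INIT")
LOCAL_CLOCK = build_response(leap=0, stratum=9, refid=bytes([127, 127, 1, 1]))

if __name__ == "__main__":
    for name, pkt in (("first config", UNSYNCED), ("updated config", LOCAL_CLOCK)):
        ok, why = diagnose(pkt)
        print(name, "->", "usable" if ok else "rejected: " + "; ".join(why))
```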