Solved sendto: Operation not permitted - OpenNTPD

Hi,

I set up OpenNTPD with the following config:
Code:
listen on 127.0.0.1

server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org

I can start OpenNTPD but I get error messages in /var/log/messages:
Code:
Jan 17 20:16:56 btx03 ntpd[4527]: dispatch_imsg in main: pipe closed
Jan 17 20:16:56 ABC ntpd[4548]: sendto: Operation not permitted
Jan 17 20:17:56 ABC ntpd[4548]: sendto: Operation not permitted
Jan 17 20:19:55 ABC last message repeated 2 times
Jan 17 20:22:56 ABC last message repeated 3 times
Jan 17 20:23:10 ABC ntpd[4549]: dispatch_imsg in main: pipe closed

When I run ntpd I get the following output:

Code:
listening on 127.0.0.1 
ntp engine ready
sendto: Operation not permitted

I disabled the firewall but it doesn't help. Any idea what could be wrong? I am running FreeBSD 10.1.

Thanks.
 
/etc/rc.conf
Code:
openntpd_enable="YES"
openntpd_flags="-sv"

/usr/local/etc/ntpd.conf
Code:
listen on 127.0.0.1

server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org

/etc/ntp.conf
Code:
#
# $FreeBSD: releng/10.1/etc/ntp.conf 259974 2013-12-27 23:09:40Z delphij $
#
# Default NTP servers for the FreeBSD operating system.
#
# Don't forget to enable ntpd in /etc/rc.conf with:
# ntpd_enable="YES"
#
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
#

#
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#

# The option `iburst' is used for faster initial synchronization.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
#server 3.freebsd.pool.ntp.org iburst

#
# If you want to pick yourself which country's public NTP server
# you want sync against, comment out the above servers, uncomment
# the next ones and replace CC with the country's abbreviation.
# Make sure that the hostnames resolve to a proper IP address!
#
# server 0.CC.pool.ntp.org iburst
# server 1.CC.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst

#
# Security:
#
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#
# Alternatively, the following rules would block all unauthorized access.
#
#restrict default ignore
#restrict -6 default ignore
#
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
#
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

#
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
#
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
 
I think it's related to my IPv6 config. There is no way to switch off IPv6 support in OpenNTPD, right?

EDIT: Seems I could fix it by fixing my IPv6 configuration.
 
So was that purely rc.conf fixes for IPv6 then? Or was it IPv6 elsewhere in your network? I don't see any specific way to turn off IPv6 either. The only workaround I could have thought of is to only configure NTP servers that serve over IPv4 so that no attempt is made to connect over an IPv6 address.
 
As far as I know the proper way to stop applications from trying to use IPv6 is to set all interfaces (except lo0) to IFDISABLED state. This can be done by not using settings like
ipv6_activate_all_interfaces="YES"
or by explicitly adding ifdisabled to the ifconfig_<if>_ipv6 setting.
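
A way to check an rc.conf for the two settings named in the post above, as an added example that is not part of the original thread. The function name `ipv6_rc_audit`, the helper `sample_rc` and the interface names in the sample are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Reports the two rc.conf settings the
# post names. Parses the text instead of sourcing it, so nothing is executed.
# Reads the file given as $1, or stdin when called without arguments.
ipv6_rc_audit() {
    awk '
    /^[ \t]*#/ { next }                            # skip comment lines
    match($0, /^[ \t]*[A-Za-z0-9_]+=/) {
        key = substr($0, RSTART, RLENGTH - 1)
        val = substr($0, RSTART + RLENGTH)
        gsub(/[ \t]/, "", key)
        gsub(/"/, "", val)                         # drop rc.conf quoting
        sub(/[ \t]+#.*$/, "", val)                 # drop trailing comment
        if (key == "ipv6_activate_all_interfaces")
            all = toupper(val)                     # last assignment wins
        else if (key ~ /^ifconfig_.+_ipv6$/) {
            ifn = key
            sub(/^ifconfig_/, "", ifn); sub(/_ipv6$/, "", ifn)
            if (!(ifn in seen)) { seen[ifn] = 1; order[++n] = ifn }
            conf[ifn] = val
        }
    }
    END {
        print "ipv6_activate_all_interfaces=" (all == "" ? "unset" : all)
        for (i = 1; i <= n; i++) {
            ifn = order[i]
            if (ifn == "lo0") continue             # the post exempts lo0
            # whole-word match: "-ifdisabled" clears the flag, so it must not count
            hit = (" " conf[ifn] " ") ~ /[ \t]ifdisabled[ \t]/
            print ifn ": " (hit ? "ifdisabled" : "ipv6-enabled")
        }
    }' "$@"
}

# Constructed sample rc.conf; the interface names are made up.
sample_rc() {
    cat <<'EOF'
openntpd_enable="YES"
ipv6_activate_all_interfaces="YES"
ifconfig_em0_ipv6="inet6 -ifdisabled accept_rtadv"
ifconfig_em1_ipv6="inet6 ifdisabled"
ifconfig_lo0_ipv6="inet6 ::1 prefixlen 128"
ipv6_activate_all_interfaces="NO"
EOF
}

sample_rc | ipv6_rc_audit
```

On a real host the call would be `ipv6_rc_audit /etc/rc.conf`; interfaces without an `ifconfig_<if>_ipv6` line do not appear in the per-interface output.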
 
For disabling IPv6 I have this in /etc/rc.conf
Code:
 > grep ipv6 /etc/rc.conf
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
 
Well, I don't want to disable IPv6 in general, just for OpenNTPd.

Maybe you can do this by providing servers which are only reachable by IPv4, but as I follow the recommendation to use the ntpd.org-pools I can't really choose.

I had an error in my rc.conf which had to be fixed. Now I don't see any errors at the moment, just timeouts about IPv6 as there still seems to be some firewall issue. But the error above seems to be gone for the moment.

Thanks for your help!
 