NTP Connection refused

[scryptkiddy]

Hey all,

Here are the symptoms.

1. On the CLI when restarting ntpd:
   

   # /etc/rc.d/ntpd restart[/CMD]
   ntpd not running? (check /var/run/ntpd.pid).
   Starting ntpd.

2. /var/log/messages contains:
   

   Sep 17 01:28:21 MYSERVER ntpd[48666]: ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
   Sep 17 01:28:21 MYSERVER kernel: pid 48667 (ntpd), uid 0: exited on signal 11

3. On the CLI when trying ntpq(1):
   

   # ntpq -c as[/CMD]
   ntpq: read: Connection refused

Here is /etc/rc.conf's ntp section:

ntpdate_hosts="127.0.0.1"
ntpdate_enable="YES"
ntpd_enable="YES"

I do not know why the previous admin set ntpdate_hosts to local host.

Here is /etc/ntp.conf:

server 204.34.198.40 #navy tock
server 204.34.198.41 #navy tick

The server is running FBSD FreeBSD 64bit, 8.3-RELEASE. I turned off the firewall, no change in behavior. What else can I look at to determine the issue with ntp?

SK

 

[SirDice]

Try those servers with the ntpdate(8) command to see if they actually respond. Make sure the ntpd(8) daemon isn't running and ntpdate 204.34.198.40.

 

[adri]

/var/log/messages contains:

Sep 17 01:28:21 MYSERVER ntpd[48666]: ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
Sep 17 01:28:21 MYSERVER kernel: pid 48667 (ntpd), uid 0: exited on signal 11

As you can see from the log, ntpd starts and then terminates with a segmentation fault. Since ntpd isn't running, all connections are refused, because no program is listening on port 123. Try to find out, why ntpd terminates with signal 11.

 

[scryptkiddy]

Try those servers with the ntpdate(8) command to see if they actually respond. Make sure the ntpd(8) daemon isn't running and ntpdate 204.34.198.40.

Well that part works, I tried the first IP:

[CMD]MYSERVER# ntpdate 192.5.41.42[/CMD]
17 Sep 18:42:23 ntpdate[58060]: adjust time server 192.5.41.42 offset 0.483958 sec

So if ntpdate(8) works but ntpd(8) will not start, what should I do? I guess I could put ntpdate(8) on a crontab :\

SK

 

[wblock@]

It's not necessary to run both, and they will conflict. Use just ntpd(8):

/etc/rc.conf

ntpd_enable="YES"
ntpd_sync_on_start="YES"

 

[scryptkiddy]

Just for clarity then.

Now I have this for the ntp(8) section of /etc/rc.conf:

NTP_SERVER="127.0.0.1"
ntpdate_hosts="${NTP_SERVER}"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
#ntpdate_enable="YES"

I cannot get to the ntp(8) servers (getting status rejected for all peers, different issue), but ntp(8) is running now. I had put the ntpdate_enable option in there because I remember reading that it would allow you to syncntp(8) on boot.

Please help me understand, thanks!

 

[wblock@]

None of that other stuff is needed, just the two lines shown in post #5.

Rejects could be due to firewall issues, or maybe the systems listed in /etc/ntp.conf are not valid or have restrictions. It also takes a little time after startup (minutes) for ntpd(8) to become happy.

 

[scryptkiddy]

I cannot find the previous admins' documentation on the ntp(8) setup, but is there a reason to set the NTP_SERVER to localhost?

 

[wblock@]

No. Or rather, that's just setting a variable. Is that variable used anywhere else in the file?

 

[scryptkiddy]

Not in /etc/rc.conf. The only line that references the variable is the one below it for the ntpdate_hosts variable.

 

[scryptkiddy]

None of that other stuff is needed, just the two lines shown in post #5.

Rejects could be due to firewall issues, or maybe the systems listed in /etc/ntp.conf are not valid or have restrictions. It also takes a little time after startup (minutes) for ntpd(8) to become happy.

Sorry amigo, I think I'm swimming backwards now. I put just the two lines in /etc/rc.conf, but couldn't get ntpd(8) to start. It returned errors listed in OP, signal 11.

So I went back and edited /etc/rc.conf and put in what I had in post#6 since I did have ntpd(8) working then. Now it still returns signal 11.

What did I foul up?

 

[scryptkiddy]

I was doing some troubleshooting to determine why ntpd(8) will not start and received some interesting results. Here are the /etc/rc.conf entries:

ntpd_enable="YES"
ntpd_sync_on_start="YES"

When I edit the /etc/rc.d/ntpd shell script and add the debugging flag "-d" to the rc_flags variable and start it I get:

[CMD]MYSERVER# /etc/rc.d/ntpd start[/CMD]
Starting ntpd.
ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)
17 Sep 20:53:39 ntpd[58377]: logging to file /var/log/ntpd.log
17 Sep 20:53:39 ntpd[58377]: proto: precision = 1.118 usec
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
Finished Parsing!!
17 Sep 20:53:39 ntpd[58377]: ntp_io: estimated max descriptors: 11095, initial socket boundary: 20
17 Sep 20:53:39 ntpd[58377]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
17 Sep 20:53:39 ntpd[58377]: Listen and drop on 1 v6wildcard :: UDP 123
17 Sep 20:53:39 ntpd[58377]: Listen normally on 2 bce0 150.137.11.160 UDP 123
restrict: op 1 addr <my.servers.ip.here> mask 255.255.255.255 mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 3 lo0 fe80::1 UDP 123
restrict: op 1 addr fe80::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 4 lo0 ::1 UDP 123
restrict: op 1 addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: Listen normally on 5 lo0 127.0.0.1 UDP 123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
17 Sep 20:53:39 ntpd[58377]: peers refreshed
17 Sep 20:53:39 ntpd[58377]: Listening on routing socket on fd #26 for interface updates
key_expire: at 0 associd 19712
peer_clear: at 0 next 1 associd 19712 refid INIT
event at 0 192.5.41.42 8011 81 mobilize assoc 19712
newpeer: <my.servers.ip.here>->192.5.41.42 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 19713
peer_clear: at 0 next 2 associd 19713 refid INIT
event at 0 204.34.198.40 8011 81 mobilize assoc 19713
...

Checking the process table:

[CMD]MYSERVER# ps -auxwww | grep -i ntpd[/CMD]
root            80931  0.0  0.0  8344  2200   0  S+    7:51PM   0:00.00 /bin/sh /etc/rc.d/ntpd start
root            80936  0.0  0.0 15308  7208   0  S+    7:51PM   0:00.01 /usr/sbin/ntpd -g -c /etc/ntp.conf -d -p /var/run/ntpd.pid -f /var/db/ntpd.drift -l /var/log/ntpd.log

But when I remove the debugging flag and start ntpd(8) without the debug flag, back to signal 11.

Thoughts?

 

[wblock@]

That's the port version, net/ntp, rather than the one in base. What version of FreeBSD is running?

 

[junovitch@]

There is absolutely no reason for ntpdate() to use 127.0.0.1. If you look at /etc/rc.d/ntpd you'll find this:

# REQUIRE: DAEMON ntpdate cleanvar devfs

This tells you that ntpdate() will always run before the ntpd() daemon is started. The idea being that time is already set close enough when ntpd() gets started to maintain it. On boot ntpdate() will never be able to find anything listening on the loopback.

Anyways, back to the regular scheduled programming, how about giving net/openntpd a try? Add your servers in /usr/local/etc/ntpd.conf, enable in /etc/rc.conf with this:

openntpd_enable="YES"

Then start with # service openntpd start

 

[junovitch@]

That's the port version, net/ntp, rather than the one in base. What version of FreeBSD is running?

Good eye. He mentioned 8.3-RELEASE in his first post. 4.2.4p8 is the default in 9.1-RELEASE and I would guess it's the same. Perhaps removing the add on port and using the base system ntpd() would be a solution.

 

[scryptkiddy]

Correct, I'm using the port.

MYSERVER# pkg_info | grep ntp
ntp-4.2.6p5_2       The Network Time Protocol Distribution

MYSERVER# ntpd --version
ntpd 4.2.6p5
ntpd 4.2.6p5@1.2349-o Thu Feb 21 00:50:01 UTC 2013 (1)

MYSERVER# which ntpd
/usr/sbin/ntpd

I'd rather not install another port when the ntpd(8) port works for other servers (for uniformity).

Any other ideas?

 

[wblock@]

Install sysutils/bsdadminscripts and run pkg_libchk.

 

[scryptkiddy]

Will do, I have to go to lunch, then a few meetings. I'll come back and do that and update you when done.

 

[kpa]

Post your list of network interfaces, output of ifconfig is enough. The ntpd(8) daemon has an unfortunate feature that causes it to bind on every single available network interface and there's no way to control which interfaces it should attach to.

 

[scryptkiddy]

Install sysutils/bsdadminscripts and run pkg_libchk.

Okay, completed. Is there something in here that will help me troubleshoot the problem?

 

[wblock@]

Did it complain about any missing libraries?

 

[scryptkiddy]

It did not.

Here is the last of the output:

...
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcstatus
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcstop
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rcrestart
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestart
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestatus
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconestop
hardlinking: /usr/local/sbin/rcstart -> /usr/local/sbin/rconerestart
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portbuild
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portclean
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portfetch
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portpackage
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portconfig-recursive
hardlinking: /usr/local/sbin/portconfig -> /usr/local/sbin/portfetch-recursive
===>   Registering installation for bsdadminscripts-6.1.1_4

===>>> Installation of sysutils/bsdadminscripts (bsdadminscripts-6.1.1_4) complete

===>>> Exiting
MYSERVER# rehash

 

[wblock@]

After installing it, you have to run pkg_libchk.

 

[scryptkiddy]

Wow... I need caffeine. I missed that in your post, my apologies.

It has completed, there is a list, nothing in there about ntp(8) however:

cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libssl.so.7
cclient-2007f,1: /usr/local/lib/libc-client4.so.9 misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-capture misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-cat misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-dscan misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-expire misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-export misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-fanout misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-filter misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-gen misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-header misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-import misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-mask misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-merge misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-nfilter misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-print misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-receive misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/w3c misses libssl.so.7
flow-tools-0.68_7: /usr/local/bin/flow-report misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/w3c misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-send misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/webbot misses libssl.so.7
libwww-5.4.0_4: /usr/local/bin/webbot misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-split misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/www misses libssl.so.7
flow-tools-0.68_7: /usr/local/bin/flow-stat misses libwrap.so.5
libwww-5.4.0_4: /usr/local/bin/www misses libcrypto.so.7
flow-tools-0.68_7: /usr/local/bin/flow-tag misses libwrap.so.5
flow-tools-0.68_7: /usr/local/bin/flow-xlate misses libwrap.so.5
libwww-5.4.0_4: /usr/local/lib/libmd5.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libmd5.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libpics.so.0 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libpics.so.0 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwapp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwapp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcache.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcache.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcore.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwcore.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwdir.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwdir.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwfile.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwfile.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwftp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwftp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwgopher.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwgopher.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhtml.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhtml.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhttp.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwhttp.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwinit.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwinit.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmime.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmime.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmux.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwmux.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwnews.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwnews.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwssl.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwssl.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwstream.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwstream.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtelnet.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtelnet.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtrans.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwtrans.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/tripwire misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwutils.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwutils.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/twadmin misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwxml.so.1 misses libssl.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/twprint misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwxml.so.1 misses libcrypto.so.7
tripwire-2.4.2.2_2: /usr/local/sbin/siggen misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwzip.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libwwwzip.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libxmlparse.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libxmlparse.so.1 misses libcrypto.so.7
libwww-5.4.0_4: /usr/local/lib/libxmltok.so.1 misses libssl.so.7
libwww-5.4.0_4: /usr/local/lib/libxmltok.so.1 misses libcrypto.so.7

 

[SirDice]

I'm wondering why it's looking for a few libraries. Did you build from ports or did you use packages? Both libcrypto and libssl are from OpenSSL. But I'm not sure where those versions come from. FreeBSD 9.x has version .6 for both. So it's either looking for the security/openssl port libraries or the packages where intended for 10-CURRENT. The libwrap version might be ok for 8.3, 9-STABLE has it as version 6.