今天使用虚拟你需要同步时间结果报错了。系统RHEL6.4。报错如下
# ntpdate asia.pool.ntp.org 8 Aug 06:00:11 ntpdate[7451]: no server suitable for synchronization found
出现问题后检查防火墙是否关闭
# service iptables status iptables: Firewall is not running.
结果是关闭的
使用-d查看原因
# ntpdate -d asia.pool.ntp.org 8 Aug 05:55:05 ntpdate[7400]: ntpdate [email protected] Thu May 13 14:38:23 UTC 2010 (1) Looking for host asia.pool.ntp.org and service ntp host found : bera.learn.ac.lk transmit(192.248.1.162) transmit(27.114.150.13) transmit(120.88.46.10) transmit(157.7.203.102) receive(192.248.1.162) transmit(192.248.1.162) receive(157.7.203.102) transmit(157.7.203.102) receive(157.7.203.102) transmit(157.7.203.102) receive(120.88.46.10) transmit(120.88.46.10) receive(157.7.203.102) transmit(157.7.203.102) receive(120.88.46.10) transmit(120.88.46.10) receive(192.248.1.162) transmit(192.248.1.162) transmit(27.114.150.13) receive(120.88.46.10) transmit(120.88.46.10) transmit(157.7.203.102) receive(192.248.1.162) transmit(192.248.1.162) receive(120.88.46.10) transmit(120.88.46.10) transmit(27.114.150.13) receive(192.248.1.162) transmit(192.248.1.162) transmit(27.114.150.13) transmit(27.114.150.13) 27.114.150.13: Server dropped: no data server 192.248.1.162, port 123 stratum 2, precision -19, leap 00, trust 000 refid [192.248.1.162], delay 0.57085, dispersion 0.00000 transmitted 4, in filter 4 reference time: d792e8a1.e443f4ea Mon, Aug 11 2014 15:00:49.891 originate timestamp: d792e90d.f6534dec Mon, Aug 11 2014 15:02:37.962 transmit timestamp: d78e7440.05071cd0 Fri, Aug 8 2014 5:55:12.019 filter delay: 0.64255 0.57982 0.57956 0.57085 0.00000 0.00000 0.00000 0.00000 filter offset: 292045.6 292045.6 292045.6 292045.6 0.000000 0.000000 0.000000 0.000000 delay 0.57085, dispersion 0.00000 offset 292045.669938 server 27.114.150.13, port 123 stratum 0, precision 0, leap 00, trust 000 refid [27.114.150.13], delay 0.00000, dispersion 64.00000 transmitted 4, in filter 4 reference time: 00000000.00000000 Thu, Feb 7 2036 14:28:16.000 originate timestamp: 00000000.00000000 Thu, Feb 7 2036 14:28:16.000 transmit timestamp: d78e7441.7eccc431 Fri, Aug 8 2014 5:55:13.495 filter delay: 0.00000 0.00000 0.00000 0.00000 0.00000 0.00000 0.00000 0.00000 filter offset: 0.000000 0.000000 0.000000 0.000000 0.000000 0.000000 0.000000 0.000000 delay 0.00000, dispersion 64.00000 offset 0.000000 server 120.88.46.10, port 123 stratum 2, precision -21, leap 00, trust 000 refid [120.88.46.10], delay 0.40349, dispersion 0.00000 transmitted 4, in filter 4 reference time: d792e1d9.fc2eb479 Mon, Aug 11 2014 14:31:53.985 originate timestamp: d792e90d.a75fc42e Mon, Aug 11 2014 15:02:37.653 transmit timestamp: d78e743f.d624447e Fri, Aug 8 2014 5:55:11.836 filter delay: 0.40744 0.40784 0.40349 0.40726 0.00000 0.00000 0.00000 0.00000 filter offset: 292045.6 292045.6 292045.6 292045.6 0.000000 0.000000 0.000000 0.000000 delay 0.40349, dispersion 0.00000 offset 292045.627397 server 157.7.203.102, port 123 stratum 3, precision -17, leap 00, trust 000 refid [157.7.203.102], delay 0.08058, dispersion 8.00000 transmitted 4, in filter 4 reference time: d792e2dd.06f9d551 Mon, Aug 11 2014 14:36:13.027 originate timestamp: d792e90c.bc5d0818 Mon, Aug 11 2014 15:02:36.735 transmit timestamp: d78e743f.15508c16 Fri, Aug 8 2014 5:55:11.083 filter delay: 0.10025 0.08405 0.08058 0.00000 0.00000 0.00000 0.00000 0.00000 filter offset: 292045.6 292045.6 292045.6 0.000000 0.000000 0.000000 0.000000 0.000000 delay 0.08058, dispersion 8.00000 offset 292045.680068 8 Aug 05:55:14 ntpdate[7400]: step time server 120.88.46.10 offset 292045.627397 sec
以上信息证明网络没有问题。还是继续查看本机问题。突然在官网查到了
The behavior of notrust changed between versions 4.1 and 4.2.
In 4.1 (and earlier) notrust meant "Don't trust this host/subnet for time".
In 4.2 (and later) notrust means "Ignore all NTP packets that are not cryptographically authenticated." This forces remote time servers to authenticate themselves to your (client) ntpd
查看下版本信息
# ntpd --version ntpd - NTP daemon program - Ver. 4.2.4p8
原因找到了
找配置文件
# vim /etc/ntp.conf # For more information about this file, see the man pages # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). driftfile /var/lib/ntp/drift # Permit time synchronization with our time source, but do not # permit the source to query or modify the service on this system. restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery #发现了将这两行修改或注释 # Permit all access over the loopback interface. This could # be tightened as well, but to do so would effect some of # the administrative functions. restrict 127.0.0.1 restrict -6 ::1
我将这两行注释掉了
再次测试ntp
# ntpdate asia.pool.ntp.org 11 Aug 15:13:14 ntpdate[7477]: step time server 211.233.84.186 offset 292045.698832 sec 成功了
# 1. 关于权限设定部分
# 权限的设定主要以 restrict 这个参数来设定,主要的语法为:
# restrict IP mask netmask_IP parameter
# 其中 IP 可以是软件地址,也可以是 default ,default 就类似 0.0.0.0
# 至于 paramter 则有:
# ignore :关闭所有的 NTP 联机服务
# nomodify:表示 Client 端不能更改 Server 端的时间参数,不过,
# Client 端仍然可以透过 Server 端来进行网络校时。
# notrust :该 Client 除非通过认证,否则该 Client 来源将被视为不信任网域
# noquery :不提供 Client 端的时间查询
# notrap :不提供trap这个远程事件登入
# 如果 paramter 完全没有设定,那就表示该 IP (或网域)“没有任何限制”
restrict default nomodify notrap noquery # 关闭所有的 NTP 要求封包
restrict 127.0.0.1 #这是允许本级查询
restrict 192.168.0.1 mask 255.255.255.0 nomodify
#在192.168.0.1/24网段内的服务器就可以通过这台NTP Server进行时间同步了
# 2. 上层主机的设定
# 要设定上层主机主要以 server 这个参数来设定,语法为:
# server [IP|HOST Name] [prefer]
# Server 后面接的就是我们上层 Time Server 啰!而如果 Server 参数
# 后面加上 perfer 的话,那表示我们的 NTP 主机主要以该部主机来作为
# 时间校正的对应。另外,为了解决更新时间封包的传送延迟动作,
# 所以可以使用 driftfile 来规定我们的主机
# 在与 Time Server 沟通时所花费的时间,可以记录在 driftfile
# 后面接的文件内,例如下面的范例中,我们的 NTP server 与
# cn.pool.ntp.org联机时所花费的时间会记录在 /etc/ntp/drift文件内