carton at Ivy.NET
Mon Apr 27 17:14:35 EDT 2009
>>>>> "ms" == Marco Scoffier <marco at metm.org> writes:
ms> trying to figure out how to do the same on FreeBSD and it was
rdate works with a simple server built into inetd
ntpdate works with ntp servers but cannot be run while ntpd is
running. FreeBSD ships with init scripts to run it automatically
The -g option of ntpd avoids the bashfulness you describe and thus the
need for ntpdate, but was buggy on some versions of ntpd in my
experience. In /etc/rc.conf:
or the rather silly but equivalent:
ntpd also has problems if bind is not available when it starts. It's
supposed to spawn a thread to keep retrying the lookups in the
background and reconfigure ntpd over the ntpdc command channel when
nameservice becomes available, but there are two problems with this:
* I can't confirm -g continues to work in that case. -g is supposed
to apply once, at boot, but preserve sanity checking for
whacked-out servers after boot. You can see how a naive
implementation would mess this up.
* ntpd uses UDP and needs to control its source address, so it binds
to individual interfaces. If not all your interfaces are up before
ntpd starts, that's a problem. bind has code to watch the routing
socket and rebind interfaces that appear, but often gets fucked up
because of privilege dropping.
* if you try to ``lock down'' your ntpd by enabling all kinds of
fancy security, you'll deny access to the background DNS process.
You have to allow passwordless admin access to 127.0.0.1 for the
background dns resolver trick to work.
restrict default nomodify
restrict 127.0.0.1 # no restrictions. needs 'modify' permission
# so ntpd_initres works.
restrict 192.168.2.1 nomodify notrust nopeer #untrusted ci$co client
With all this together I've not gotten the whole damn thing to work
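As an added illustration (not part of the original mail), a small checker that parses ntp.conf `restrict` statements the way the post's snippet is laid out (address, optional `mask`, then flags, `#` starting a comment) and reports whether 127.0.0.1 keeps `modify` access while the default is locked down. The sample config is constructed for this example; the function names are mine.

```python
"""Check ntp.conf 'restrict' lines for the localhost 'modify' requirement.

Added example, not code from the original mailing-list post.  The parser
handles 'restrict <addr> [mask <m>] [flags...]' with '#' comments; the
sample config below is constructed for the demonstration.
"""

SAMPLE_NTP_CONF = """\
# constructed sample ntp.conf
server 0.pool.example
restrict default nomodify
restrict 127.0.0.1 # no restrictions. needs 'modify' permission
                   # so ntpd_initres works.
restrict 192.168.2.1 nomodify notrust nopeer #untrusted ci$co client
"""


def parse_restrict(conf_text):
    """Return {address: set(flags)} for every 'restrict' statement."""
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if parts[0] != "restrict" or len(parts) < 2:
            continue
        addr, flags = parts[1], parts[2:]
        if flags and flags[0] == "mask":      # skip 'mask x.x.x.x'
            flags = flags[2:]
        rules[addr] = set(flags)
    return rules


def localhost_can_modify(rules):
    """True if 127.0.0.1 may reconfigure ntpd over the ntpdc channel.

    A host with no explicit rule falls back to the 'default' rule.
    """
    flags = rules.get("127.0.0.1", rules.get("default", set()))
    return "nomodify" not in flags


def default_is_locked_down(rules):
    """True if remote hosts are denied modification by default."""
    return "nomodify" in rules.get("default", set())


def check(conf_text):
    """Summarise the two properties the post says must both hold."""
    rules = parse_restrict(conf_text)
    return {"default_locked": default_is_locked_down(rules),
            "localhost_modify": localhost_can_modify(rules)}
```

Running `check(SAMPLE_NTP_CONF)` on the constructed config reports both properties as satisfied; adding `nomodify` to the 127.0.0.1 line flips `localhost_modify` to False.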