NTP services "authorization"?

I have recently enabled NTP on a G5 Xserve with Mac OS X 10.4.8 Server. I have a firewall rule in place to allow this server to use time-c.timefreq.boardrdoc.gov through our corporate firewall as a time server from outside of our corporate campus. (This is the same time server that the Windows servers are using.) I have ten or so workstations and a couple of other Mac OS X servers pointing to the Xserve for network time for testing. When I first set this up, all the workstations seemed to be getting their network time just fine.
Unfortunately, at some point last week, two or three days after setting it up, the Xserve simply stopped putting out the NTP services even though it's still checked "on". On my workstation, for example, I would see a message similar to this in my System.log:
Apr 9 08:37:28 WORKSTATIONID ntpdate[97]: no server suitable for synchronization found
My computer did start to drift a bit off the corporate network time. I did a search here in the Discussions and found that, like some other folks, it seemed I had two ntpd processes running on the server. The second process was initiated by the /System/Library/StartupItems/NetworkTime/ folder. I put it in the Trash and restarted the server and for two days everything was fine. The Xserve was serving up network time for the clients. However, there are now five ntpd services running on the server and it is not serving up network time for the clients pointing to it.
It seems that the Xserve is demoting itself or de-authorizing itself as an NTP server if it doesn't get a "quick" reply from its own time server (I would find a message in the System.log similar to the one above). If I change the network time option on the server to point to an internal time server and restart the server, it then becomes a valid time server for the clients, who do catch up to network time. But, if I leave the server pointing to that external time server (I only have access to that one through the firewall), after a couple of days the Xserve gives up and stops serving network time for the clients pointed to it.
Does anyone have some general time server advice for my Xserve? Or advice about keeping the service running? Or restarting the service without having to restart the server while I'm testing different options?
-Doug

I previously made a post on this issue and got some feedback. Needless to say, after reading about others dealing with what is a neglected issue by Apple, I think I have a fix that works. I have set up my network this way for about 2 months now with no Kerberos drift problems and all seems well in NTP land.
It is fairly simple: just DON'T turn on the update time setting on the server. That means in both the SA under "Date & Time" and/or under System Preferences the "Set date & time automatically" should NOT be checked on the server! The only thing that should be on in SA is the NTP check box. Now how this affects which time server you are syncing to, i.e. time.apple.com etc., I'm not sure. I assume I'm using the last server listed as the entry in the "Set date & time automatically" box. I'm sure you could also edit the ntp.conf to set the correct server on your own as well.
Anyway, since I have done this my Mac OS X Server time has stayed right on and all my clients point to my Mac OS X Server to get their time on the LAN. I have a JPG screenshot with VNC to the server and a client from my laptop. In the screenshot the topmost date & time is the client. The middle D&T is the server and the bottom is my laptop's. As you can see all 3 times are in sync. Both my laptop and, I believe, the server are getting the NTP time from time.apple.com. The client is pointed to the server. On the Mac OS X server only 1 ntpd process is running, as it should be. The only thing I can't seem to verify is the system.log on the server: I don't see any ntpd entries, but the time is right on. On the client the log shows fine: "13 Apr 16:18:43 ntpdate[3753]: step time server 192.168.1.2 offset -0.907011 sec"
I hope this helps.
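
The client message quoted in the question, "no server suitable for synchronization found", is what ntpdate prints when no reply passes its sanity checks. The following is an added example (not part of either post, and not ntpdate's or Apple's code) that decodes an NTP reply header and lists the reasons a client would distrust it. The function names, the one-day staleness limit and the sample packets are assumptions of this example.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_REF_AGE = 86400            # assumed staleness limit (one day) for this example


def parse_reply(packet):
    """Decode the start of the 48-byte NTP header into the fields a client inspects."""
    if len(packet) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    (flags, stratum, _poll, _precision, root_delay, root_disp, ref_id,
     ref_sec, _ref_frac) = struct.unpack("!BBbbiI4sII", packet[:24])
    return {
        "leap": flags >> 6,              # 3 means "clock not synchronized"
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,             # 4 is a server reply
        "stratum": stratum,
        "root_delay": root_delay / 65536.0,      # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref_id,
        "ref_seconds": ref_sec,          # when the server last set its own clock
    }


def unsuitable_reasons(reply, now_ntp):
    """Return the reasons this reply should not be used; an empty list means usable."""
    reasons = []
    if reply["mode"] != 4:
        reasons.append("mode %d is not a server reply" % reply["mode"])
    if reply["leap"] == 3:
        reasons.append("leap indicator 3: server clock is unsynchronized")
    if reply["stratum"] == 0 or reply["stratum"] > 15:
        reasons.append("stratum %d: no valid upstream source" % reply["stratum"])
    if reply["ref_seconds"] == 0:
        reasons.append("reference timestamp is zero: never synchronized")
    elif now_ntp - reply["ref_seconds"] > MAX_REF_AGE:
        reasons.append("last upstream sync is more than a day old")
    return reasons


def query(host, timeout=2.0):
    """Send one client-mode NTPv3 request to host and return the parsed reply."""
    request = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        data, _ = s.recvfrom(512)
    return parse_reply(data)


def sample_reply(leap, stratum, ref_seconds):
    """Build a constructed server reply (not captured traffic) for offline use."""
    flags = (leap << 6) | (3 << 3) | 4
    head = struct.pack("!BBbbiI4sII", flags, stratum, 6, -20, 0, 0,
                       b"\0\0\0\0", ref_seconds, 0)
    return head + 24 * b"\0"  # originate/receive/transmit timestamps left zero


if __name__ == "__main__":
    now = int(time.time()) + NTP_EPOCH_OFFSET
    samples = {
        "healthy server": sample_reply(0, 2, now - 64),
        "lost its upstream": sample_reply(3, 16, 0),
    }
    for name, pkt in samples.items():
        print(name, "->", unsuitable_reasons(parse_reply(pkt), now) or "usable")
```

Calling `unsuitable_reasons(query("<server address>"), int(time.time()) + NTP_EPOCH_OFFSET)` from a client shows whether the server is answering at all and, if it is, which header field makes its replies unusable.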

Similar Messages

  • ISE 1.1.2 patch 8 NTP Service failing

    Hi all,
    after a recent upgrade of my ISE deployment from 1.1.1 patch 3 to 1.1.2 patch 8, the NTP service on the ISE now crashes at regular intervals.
    Can I have some help debugging this issue? I would like to check the logs but there are so many that I am not sure which one to turn debugging on.
    Also, just wanted to know if anyone has seen this issue before or knows if this is a known issue when running 1.1.2 patch 8.
    Thanks everyone!
    Mario

    You cannot install a patch whose version is lower than the patch that is currently installed on ISE. Similarly, you cannot roll back changes of a lower version patch if a higher version is currently installed on Cisco ISE.
    For NTP configuration, please check the links below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/cli_ref_guide/ise_cli_app_a.html#wp2267226
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/upgrade_guide/upgrade.html

  • NTP Service on Domain Controller have problem with cisco switch

    Hello!
    I have a Windows Server 2008 R2 SP1 Domain Controller with NTP services.
    The Windows operating system clients get NTP time OK.
    There is a problem with the Cisco switch; it can't get time from NTP.
    Can anybody help me to fix the problem?
    C:\Users\Sysuser>w32tm /query /configuration
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 1800 (Local)
    MaxPosPhaseCorrection: 1800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NTP (Policy)
    NtpServer: 10.7.0.4 (Policy)
    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    Cisco config and errors
    CISCO1#show ntp ass det
    10.7.0.7 configured, insane, invalid, stratum 3
    ref ID 10.7.0.4, time D5BC850F.C8400AB2 (15:50:39.782 MSK Mon Aug 19 2013)
    our mode client, peer mode server, our poll intvl 1024, peer poll intvl 1024
    root delay 62.50 msec, root disp 11128.04, reach 377, sync dist 11218.796
    delay 6.06 msec, offset -467951.1096 msec, dispersion 56.49
    precision 2**6, version 3
    org time D5BC8864.F79C33A7 (16:04:52.967 MSK Mon Aug 19 2013)
    rcv time D5BC8A38.EBDECB39 (16:12:40.921 MSK Mon Aug 19 2013)
    xmt time D5BC8A38.EA5173BE (16:12:40.915 MSK Mon Aug 19 2013)
    filtdelay =     6.06    5.87    3.23    7.90    6.41    5.17   13.03    3.43
    filtoffset = -467951 -467905 -467936 -467885 -467764 -467816 -467707 -467697
    filterror =     0.02   15.64   31.27   46.89   62.52   78.14   93.75   93.78

    Hi,
     >>I gave log on as a service right to this account in Default Domain Controllers Policy but unfortunately it was not enough
    Based on your description, we can try to grant this account Allow log on locally
    user right in the default domain controller policy to see if it helps.
    The policy setting is:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
    Allow log on locally
    http://technet.microsoft.com/en-us/library/cc756809(v=ws.10).aspx#feedback
    Best regards,
    Frank Shen

  • Ntp service depends on dns but is started too soon

    Given servers defined in /etc/inet/ntp.conf, the service starts interactively (svcadm enable ntp) with an initial ntpdate call to set the clock.
    However, this fails on boot up as the servers are not found unless defined in /etc/inet/hosts. As a consequence, there can be a significant initial offset from the RTC, which corrupts the clock drift value and takes hours longer to stabilise.
    This implies that the ntp service is being started too soon before dns whereas it should be started after dns.

    I would check to see if this is still true in the most recent releases of Solaris Express. If it is, you can log a bug about it.
    For your existing machines, you could probably create a dependency on milestone/name-services for the ntp service and see if that fixes it.
    Darren

  • NTP synchronized without NTP service

    Dear,
    We have a setup where 2 DCs receive their clock from a GPS clock. Then our 2 core switches (C3650 running on 15.0.(2) ) receive their clock from these DCs. It all seems to work fine. However, when I turn off the NTP service on both DCs our two core routers still remain synchronized. That is, when I look at the NTP associations both peers keep their original state (i.e. sys.peer and candidate). Furthermore the NTP status also indicates that the clock is synchronized with the same stratum as before (referencing one of the DCs). When I turn on debugging I do receive an ntp_receive message indicating that:
    NTP Core(DEBUG): ntp_receive: peer is 0x00000000, next action is 3
    I assume that this means that there's a problem with the peer seeing that normally the address is filled in and the next action is.
    My question here: how come the two core switches still think they are synchronized? Does it take more time for the update (although I waited until they missed several poll intervals)?
    Thanks in advance,
    Maarten

    Hi ,
    Please check the timezone on the acs server and make sure it is same as AD server. Use command "show timezones" to get the list of timezones.
    Regards,
    ~JG
    Do rate helpful posts

  • NTP Service in CCM v 7

    I had to change the NTP server due to the time change. How do I reset the NTP services on CCM 7?

    You can use the command "utils ntp restart".
    Hope this helps.
    Brandon

  • Which Cisco router for NTP service

    Hello,
    I'm looking for deploying NTP service for multi-customer (in Datacenter).
    So, I took a look at the Cisco routers list and I saw that some routers don't have a hardware clock / internal clock; for example the 2600 series.
    I'm looking for a "cheap" but good solution to provide NTP:
    - "Cheap": that's why I take a look at routers, and not directly at an NTP appliance.
    - "Good": something that can provide time to 300+ end devices.
    The Cisco 800 series has a hardware clock, if I read correctly. But this is the cheapest router, so I don't feel confident.
    > What's the "best" router for NTP server ? 
    > Please, could you share your experiences, opinions ?
    Thanks,
    Have a nice day.

    Cisco 800 series apparently got internal clock, could it do the job correctly?
    Rick and I have answered this question already.  
    Depending on the router, you can instruct the router to regularly update the hardware clock using the command "ntp update-calendar".
    If you really insist on a router, an 800 router, then you can get all your devices to sync to your router and your router gets its sync somewhere on the Internet.
    Make sure you have the following commands:
    ntp server <NTP server>
    ntp update-calendar
    Note: You can have multiple NTP server IP addresses. And the commands above are hyperlinks.
    Warning:  DO NOT be tempted to use the command "ntp master".

  • Web services Authorization in CE 7.1 EHP 1

    Hi All,
    We are looking for information on the below mentioned with respect to CE 7.1 EHP 1 pack level.
    1. Web service for adding, updating, deleting and displaying data from ABAP table.
    2. Authorization to be implemented in Web dynpro Java for 2 types of users - one with add/update/delete feature and other with only display feature. (Use of Actions here).
    Thanks for your help.
    Regards,
    Shailesh

    done

  • ISG service authorization question

    Hi everybody! Need you help!
    I can't figure out how to authorize services for different PPPoE users (bound to different Virtual Templates/bba-groups) on different RADIUS servers.
    I've got the following config (some lines are removed):
    #2 radius-groups
    aaa group server radius PPPOE
    server name PPPOE
    aaa group server radius test_PPPOE
    server name test_PPPOE
    # AAA
    aaa authentication login default local
    aaa authentication ppp PPPOE group PPPOE
    aaa authentication ppp test_PPPOE group test_PPPOE
    aaa authorization network PPPOE group PPPOE
    aaa authorization network test_PPPOE group test_PPPOE
    aaa authorization subscriber-service default group PPPOE
    aaa authorization subscriber-service test_PPPOE group test_PPPOE
    aaa accounting network PPPOE start-stop group PPPOE
    aaa accounting network test_PPPOE start-stop group test_PPPOE
    # 2 bba-groups
    bba-group pppoe PPPOE
    virtual-template 1
    bba-group pppoe test_PPPOE
    virtual-template 2
    # 2 virtual templates
    interface Virtual-Template1
    ip unnumbered Loopback10
    peer default ip address pool PPPOE_POOL
    ppp authentication chap pap PPPOE
    ppp authorization PPPOE
    ppp accounting PPPOE
    interface Virtual-Template2
    ip unnumbered Loopback11
    peer default ip address pool PPPOE_POOL
    ppp authentication chap pap test_PPPOE
    ppp authorization test_PPPOE
    ppp accounting test_PPPOE
    Services are defined on 2 external RADIUS-servers.
    Users bound to virtual-template1 (bba-group PPPOE) are authenticated and authorized by AAA method lists "PPPOE". Their services, received from the external RADIUS server (aaa group server radius PPPOE), are authorized with the default method list "aaa authorization subscriber-service default group PPPOE".
    Users bound to virtual-template2 (bba-group test_PPPOE) are authenticated and authorized by AAA method lists "test_PPPOE". But I can't figure out how to authorize their services received from the external RADIUS server (aaa group server radius test_PPPOE) with method list "aaa authorization subscriber-service test_PPPOE group test_PPPOE". What do I need to bind with it?
    Will appreciate any help!
    Thank you!

    Hello Raja Subramanian,
    If you mark 0plant as authorizationRelevant, all InfoCubes that have 0plant will also be checked for that authorization.
    If you want to restrict only one InfoCube you have to do it separately.
    Let me give you an example:
    You have InfoCubes:
    A
    B
    C
    D
    All these four InfoCubes have 0plant inside. You mark 0plant as AuthorizationRelevant but you want to restrict only InfoCube B with values from 0plant, let's say 0plant value '110'. For the other Infocubes you don't want to restrict 0plant.
    In that case you would create an authorization in RSECADMIN that will have 0TCAIPROV = 'B' and 0plant = '110'.
    You would also create authorization for RSECADMIN for the others InfoProviders (it could be the same authorization for all the others or separate authorizations) with:
    0TCAIPROV = 'A'
    0TCAIPROV = 'C'
    0TCAIPROV = 'D'
    0plant = *
    In this case every time a user executes a query over B he would have to insert '110' as value for 0plant, otherwise he would receive a lack of authorization. Every time a user executes a query over A, C or D, he doesn't have to insert anything in 0plant because he is allowed to see all the values for 0plant.
    Please assign points,
    Diogo.

  • NTP Service - CLI

    Could someone please tell me the CLI command to restart the ntpd service on OS X? I am not referring to the GUI method using "Date and Time". I need to remotely restart the ntpd service via command line.
    I modified the /etc/ntp.conf and /etc/hostconfig to properly configure our NTP server, but I can't seem to identify the proper syntax to restart the service from the command line. I tried using killall, but it seems to check user processes instead of system processes by default. I have a feeling I'm missing something obvious here...

    I had tried that, but I get the error "no matching processes were found". Perhaps I had already killed it and it was no longer running...
    I also tried "SystemStarter restart NetworkTime". This appears to work, but if sent via ARD as a "Send UNIX command", it fails.
    Anyway, the "killall ntpd" works, so I think I'm just losing my mind... Thanks.

  • How to setup high availability and high precision Local NTP Service in Server2008R2?

    Hi guys,
    We have some servers on VMs, and we hope that the error between 2 server's clock MUST be smaller than 1 sec.
    For some reason, these servers can't access the internet. So, we suggest that we should setup some local NTP servers.
    For example, we want servers[10.10.10.1~10.10.10.6] to be the NTP server, and all clocks on servers[10.10.10.1~10.10.10.120] are synchronized automatically. How can we config NTP servers and clients?
    And when some NTP server's system clock changes suddenly (e.g. when some physical machine is down, and we move the VM onto a new one, the system clock may change), how can we detect the change and fix the error?
    BTW, it says that "The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such." (http://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx).
    Can we still use W32TIME? Because Non-microsoft software may cause a VERY LONG term examination in our company, and we prefer a microsoft solution.
    Sorry for the bad english.
    Kind regards,
    M.Sheng
    Alexander

    Hi sjmind,
    In domain environment, all computer clocks in an AD DS domain are synchronized with the time of an authoritative computer. Many factors can affect time synchronization on a network.
    An AD DS forest has a predetermined time synchronization hierarchy. The Windows Time service synchronizes time between computers within the hierarchy, with the most accurate reference clocks at the top. Therefore it is impossible to use multi computer as the authority of time source.
    You can refer the following KB to plan how to sync your domain computer time.
    Configuring the Windows Time service to use an external time source
    http://support.microsoft.com/kb/816042
    Configuring a time source for the forest
    http://technet.microsoft.com/en-us/library/cc784800(v=ws.10)
    I’m glad to be of help to you!

  • SAP HR Administrative Services Authorization

    Dear All,
    Can you please guide me for the HRAS Authorizations.
    I have selected the
    P_ASRCONT authorization object
    SAP_ASR_EMPLOYEE
    SAP_ASR_MANAGER
    But still when I process the form, it doesn't go to the next level.
    But When I give SAP_ALL, the form is processing.
    Please guide which objects am I missing.
    Regards,
    Poornimaa

    Hi,
    I don't know the objects by heart and I don't have time to reproduce your scenario. There are plenty of ways to troubleshoot authorisations and in your case I would use authorisation trace (tcode ST01). Setup filtering with your test user-id so reading of the file is very easy.
    Regards,
    Saku

  • Web service authorization problem

    Hi everyone,
    I am trying to call a web service that is located in SAP/R3 using XI.
    I do succeed in calling this WS using C#.
    Now I want to use WebDynpro and am having some difficulties.
    When I execute the application,I get the following error :
    Service call exception; nested exception is: java.net.ConnectException: Connection refused: connect
    Can someone help with that issue ?
    Thanks in advance.

    Hi David,
    Please check this thread...
    java.net.ConnectException: Connection refused: connect - Web Service
    Hope it helps!
    cheers,
    Prashanth
    P.S Please mark helpful answers

  • Short Name for same user results in different service authorization

    New to Mac Server. Not new to Unix, command line, or sys admin.
    I have a Mini Server, with two users; me and my wife.
    Both accounts have two short names each: Initials+Lastname, and First Name only.
    With iChat on the server, my account can log in using both short names.
    Her account can only log in to iChat using the Initials+Lastname, not First Name.
    Actually her account can log in to iChat using any variation of short names (I've added extra ones), but not the short name of just her first name.
    Both users have identical permissions everywhere I can see, both are authorized for iChat.
    The short name works if I remove permissions on iChat (I don't want to do this)
    Both users are OD users, not local. I only have an admin account for local access.
    Here is a snippet of the Jabber log:
    jabberd/c2s[40845]: [11] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=[email protected], TLS negotiated
    jabberd/c2s[40845]: odauth_check_servicemembership: checking user "kaarinas" access for service "chat"
    jabberd/c2s[40845]: odauth_check_servicemembership: mbrcheck_servicemembership returned 0
    jabberd/c2s[40845]: odauth_check_servicemembership: user "kaarinas" is authorized to access service "chat"
    jabberd/c2s[40845]: [11] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=[email protected], TLS negotiated
    jabberd/c2s[40845]: odauth_check_servicemembership: checking user "kaarina" access for service "chat"
    jabberd/c2s[40845]: odauth_check_servicemembership: mbrcheck_servicemembership returned 0
    jabberd/c2s[40845]: odauth_check_servicemembership: user "kaarina" is not authorized to access service "chat"
    I'm stumped as to why one short name would work, the other not. Looking for hints on how to hunt down and solve the problem.

    This isn't working for me. There was never a local "intern2" account, but I deleted the one in the ldap anyway, made and removed the local intern2 account. I then remade the intern2 account in the ldap directory(which increased the uid), rebooted the server, and the error remains the same as what you report.
    Jun  8 13:36:00 server jabberd/c2s[212]: od_auth_check_service_membership: user "intern2" is not authorized to access service "chat"
    There are 12 other accounts connected just fine. The issue is with this new intern account only.
    Server 10.6.6.

  • How to setup NTP service in server 2012 R2 to synch with an external NTP server

    Server 2012 R2 Std as DC
    I have looked at the blogs on setup and could not make sense of them. I did this easily on SBS2008 before I migrated to 2012 R2.
    What is the process to establish the DC server 2012 R2 as the time source.  Right now it is BIOS clock and I wish to move to NTP as the time source.
    Thanks for your help
    John Lenz

    Hi JohnLenz,
    You can use the following command line and refer the following KB:
    w32tm /config /syncfromflags:manual
    w32tm /config /manualpeerlist:<IP_or_FQDN_of_the_time_source>
    Note: please replace "<IP_or_FQDN_of_the_time_source>" with the IP address or FQDN of your NTP server.
    Net stop w32time
    Net start w32time
    The related KB:
    Synchronize the Time Server for the Domain Controller with an External Source
    http://technet.microsoft.com/en-us/library/cc784553(v=ws.10).aspx
    Configure the Time Source for the Forest
    http://technet.microsoft.com/zh-cn/library/cc794937(v=ws.10).aspx
    Configuring a time source for the forest
    http://technet.microsoft.com/en-us/library/cc784800(v=ws.10).aspx
    I’m glad to be of help to you!
