"synchronisation lost" errors for Solaris NTP server


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Operating Systems Solaris "synchronisation lost" errors for Solaris NTP server
# 8  
You should consider installing chrony and doing a comparative test.

See this thread:

NTP synchronised problem in our Centos 7.6 node

The person having issue (above) with ntpd decided to move to chrony due to security considerations (the right decision in my view).

In all my servers, I have disabled ntpd for the same reason (security) and I only run chrony on all servers these days.

ntpd has a very bad and buggy track record (see discussion referenced above).

PS: What version of ntpd are you currently running? I went back and reread all the posts in this thread and did not see the version mentioned.

Code:
ntpq --version

Seems to me the first question to answer is the version of ntp you are running. Lots of people (I have seen over the years) are running obsolete versions, buggy versions, flawed versions, or all of the above.
# 9  
It is NTP v3.

It is production NTP server, so being little more caution before changing anything.

In last part of message, it again reported same lost yesterday. Does it say that, that time is dragging behind by approx second and then NTP service reset it, to bring it back ? Or in absense of any diagnostic tool (like chrony), it is difficult to say this statement ?

Code:
ntp-serv10 # pkginfo -l | grep -i ntp
   PKGINST:  SUNWntpr
      NAME:  NTP, (Root)
      DESC:  Network Time Protocol v3, NTP Daemon and Utilities (xntpd)
   PKGINST:  SUNWntpu
      NAME:  NTP, (Usr)
      DESC:  Network Time Protocol v3, NTP Daemon and Utilities (xntpd)
ntp-serv10 # pkginfo -l SUNWntpr
   PKGINST:  SUNWntpr
      NAME:  NTP, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.9.0,REV=2002.04.06.15.27
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Network Time Protocol v3, NTP Daemon and Utilities (xntpd)
    PSTAMP:  crash20020406153653
  INSTDATE:  Sep 20 2006 17:11
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:       17 installed pathnames
                   8 shared pathnames
                   4 linked files
                  10 directories
                   1 executables
                   9 blocks used (approx)

ntp-serv10 # pkginfo -l SUNWntpu
   PKGINST:  SUNWntpu
      NAME:  NTP, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.9.0,REV=2002.04.06.15.27
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Network Time Protocol v3, NTP Daemon and Utilities (xntpd)
    PSTAMP:  leo20040603152123
  INSTDATE:  Sep 20 2006 17:11
   HOTLINE:  Please contact your local service provider
    STATUS:  completely installed
     FILES:        9 installed pathnames
                   4 shared pathnames
                   4 directories
                   5 executables
                 938 blocks used (approx)

ntp-serv10 # cat /var/adm/messages | grep -i ntp
Dec 11 11:54:33 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 192.168.70.16, stratum=1
Dec 11 14:52:01 ntp-serv10 xntpd[15247]: [ID 774427 daemon.notice] time reset (step) 0.999041 s
Dec 11 14:52:01 ntp-serv10 xntpd[15247]: [ID 204180 daemon.info] synchronisation lost
Dec 11 14:56:54 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 172.28.34.204, stratum=1
Dec 11 14:56:53 ntp-serv10 xntpd[15247]: [ID 774427 daemon.notice] time reset (step) -1.003380 s
Dec 11 14:56:53 ntp-serv10 xntpd[15247]: [ID 204180 daemon.info] synchronisation lost
Dec 11 15:01:34 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 192.168.70.16, stratum=1


Last edited by Neo; 12-13-2019 at 08:54 AM.. Reason: Code Tags, not Quote Tags, Please See YT Video on this: https://youtu.be/4BuPvWJV__k
# 10  
Quote:
Originally Posted by solaris_1977
It is NTP v3.

It is production NTP server, so being little more caution before changing anything.
That is all the reason to move to chrony. Production servers should have software which is less vulnerable.

See the many NTP security vulnerabilities here:

Code:
https://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html

Having servers in production is not a good reason to run insecure code when you could be running much more secure code that works the same or better.

Also, based on my experience, there are no issues cutting over to chrony from ntpd, especially if your version of ntp is keeping time correctly, and even if it was not, chrony is designed to slowly bring system time into compliance.

See also:

NTP NTP : CVE security vulnerabilities, versions and detailed report

Code:
https://www.cvedetails.com/product/3682/NTP-NTP.html?vendor_id=2153

# 11  
NTP might be the least of the security issues here.

Running such an outdated and unpatched version of Solaris (17 years old!) in production is quite unreasonable. There are certainly hundreds of major vulnerabilities on that server. Moreover, assuming a firewall is protecting the server and NTP is the only visible service, you might have issues compiling a recent version of chrony for Solaris 9 anyway.
This User Gave Thanks to jlliagre For This Post:
# 12  
Yes, this internal server, not exposed to internet. It is only NTP service which is open to GPS clock.
I am planning migrate NTP services to RHEL 7.8, which can give better capabilities for handling and troubleshooting.
But we are in change-freeze right now, so can't proceed till January first week.
My concern was more of a managerial concern. Monitoring team scans messages and as soon as they see messages like below, they created a ticket and management gets panic "oh, so our NTP server is dragging time by 1 second and it can impact its 100s of client?".
Code:
ntp-serv10 # cat /var/adm/messages | grep -i ntp | tail -10
Dec 12 17:05:55 ntp-serv10 xntpd[15247]: [ID 774427 daemon.notice] time reset (step) -1.003699 s
Dec 12 17:05:55 ntp-serv10 xntpd[15247]: [ID 204180 daemon.info] synchronisation lost
Dec 12 17:10:31 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 172.28.34.204, stratum=1
Dec 12 17:11:16 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 192.168.70.16, stratum=1
Dec 13 01:39:01 ntp-serv10 xntpd[15247]: [ID 774427 daemon.notice] time reset (step) 0.999076 s
Dec 13 01:39:01 ntp-serv10 xntpd[15247]: [ID 204180 daemon.info] synchronisation lost
Dec 13 01:43:54 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 192.168.70.16, stratum=1
Dec 13 01:43:53 ntp-serv10 xntpd[15247]: [ID 774427 daemon.notice] time reset (step) -1.003393 s
Dec 13 01:43:53 ntp-serv10 xntpd[15247]: [ID 204180 daemon.info] synchronisation lost
Dec 13 01:49:14 ntp-serv10 xntpd[15247]: [ID 854739 daemon.info] synchronized to 192.168.70.16, stratum=1
ntp-serv10 #

BTW, 172.28.42.204 clock was showing disp as 16000 and then it set to 0.70 by itself and now again I see it at 16000
Code:
ntp-serv10 # ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*sea-gps-clock1. .GPS.            1 u  144 1024  377     1.42   -1.026    1.54
 172.28.42.204   .GPS.            1 u  758 1024    0    40.77    0.211 16000.0
+172.28.34.204   .GPS.            1 u  397 1024  375    77.09   -0.831    0.40
ntp-serv10 #
ntp-serv10 # ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*sea-gps-clock1. .GPS.            1 u   70 1024  377     1.56   -0.568    0.89
+172.28.42.204   .GPS.            1 u  278 1024  377    40.56   -0.500    0.70
+172.28.34.204   .GPS.            1 u  323 1024  367    79.24    0.702    0.60
ntp-serv10 #

# 13  
Quote:
Originally Posted by jlliagre
NTP might be the least of the security issues here.

Running such an outdated and unpatched version of Solaris (17 years old!) in production is quite unreasonable. There are certainly hundreds of major vulnerabilities on that server. Moreover, assuming a firewall is protecting the server and NTP is the only visible service, you might have issues compiling a recent version of chrony for Solaris 9 anyway.
Well stated.

Let me be more to the point.

It is a total waste of time to be replying to anyone who is running a 17 year old OS (with a seriously flawed and out-of-date version of NTP), which could be replaced in a day for free with a modern OS (more secure, more reliable, not seriously flawed, and do a much better job for a NTP application).

The original poster is wasting our time, showing a lack of concern for our time, to ask us to sort out a problem on a 17 year old operating system (and not telling us before hand the version(s) they are running), which could be replaced by any "normal" system admin in less than a hour (for free, and do a better and more reliable job).

This is why I wish everyone here at unix.com would slow down (including myself at times) and stop answering questions from posters until the posters first describe the operation system, version numbers, etc. Some here are good at this, some of us are good at this sometimes and then forgot to ask, others seem to like to bypass the "understanding" phase and just post answers without any concern for the user's OS, versions, etc.

Everyone here (including me sometimes, but not often) needs to slow down and ask people who post questions to describe the OS, version, etc. before providing "quick" answers to questions. Jumping to "answers" before having the "right understanding" is not teaching people how to solve problems, it is contributing to the problem (in my view).

Perhaps I need to change the forum rules and make this a posting requirement in 2020?

Editorial Comment:

As a side note, the reason that most computers are hacked with ransomware or other easily acquired malware (easily purchased on the dark web) is that they are running unpatched, antiquated systems and obsolete code. Every system admin, organization and company must keep their computer operating systems up-to-date, fully patched and upgraded to the latest versions. This is very basic. Do not run vulnerable, obsolete code and antiquated operating systems. Update your operation systems, update your apps, make and maintain backups (onsite and offsite). Manage your IT systems, please.
# 14  
It was stated in post#1 that the OS is Solaris 9, and we all know it's outdated.
Later it was stated that it is not hooked to the Internet, so there is no direct threat.
It is pointless to further ride that dead horse.

There is equal config for 3 input devices and only one gets wrong. If the fault would be on the Solaris box then all 3 would be wrong - but it's one.
I keep saying this one input device is wrong.
If there is no alert on other systems then it's perhaps because their ntpd/chronyd is more fault tolerant.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #746
Difficulty: Medium
The Z80 is an 8-bit microprocessor introduced by Zilog.
True or False?

9 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Bash script - Print an ascii file using specific font "Latin Modern Mono 12" "regular" "9"

Hello. System : opensuse leap 42.3 I have a bash script that build a text file. I would like the last command doing : print_cmd -o page-left=43 -o page-right=22 -o page-top=28 -o page-bottom=43 -o font=LatinModernMono12:regular:9 some_file.txt where : print_cmd ::= some printing... (1 Reply)
Discussion started by: jcdole
1 Replies

2. UNIX for Dummies Questions & Answers

"Help with bash script" - "License Server and Patch Updates"

Hi All, I'm completely new to bash scripting and still learning my way through albeit vey slowly. I need to know where to insert my server names', my ip address numbers through out the script alas to no avail. I'm also searching on how to save .sh (bash shell) script properly.... (25 Replies)
Discussion started by: profileuser
25 Replies

3. Solaris

Printer configuration Migration from Solaris 10 "LP" to Solaris 11 "CUPS"

Need to find a way to import an LP printers.conf file to CUPS. I have some new Solaris 11.1 boxes that need to have 300 printers added. (0 Replies)
Discussion started by: os2mac
0 Replies

4. Shell Programming and Scripting

awk command to replace ";" with "|" and ""|" at diferent places in line of file

Hi, I have line in input file as below: 3G_CENTRAL;INDONESIA_(M)_TELKOMSEL;SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL My expected output for line in the file must be : "1-Radon1-cMOC_deg"|"LDIndex"|"3G_CENTRAL|INDONESIA_(M)_TELKOMSEL"|LAST|"SPECIAL_WORLD_GRP_7_FA_2_TELKOMSEL" Can someone... (7 Replies)
Discussion started by: shis100
7 Replies

5. AIX

"too big" and "not enough memory" errors in shell script

Hi, This is odd, however here goes. There are several shell scripts that run in our production environment AIX 595 LPAR m/c, which has sufficient memory 14GB (physical memory) and horsepower 5CPUs. However from time to time we get the following errors in these shell scripts. The time when these... (11 Replies)
Discussion started by: jerardfjay
11 Replies

6. UNIX for Advanced & Expert Users

All alias in .profile lost when "script" command is called

Hi, I was trying to call "script <an ip add>" command from .profile file to log everything whenever anyone logs in to this user. I did the following at the end of .profile. 1) Extracted the IP address who logged in 2) Called script < ip add> . The problem I am facing is all, aliases etc. written... (3 Replies)
Discussion started by: amicon007
3 Replies

7. Linux

NTP treshold "synchronisation lost"

does anyone know how to change the treshold of 128ms in NTP. in order to ignore these alarms: Oct 27 14:44:15 rt1 ntpd: synchronisation lost Oct 27 15:08:25 rt1 ntpd: time reset 0.688591 s Oct 27 15:08:25 rt1 ntpd: synchronisation lost Oct 27 15:28:45 rt1 ntpd: time reset 0.462257 s (0 Replies)
Discussion started by: modcan
0 Replies

8. UNIX for Dummies Questions & Answers

Can you force local NTP server to be accepted as "suitable"?

Is there some way to force the NTP server on a brand-new install to be "suitable" to sync other servers from? (I'm more concerned with synchronization between machines, and less concerned with what the actual time they sync to is) For example, whenever I install fresh from the Fedora DVDs and... (0 Replies)
Discussion started by: jjinno
0 Replies

9. Filesystems, Disks and Memory

Restoring back files from "lost+found" directory

Hi Friends, How can I Restore the Files present under "lost+found" Directory of a FileSystem (in Solaris & Tru64 OS) to their original Locations. Now-a-days I am loosing lots of files in 2 of my Machines, One running Solaris8 and other Tru64(Digital) Unix. Thanx in... (1 Reply)
Discussion started by: dhasarath
1 Replies

Featured Tech Videos