Date:      Thu, 12 Oct 2017 06:51:55 -1000
From:      Kent Kuriyama <kent.kuriyama@gmail.com>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Another 11.1-RELEASE install minor annoyance (ntpd)
Message-ID:  <CACArijD0LgS731K7Xdh%2BOcQ1Cicx0k9yzBKiVniW74b2WosmUA@mail.gmail.com>
In-Reply-To: <3967.1507825257@segfault.tristatelogic.com>
References:  <CACArijC-urzJYRuA9TanUjan5EFRcStMr=rQ%2BgmcRD_KO6gzAA@mail.gmail.com> <3967.1507825257@segfault.tristatelogic.com>

The danger of enabling ntpdate (or configuring ntpd to accept large time
deltas) is that you are putting a great deal of trust in the ntp time
source.  If the time source is off, incorrect time will be propagated to
your entire network.

This actually happened to a large Windows enterprise.  The GPS linked ntp
server freaked out and advanced 17 years into the future.  Because the
Windows domain controllers were configured to blindly accept the ntp server
time, everyone's clock was advanced 17 years.  This caused all kinds of
problems since certificates were now considered expired.

Enabling ntpdate must be done knowing what the possible consequences are.
In my case I don't run a large enterprise ;-).

On Thu, Oct 12, 2017 at 6:20 AM, Ronald F. Guilmette <rfg@tristatelogic.com>
wrote:

>
> In message <CACArijC-urzJYRuA9TanUjan5EFRcStMr=rQ+gmcRD_KO6gzAA@mail.gmail.com>
> Kent Kuriyama <kent.kuriyama@gmail.com> wrote:
>
> >What is happening is that your system clock is so far off that ntpd starts
> >up and then shuts down because the time delta is too great.
> >
> >I just enable ntpdate.  In /etc/rc.conf I have the lines:
> >
> >ntpdate_enable="YES"
> >ntpdate_flags="-b"     # Causes ntpdate to step the time regardless of delta
> >
> >Reboot the system, this should fix your problem.
>
>
> Ah, yep.  That certainly cleared up the problem.  Thanks.
>
>
> P.S. One cannot help but wonder why ntpdate isn't enabled by default,
> since it is clearly so useful.  Should I file a formal PR to make this
> suggestion?
>



-- 
Kent, kent.kuriyama@gmail.com
(858) 522 9582



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACArijD0LgS731K7Xdh%2BOcQ1Cicx0k9yzBKiVniW74b2WosmUA>
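
One way to limit the trust placed in a single time source, as an added example that is not part of the original message: query several independent servers and accept an offset only when a strict majority of them agree on it. The sample text is constructed in the style of `ntpdate -q` output; the function names, addresses and thresholds are assumptions.

```python
import re
from statistics import median

# Constructed sample in the style of `ntpdate -q` output (offsets in seconds).
# The first source mimics the incident above: a server about 17 years ahead.
SAMPLE = """\
server 192.0.2.10, stratum 1, offset 536479200.000000, delay 0.02571
server 192.0.2.20, stratum 2, offset 0.013402, delay 0.03110
server 192.0.2.30, stratum 2, offset -0.004877, delay 0.04526
server 192.0.2.40, stratum 0, offset 0.000000, delay 0.00000
"""

LINE = re.compile(r"server (\S+), stratum (\d+), offset ([-+]?\d+\.\d+), delay")
STEP_THRESHOLD = 0.128  # ntpd's default step threshold (128 ms)


def parse(text):
    """Return {server: offset} for sources that actually answered."""
    offsets = {}
    for m in LINE.finditer(text):
        server, stratum, offset = m.group(1), int(m.group(2)), float(m.group(3))
        if 1 <= stratum <= 15:  # stratum 0 or 16 means no usable reply
            offsets[server] = offset
    return offsets


def decide(text, min_sources=3, agree_within=1.0):
    """Return (action, offset, rejected); action is 'step', 'ok' or 'refuse'."""
    offsets = parse(text)
    if len(offsets) < min_sources:
        # Too few independent sources to cross-check: trust none of them.
        return ("refuse", None, sorted(offsets))
    mid = median(offsets.values())
    agree = {s: o for s, o in offsets.items() if abs(o - mid) <= agree_within}
    rejected = sorted(set(offsets) - set(agree))
    if len(agree) * 2 <= len(offsets):
        # No strict majority clusters around the median: sources disagree.
        return ("refuse", None, rejected)
    consensus = sum(agree.values()) / len(agree)
    action = "step" if abs(consensus) > STEP_THRESHOLD else "ok"
    return (action, consensus, rejected)


if __name__ == "__main__":
    print(decide(SAMPLE))
```

A large step is still possible here, for example after a dead RTC battery, but only when most of the queried servers report the same offset.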