Date: Thu, 12 Oct 2017 06:51:55 -1000
From: Kent Kuriyama <kent.kuriyama@gmail.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Another 11.1-RELEASE install minor annoyance (ntpd)
Message-ID: <CACArijD0LgS731K7Xdh%2BOcQ1Cicx0k9yzBKiVniW74b2WosmUA@mail.gmail.com>
In-Reply-To: <3967.1507825257@segfault.tristatelogic.com>
References: <CACArijC-urzJYRuA9TanUjan5EFRcStMr=rQ%2BgmcRD_KO6gzAA@mail.gmail.com> <3967.1507825257@segfault.tristatelogic.com>

The danger of enabling ntpdate (or configuring ntpd to accept large time deltas) is that you are putting a great deal of trust in the ntp time source. If the time source is off, incorrect time will be propagated to your entire network.

This actually happened to a large Windows enterprise. The GPS-linked ntp server freaked out and advanced 17 years into the future. Because the Windows domain controllers were configured to blindly accept the ntp server time, everyone's clock was advanced 17 years. This caused all kinds of problems since certificates were now considered expired.

Enabling ntpdate must be done knowing what the possible consequences are. In my case I don't run a large enterprise ;-).

On Thu, Oct 12, 2017 at 6:20 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

>
> In message <CACArijC-urzJYRuA9TanUjan5EFRcStMr=rQ+gmcRD_KO6gzAA@mail.gmail.com>
> Kent Kuriyama <kent.kuriyama@gmail.com> wrote:
>
> >What is happening is that your system clock is so far off that ntpd starts
> >up and then shuts down because the time delta is too great.
> >
> >I just enable ntpdate. In /etc/rc.conf I have the lines:
> >
> >ntpdate_enable="YES"
> >ntpdate_flags="-b"   # Causes ntpdate to step the time regardless of delta
> >
> >Reboot the system, this should fix your problem.
>
>
> Ah, yep. That certainly cleared up the problem. Thanks.
>
>
> P.S. One cannot help but wonder why ntpdate isn't enabled by default,
> since it is clearly so useful. Should I file a formal PR to make this
> suggestion?
>

--
Kent, kent.kuriyama@gmail.com
(858) 522 9582
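
Added example, not part of the original message or of FreeBSD: one way to limit the trust placed in a single time source before stepping the clock is to query several independent servers and step only when a majority of them agree. The sketch assumes offsets are read from `ntpdate -q` style lines; the sample output, the addresses, the thresholds and the function names are all constructed for illustration.

```python
import re
from statistics import median

# Constructed sample in the style of `ntpdate -q` output (documentation addresses).
# 192.0.2.10 plays the faulty source, roughly 17 years (536479200 s) ahead.
SAMPLE = """\
server 192.0.2.10, stratum 1, offset 536479200.123456, delay 0.02570
server 192.0.2.20, stratum 2, offset -0.812345, delay 0.03120
server 192.0.2.30, stratum 2, offset -0.798001, delay 0.04011
server 192.0.2.40, stratum 0, offset 0.000000, delay 0.00000
"""

LINE = re.compile(r"^server (\S+), stratum (\d+), offset ([-+]?\d+\.\d+), delay")

def parse_offsets(text):
    """Return {server: offset_seconds}, skipping servers that did not answer."""
    offsets = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(2)) > 0:  # assumption: stratum 0 means no usable reply
            offsets[m.group(1)] = float(m.group(3))
    return offsets

def evaluate(offsets, agree_tol=0.5, min_sources=3):
    """Decide whether a step is safe: (action, consensus_offset, outliers).

    A step of any size is allowed only when a strict majority of at least
    `min_sources` sources agree with each other to within `agree_tol` seconds.
    """
    if len(offsets) < min_sources:
        return ("refuse", None, sorted(offsets))
    mid = median(offsets.values())
    agree = {s: o for s, o in offsets.items() if abs(o - mid) <= agree_tol}
    outliers = sorted(set(offsets) - set(agree))
    if 2 * len(agree) <= len(offsets):
        return ("refuse", None, outliers)
    return ("step", median(agree.values()), outliers)

if __name__ == "__main__":
    action, offset, outliers = evaluate(parse_offsets(SAMPLE))
    print(action, offset, "ignored:", outliers)
```

A machine whose own clock is far off at boot still gets corrected, because all healthy sources then report the same large offset; only a source that disagrees with the majority is ignored.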