• NTP fails to sync local clock

    From Steve Keller@21:1/5 to All on Mon Sep 23 14:40:01 2024
    This is on a Raspberry Pi 3 with Raspberry Pi OS Bookworm 64 Bit,
    ie. Debian 12. I have uninstalled systemd-timesyncd and installed
    ntpsec, then have commented out the 4 NTP servers {0,1,2,3}.debian.pool.ntp.org, and instead added my own server with

    server -6 my-ntp.my-domain

    When I call ntpdate my-ntp.my-domain manually it steps the time as
    expected. But then, ntpd doesn't sync the local clock to the NTP
    server, although it seems to consider that server's clock stable:

    $ ntpq -p
    remote refid st t when poll reach delay offset jitter
    =================================================================================
    +my-ntp.my-domain 237.17.204.95 2 u 29 64 377 0.4696 -0.0378 0.0196
    $ ntpstat
    unsynchronised
    polling server every 1 s

    I usually see a '*' in the first row to indicate that the local clock
    is in sync with that server. The ntpq(8) man page says about +:

    + │ included by the combine algorithm

    In /var/log or with journalctl I don't see any hint what might be the
    reason. When I let it run, the offset as shown by ntpq grows over
    time.

    Steve

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dan Ritter@21:1/5 to Steve Keller on Mon Sep 23 15:50:01 2024
    Steve Keller wrote:
    This is on a Raspberry Pi 3 with Raspberry Pi OS Bookworm 64 Bit,
    ie. Debian 12. I have uninstalled systemd-timesyncd and installed
    ntpsec, then have commented out the 4 NTP servers {0,1,2,3}.debian.pool.ntp.org, and instead added my own server with

    server -6 my-ntp.my-domain

    When I call ntpdate my-ntp.my-domain manually it steps the time as
    expected. But then, ntpd doesn't sync the local clock to the NTP
    server, although it seems to consider that server's clock stable:

    $ ntpq -p
    remote refid st t when poll reach delay offset jitter
    =================================================================================
    +my-ntp.my-domain 237.17.204.95 2 u 29 64 377 0.4696 -0.0378 0.0196
    $ ntpstat
    unsynchronised
    polling server every 1 s

    I usually see a '*' in the first row to indicate that the local clock
    is in sync with that server. The ntpq(8) man page says about +:

    + │ included by the combine algorithm

    In /var/log or with journalctl I don't see any hint what might be the
    reason. When I let it run, the offset as shown by ntpq grows over
    time.


    Does it work without the -6 option?

    Does it work if you bring back the pool servers?

    -dsr-

  • From Steve Keller@21:1/5 to Dan Ritter on Mon Sep 23 19:30:01 2024
    Dan Ritter <dsr@randomstring.org> writes:

    Does it work without the -6 option?

    No, the same problem. And ntpq shows that IPv6 is also used, when -6
    isn't given. But, my NTP server is used by other hosts in the network
    and that works fine.

    Does it work if you bring back the pool servers?

    Yes, it does. I get many NTP servers (much more than the 4 pool
    entries), one marked with '*', some with '+', some with '#', and a few
    with '-'.

    Can the problem be caused by Debian's change from ntp to ntpsec? Do I
    need to install keys for my NTP server? Quite unusual, that no log
    messages appear in the logs.

    Steve

  • From Dan Ritter@21:1/5 to Steve Keller on Mon Sep 23 20:20:01 2024
    Steve Keller wrote:
    Dan Ritter <dsr@randomstring.org> writes:

    Does it work without the -6 option?

    No, the same problem. And ntpq shows that IPv6 is also used, when -6
    isn't given. But, my NTP server is used by other hosts in the network
    and that works fine.

    Does it work if you bring back the pool servers?

    Yes, it does. I get many NTP servers (much more than the 4 pool
    entries), one marked with '*', some with '+', some with '#', and a few
    with '-'.

    Can the problem be caused by Debian's change from ntp to ntpsec? Do I
    need to install keys for my NTP server? Quite unusual, that no log
    messages appear in the logs.


    Pools don't support ntpsec keys, so that's probably on the right
    track.

    You should also check whether you have a firewall on this host
    blocking NTP from your local network. It would be strange, but
    not impossible.

    -dsr-

  • From George at Clug@21:1/5 to All on Tue Sep 24 01:50:01 2024
    Apologies to all, I previously replied to the wrong email.



    Steve,


    I was not even aware of the move from NTP to NTPsec. Thanks for
    posting. I should [fully] read the release notes.

    https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#changes-to-packages-that-set-the-system-clock
    5.1.2. Changes to packages that set the system clock
    The ntp package, which used to be the default way to set the system
    clock from a Network Time Protocol (NTP) server, has been replaced by
    ntpsec.



    When I did a bit of research I found this comment which seems similar
    to your issue (well at least to me it does):


    https://forums.debian.net/viewtopic.php?t=156136
    /etc/ntpsec/ntp.conf


    Re: NTPSec: no servers found error despite finding the server
    #3 Post by michael_S » 2023-09-26 13:54
    Solved the problem for me. The cause behind this behaviour is the
    following line in /etc/ntpsec/ntp.conf
    tos minclock 4 minsane 3

    The option minsane 3 implies (to my understanding) that the ntpd wants
    at least 3 "good" NTP servers, i.e. servers that somewhat agree. I
    changed this to
    tos minclock 4 minsane 2

    And now it works for me with 2 NTP servers available. If you only have
    a single NTP server, changing this to 1 should work - but naturally
    there won't be any redundancy in there.
    Last edited by michael_S on 2023-09-26 13:55, edited 1 time in total.


    https://docs.ntpsec.org/latest/miscopt.html
    minsane _minsane_

        Specify the number of servers used by the selection algorithm
    as the minimum to set the system clock. The default is 1 for legacy
    purposes; however, for critical applications the value should be
    somewhat higher (e.g. 3) but less than minclock.



    Please let me know if the above solves your problem?


    George.


    https://docs.ntpsec.org/latest/quick.html





    On Monday, 23-09-2024 at 22:21 Steve Keller wrote:


    This is on a Raspberry Pi 3 with Raspberry Pi OS Bookworm 64 Bit,
    ie. Debian 12.  I have uninstalled systemd-timesyncd and installed
    ntpsec, then have commented out the 4 NTP servers {0,1,2,3}.debian.pool.ntp.org, and instead added my own server with

      server -6 my-ntp.my-domain

    When I call ntpdate my-ntp.my-domain manually it steps the time as expected.  But then, ntpd doesn't sync the local clock to the NTP
    server, although it seems to consider that server's clock stable:

      $ ntpq -p
           remote             refid      st t when poll reach   delay   offset   jitter
      =================================================================================
      +my-ntp.my-domain  237.17.204.95    2 u   29   64  377   0.4696  -0.0378   0.0196
      $ ntpstat
      unsynchronised
         polling server every 1 s

    I usually see a '*' in the first row to indicate that the local clock
    is in sync with that server.  The ntpq(8) man page says about +:

      +    │ included by the combine algorithm

    In /var/log or with journalctl I don't see any hint what might be the reason.  When I let it run, the offset as shown by ntpq grows over
    time.

    Steve

  • From Urs Thuermann@21:1/5 to Steve Keller on Tue Sep 24 06:40:01 2024
    Steve Keller <keller.steve@gmx.de> writes:

    When I call ntpdate my-ntp.my-domain manually it steps the time as
    expected. But then, ntpd doesn't sync the local clock to the NTP
    server, although it seems to consider that server's clock stable:

    $ ntpq -p
    remote refid st t when poll reach delay offset jitter
    =================================================================================
    +my-ntp.my-domain 237.17.204.95 2 u 29 64 377 0.4696 -0.0378 0.0196
    $ ntpstat
    unsynchronised
    polling server every 1 s


    In Debian 12 the default /etc/ntpsec/ntp.conf file contains the lines

    # Comment this out if you have a refclock and want it to be able to discipline
    # the clock by itself (e.g. if the system is not connected to the network).
    tos minclock 4 minsane 3

    which means ntpd needs at least 3 servers to choose from. If you
    haven't changed that line and you have only one server configured like
    your output shows, you can never get synchronisation.

    urs

  • From gene heskett@21:1/5 to Steve Keller on Tue Sep 24 07:30:01 2024
    On 9/23/24 13:24, Steve Keller wrote:
    Dan Ritter <dsr@randomstring.org> writes:

    Does it work without the -6 option?

    No, the same problem. And ntpq shows that IPv6 is also used, when -6
    isn't given. But, my NTP server is used by other hosts in the network
    and that works fine.

    Does it work if you bring back the pool servers?

    Yes, it does. I get many NTP servers (much more than the 4 pool
    entries), one marked with '*', some with '+', some with '#', and a few
    with '-'.

    Can the problem be caused by Debian's change from ntp to ntpsec? Do I
    need to install keys for my NTP server? Quite unusual, that no log
    messages appear in the logs.

    Steve

    I personally am running ntpsec here, making this box a level 2 src, and
    have redirected most of my machines to it. But as a client, ntpsec fails
    as it cannot slam the correct time at bootup, apparently only adjust
    drift. So clients should be using chrony, which can force time into sync
    while booting.

    ntpsec bug? IDK, but that's what I found here.

    .

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

  • From Greg Wooledge@21:1/5 to gene heskett on Tue Sep 24 13:10:01 2024
    On Tue, Sep 24, 2024 at 01:27:14 -0400, gene heskett wrote:
    I personally am running ntpsec here, making this box a level 2 src, and have redirected most of my machines to it. But as a client, ntpsec fails as it cannot slam the correct time at bootup, apparently only adjust drift. So clients should be using chrony, which can force time into sync while
    booting.

    It works for everyone else.

    hobbit:~$ ps -ef | grep ntpsec
    ntpsec 855 1 0 Aug31 ? 00:01:50 /usr/sbin/ntpd -p /run/ntpd.pid -c /etc/ntpsec/ntp.conf -g -N -u ntpsec:ntpsec
    greg 575861 1226 0 07:04 pts/14 00:00:00 grep ntpsec

    hobbit:~$ man ntpd
    [...]
    -g, --panicgate
    Allow the first adjustment to be big. This option may appear an
    unlimited number of times.

    Normally, ntpd exits with a message to the system log if the offset
    exceeds the panic threshold, which is 1000 s by default. This
    option allows the time to be set to any value without restriction;
    however, this can happen only once. If the threshold is exceeded
    after that, ntpd will exit with a message to the system log. This
    option can be used with the -q and -x options. See the tinker
    configuration file directive for other options.

    Maybe your NON-DEBIAN system configured something differently. We
    don't know, because we run Debian here on this mailing list.

  • From gene heskett@21:1/5 to Greg Wooledge on Wed Sep 25 06:00:01 2024
    On 9/24/24 07:07, Greg Wooledge wrote:
    hobbit:~$ man ntpd
    [...]
    -g, --panicgate
    Allow the first adjustment to be big. This option may appear an
    unlimited number of times.

    This isn't mentioned in my ntpsec docs. IMO it should be the default.

    Thanks for the advisory Greg.

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

  • From Steve Keller@21:1/5 to All on Sat Sep 28 08:50:01 2024
    Many thanks to Urs and George.

    In Debian 12 the default /etc/ntpsec/ntp.conf file contains the lines

    # Comment this out if you have a refclock and want it to be able to discipline
    # the clock by itself (e.g. if the system is not connected to the network).
    tos minclock 4 minsane 3

    which means ntpd needs at least 3 servers to choose from. If you
    haven't changed that line and you have only one server configured like
    your output shows, you can never get synchronisation.


    That is exactly the change I needed. I commented out the whole line and sync now works.

    Steve
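
Added example (not part of the thread, and not code from Debian or the ntpsec project): a small checker that reads an ntp.conf and reports whether the number of configured time sources can ever reach `minsane`, which is the condition the thread identified. The function names are hypothetical, the sample configurations are constructed from the lines quoted above, and the default of 1 for `minsane` is taken from the ntpsec documentation text George quoted.

```python
DEFAULT_MINSANE = 1  # default stated in the ntpsec miscopt text quoted in the thread

def analyse(conf_text):
    """Return (fixed_sources, has_pool, minsane) for the text of an ntp.conf."""
    fixed, has_pool, minsane = 0, False, DEFAULT_MINSANE
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive in ("server", "peer", "refclock"):
            fixed += 1                          # one line, one time source
        elif directive == "pool":
            has_pool = True                     # may expand to many servers
        elif directive == "tos":
            # tos takes keyword/value pairs; a later tos line overrides an earlier one
            for key, value in zip(args[::2], args[1::2]):
                if key == "minsane" and value.isdigit():
                    minsane = int(value)
    return fixed, has_pool, minsane

def diagnose(conf_text):
    """Return (ok, message); ok is False when the source count can never reach minsane."""
    fixed, has_pool, minsane = analyse(conf_text)
    if has_pool:
        return True, f"pool configured; needs {minsane} agreeing servers at run time"
    if fixed < minsane:
        return False, (f"{fixed} source(s) configured but minsane is {minsane}: "
                       "clock will never be set")
    return True, f"{fixed} source(s) configured, minsane is {minsane}"

# Constructed sample configurations built from the lines quoted in the thread.
SINGLE_SERVER_DEFAULT_TOS = """\
tos minclock 4 minsane 3
# pool 0.debian.pool.ntp.org
server -6 my-ntp.my-domain
"""
SINGLE_SERVER_TOS_COMMENTED = SINGLE_SERVER_DEFAULT_TOS.replace("tos ", "# tos ")
POOL_DEFAULT_TOS = "tos minclock 4 minsane 3\npool 0.debian.pool.ntp.org\n"

if __name__ == "__main__":
    for name, conf in [("single server, default tos", SINGLE_SERVER_DEFAULT_TOS),
                       ("single server, tos commented out", SINGLE_SERVER_TOS_COMMENTED),
                       ("pool, default tos", POOL_DEFAULT_TOS)]:
        print(name, "->", diagnose(conf))
```

Commenting out the `tos` line makes a single server sufficient, but it also removes the requirement that several sources agree before the clock is set; the documentation quoted above recommends a higher `minsane` for critical applications, so adding independent servers is the alternative to lowering it.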
