On Thu, Dec 21, 2023 at 02:51:50PM -0500, gene heskett wrote: > can us see your /etc/ntpsec/ntp.conf? And, do you have a > /var/log/ntpsec subdir ownwd by ntpsec:ntpsec?
unicorn:~$ ls -ld /var/log/ntpsec /etc/ntpsec/ntp.conf ls: cannot access '/var/log/ntpsec': No such file or directory -rw-r--r-- 1 root root 1922 Jan 16 2023 /etc/ntpsec/ntp.conf My ntp.conf file was migrated from a Debian 11 /etc/ntp.conf file, with whatever adjustments the ntp -> ntpsec transition scripts did to it. Should be very generic, but here you go. ============================================================================== # /etc/ntpsec/ntp.conf, configuration for ntpd; see ntp.conf(5) for help driftfile /var/lib/ntpsec/ntp.drift leapfile /usr/share/zoneinfo/leap-seconds.list # To enable Network Time Security support as a server, obtain a certificate # (e.g. with Let's Encrypt), configure the paths below, and uncomment: # nts cert CERT_FILE # nts key KEY_FILE # nts enable # You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging. #statsdir /var/log/ntpsec/ #statistics loopstats peerstats clockstats #filegen loopstats file loopstats type day enable #filegen peerstats file peerstats type day enable #filegen clockstats file clockstats type day enable # This should be maxclock 7, but the pool entries count towards maxclock. tos maxclock 11 # Comment this out if you have a refclock and want it to be able to discipline # the clock by itself (e.g. if the system is not connected to the network). tos minclock 4 minsane 3 # Specify one or more NTP servers. # Public NTP servers supporting Network Time Security: # server time.cloudflare.com nts # pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will # pick a different set every time it starts up. Please consider joining the # pool: <https://www.pool.ntp.org/join.html> pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst # Access control configuration; see /usr/share/doc/ntpsec-doc/html/accopt.html # for details. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. restrict default kod nomodify nopeer noquery limited # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 ============================================================================== Now let's look for logs. unicorn:/var/log$ sudo grep ntpsec * [...] syslog.1:2023-12-16T15:01:52.641110-05:00 unicorn ntpd[815]: statistics directory /var/log/ntpsec/ does not exist or is unwriteable, error No such file or directory Well, look at that. I wonder why the ntpsec package didn't create that. Let's take a look at <https://bugs.debian.org/ntpsec> and see if there's already a report for it. Here we go: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049424> "ntpsec: Missing /var/log/ntpsec is logged as an error" So I guess one's expected to create this themselves, but only if they care enough to do it...? Weird.
