ntp, dhcpclient and other stuff

ntp, dhcpclient and other stuff

dalek
      When you connect to a dhcp server from a linux box, the client
will read (if you provide) a lot of interesting stuff. For instance,
in the dhcpclient.leases you would see

lease {
  interface "eth0";
  fixed-address 10.0.0.164;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.1;
  option dhcp-lease-time 14400;
  option dhcp-message-type 5;
  option domain-name-servers 10.0.0.1;
  option dhcp-server-identifier 10.0.0.1;
  option dhcp-renewal-time 7200;
  option ntp-servers 10.0.0.1,10.0.0.11;
  option broadcast-address 10.0.0.255;
  option dhcp-rebinding-time 12600;
  option domain-name "in.domain.com";
  renew 1 2014/02/10 04:58:43;
  rebind 1 2014/02/10 06:51:23;
  expire 1 2014/02/10 07:21:23;
}

If we stick to ntp, the client here knows there are 2 ntp servers dhcp
knows of, and will configure itself to use them. Now it seems the OSX
equivalent is an interface-specific xml file in
/private/var/db/dhcpclient/leases. I looked at mine and, by
comparison, it is rather sparse.

From looking at systemsetup -getnetworktimeserver, it seems that it is
not reading ntp info from dhcp. Why? If you have an OSX server box
doing the authentication, shouldn't it also pass the ntp server it
wants to use (maybe itself) so everyone is in sync within 5 minutes of
each other?

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]
Re: ntp, dhcpclient and other stuff

dalek
On Fri, Feb 14, 2014 at 12:08 AM, Craig Kabis <[hidden email]> wrote:
> /etc/ntp.conf
>
> This matches what is set in System Preferences > Date & Time > Set date and
> time automatically
>
      But, that limits the option to the Apple ntp servers unless you
either manually edit /etc/ntp.conf or use systemsetup to do the same.
If you are using kerberos/open directory that might not be good
enough. i.e. sometimes you do want to use the ntp being provided by
dhcp since hopefully you set the dhcp/dns/ntp/etc server up properly.

Re: ntp, dhcpclient and other stuff

Andreas Schenk-3
Hi Mauricio,

On 14 Feb 2014, at 17:32, Mauricio Tavares <[hidden email]> wrote:
> On Fri, Feb 14, 2014 at 12:08 AM, Craig Kabis <[hidden email]> wrote:
>> /etc/ntp.conf
>>
>> This matches what is set in System Preferences > Date & Time > Set date and
>> time automatically
>>
>      But, that limits the option to the Apple ntp servers unless you
> either manually edit /etc/ntp.conf or use systemsetup to do the same.

No, you can put any value into this field. You can use your own ntp without any problem.

> If you are using kerberos/open directory that might not be good
> enough. i.e. sometimes you do want to use the ntp being provided by
> dhcp since hopefully you set the dhcp/dns/ntp/etc server up properly.

Well, what you want is to use your own ntp. Not necessarily the one provided by DHCP.
On OS X, you can either use the GUI to point the client to your own ntp server or you can use the CLI:
systemsetup -setnetworktimeserver
DHCP is one way to give network info from a central place to the clients.
At this time, OS X does not use DHCP to receive NTP-Server info.

IMHO this is a good thing, because in OD/AD environments, you probably will/should have a system in place
to set this remotely using ssh, ARD, scripting or other management systems.

Setting the time based on DHCP info could be a security concern, because a rogue DHCP Server could cause the client
to use a rogue NTP Server, causing Bad Things (tm) to happen.

HTH,
Andreas


I know you think you understand what you thought I said, but I am not sure, you realize that what you heard is not what I meant. (Alan Greenspan)
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Andreas Schenk
Apple Certified Master Trainer IT 2013
Apple Certified Support Professional 10.9
Apple Certified Technical Coordinator 10.9
Apple Certified System Administrator 10.6
Xsan 2 Administrator
ATSP • AEM
mobile +49 151 15675667 • [hidden email]

Authorised Apple Service Provider • Apple repair services
Member of the Apple Consultants Network • consultants.apple.com/de

Apfelwerk GmbH & Co. KG • Bahnhofstraße 82 • 70806 Kornwestheim •
Stuttgart District Court • HRA 725992 • www.apfelwerk.de

Personally liable partner • Apfelwerk Verwaltungs-GmbH •
Kornwestheim • Stuttgart District Court • HRB 736206 • Managing directors
Hannes Gnad • Roger Haller • Thomas Kemmer • Andreas Schenk
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Re: ntp, dhcpclient and other stuff

dalek
On Sat, Feb 15, 2014 at 6:56 AM, Andreas Schenk
<[hidden email]> wrote:

> Hi Mauricio,
>
> On 14 Feb 2014, at 17:32, Mauricio Tavares <[hidden email]> wrote:
>> On Fri, Feb 14, 2014 at 12:08 AM, Craig Kabis <[hidden email]> wrote:
>>> /etc/ntp.conf
>>>
>>> This matches what is set in System Preferences > Date & Time > Set date and
>>> time automatically
>>>
>>      But, that limits the option to the Apple ntp servers unless you
>> either manually edit /etc/ntp.conf or use systemsetup to do the same.
>
> No, you can put any value into this field. You can use your own ntp without any problem.
>
      But that is still a manual solution.

>> If you are using kerberos/open directory that might not be good
>> enough. i.e. sometimes you do want to use the ntp being provided by
>> dhcp since hopefully you set the dhcp/dns/ntp/etc server up properly.
>
> Well, what you want is to use your own ntp. Not necessarily the one provided by DHCP.
> On OS X, you can either use the GUI to point the client to your own ntp server or you can use the CLI:
> systemsetup -setnetworktimeserver

      Well, first you probably want to know if you are using an ntp
server to begin with

systemsetup -getusingnetworktime

Then

systemsetup -getnetworktimeserver
  or
ntpq -p

should tell you which ntp it is using. But, I was hoping for something
a bit more automagic. :)

> DHCP is one way to give network info from a central place to the clients.
> At this time, OS X does not use DHCP to receive NTP-Server info.
>
      Ok, that's what I wanted to know.

> IMHO this is a good thing, because in OD/AD environments, you probably will/should have a system in place
> to set this remotely using ssh, ARD, scripting or other management systems.
>
      Even though ansible and puppet popped into my mind, I think I
see what you mean. But, sometimes that is not feasible.

> Setting the time based on DHCP info could be a security concern, because a rogue DHCP Server could cause the client
> to use a rogue NTP Server, causing Bad Things (tm) to happen.
>
      But, that is the case with everything. Which is why you can (as
far as ntp is concerned; implementation is up to, well, the
implementer) do ntp with certs if you want. IMHO, you should be able
to select what you want, going from full static implementation to
fully dynamic one (Bonjour?). After all, the server can do some
filtering based on stuff as simple as mac filtering while the client
should be able to do some stuff on its side.

Also, what if the client is a laptop? At home you might want to use
some ntp server without kerberos/OD (relying on cache to login locally
or even just a local account), while at work you want to use the work
ntp so it can talk to the KDC. Yes, you might know you need to change
the ntp, but what about another user like maybe your boss?

If you are concerned about rogue dhcp servers, what if the said server
does mac/ip spoofing and arp poisoning? In that case, just entering
the ip is not good enough; it is about as bad as relying on the SSID
alone to connect to a wifi network.

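As an added example (not code from the thread or from any of its posters), a small Python parser for the ISC dhclient lease format quoted in the first post that pulls `option ntp-servers` and `option dhcp-server-identifier` out of each lease and flags addresses outside an allowlist, which is the kind of client-side check the rogue-DHCP concern raised in the later messages calls for. The sample lease text, the rogue second lease and the allowlists are constructed for the example.

```python
import re

# Constructed sample in ISC dhclient.leases syntax, modelled on the lease
# quoted in the first post; the second block simulates a rogue DHCP server.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 10.0.0.164;
  option routers 10.0.0.1;
  option dhcp-server-identifier 10.0.0.1;
  option ntp-servers 10.0.0.1,10.0.0.11;
  option domain-name "in.domain.com";
  expire 1 2014/02/10 07:21:23;
}
lease {
  interface "eth0";
  fixed-address 10.0.0.164;
  option dhcp-server-identifier 10.0.0.99;
  option ntp-servers 10.0.0.1,198.51.100.7;
  expire 1 2014/02/10 11:21:23;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+(.+?);\s*$", re.M)

def parse_leases(text):
    """Return one dict of option name -> value per lease block, in file order."""
    return [{k: v.strip('"') for k, v in OPTION_RE.findall(body)}
            for body in LEASE_RE.findall(text)]

def ntp_servers(lease):
    """Split the comma-separated ntp-servers option into a list of addresses."""
    return [s.strip() for s in lease.get("ntp-servers", "").split(",") if s.strip()]

def audit_ntp(text, allowed_ntp, allowed_dhcp):
    """Return (lease index, reason, address) for every DHCP or NTP server not allowlisted."""
    findings = []
    for idx, lease in enumerate(parse_leases(text)):
        server = lease.get("dhcp-server-identifier")
        if server and server not in allowed_dhcp:
            findings.append((idx, "unexpected DHCP server", server))
        for ntp in ntp_servers(lease):
            if ntp not in allowed_ntp:
                findings.append((idx, "unexpected NTP server", ntp))
    return findings
```

An empty result from `audit_ntp` means every lease on file named only the expected DHCP and NTP servers; anything else is worth correlating with DHCP server logs before trusting the advertised time source.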