On Fri, Mar 23, 2012 at 18:35, <schern...@stny.rr.com> wrote:
> [root@HMC1MCP7-/etc/ntp]ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMCLXRF3
> [root@HMC1MCP7-/etc/ntp]ln -s ntpkey_host_HMC1MCP7 ntpkey_iff_HMC1MCP7

4.2.4 crypto_ident() tries to retrieve the IFF group key from filename ntpkey_iff_ISSUER first (which I think would be ntpkey_iff_HMCLXRF3 here), and if that fails, it falls back on ntpkey_iff_HOSTNAME (which would be ntpkey_iff_HMC1MCP7 here).

Given that you saw behavior change to TC when you removed the client link ntpkey_iff_HMC1MCP7, and that ntpkey_IFFkey_HMCLXRF3.3541500807 actually contains the IFF group key encrypted using the client password, I suggest you try on the client

ln -s ntpkey_IFFkey_HMCLXRF3.3541500807 ntpkey_iff_HMC1MCP7

and see if that allows it to authenticate the server. It would be better if the ntpkey_iff_ISSUER name worked, of course.

As you can see, configuring Autokey is intricate and troubleshooting can be tedious. The good news is in 4.2.6 and later there's been some simplification so that in more cases the client configuration is the same across potentially many clients. The bad news is it's not backwards compatible with 4.2.4, so we need a new HOWTO-type document for 4.2.6-and-later Autokey configuration.

Good luck,
Dave Hart
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
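
The lookup order described in the message above, turned into a check of what each candidate link resolves to. This is an added example, not part of the original message and not ntpd code. The function name audit_iff_links is hypothetical, and it assumes the ntpkey_iff_ISSUER then ntpkey_iff_HOSTNAME order and the ntpkey_IFFkey_ file naming as they appear in the thread.

```shell
#!/bin/sh
# Added example, not ntpd code. Assumes the 4.2.4 lookup order from the message:
# ntpkey_iff_ISSUER first, then ntpkey_iff_HOSTNAME, and that IFF key files are
# named ntpkey_IFFkey_<name>.<filestamp> as in the commands quoted in the thread.

# audit_iff_links DIR ISSUER HOSTNAME   (hypothetical helper)
# Prints one line per candidate name, in lookup order.
# Returns 0 if every candidate that exists resolves to an IFFkey file,
#         1 if any existing candidate resolves to some other file,
#         2 if neither candidate exists.
audit_iff_links() {
    dir=$1; issuer=$2; host=$3
    found=0; bad=0
    for name in "ntpkey_iff_$issuer" "ntpkey_iff_$host"; do
        path="$dir/$name"
        # -e follows symlinks, so a dangling link is reported as missing
        if [ ! -e "$path" ]; then
            echo "$name: missing"
            continue
        fi
        found=1
        # Follow the whole symlink chain and keep only the final file name
        target=$(basename "$(readlink -f "$path")")
        case $target in
            ntpkey_IFFkey_*) echo "$name -> $target: IFF key file" ;;
            *) echo "$name -> $target: NOT an IFF key file"; bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return "$bad"
}

# On the client from the thread (names taken from the message):
#   audit_iff_links /etc/ntp HMCLXRF3 HMC1MCP7
```

With the two links quoted at the top of the message, the second candidate is flagged because it resolves to the host key file; after the suggested `ln -s` it resolves to the IFFkey file.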