configure the ntp server


Upload: htoomawe

Post on 25-May-2017


Quick HOWTO : Ch24 : The NTP Server

From Linux Home Networking

Contents

1 Introduction

2 Download and Install The NTP Package

3 The /etc/ntp.conf File

4 Managing the ntpd Server

5 Testing And Troubleshooting NTP

5.1 Verifying NTP is Running

5.2 Doing An Initial Synchronization

5.3 Determining If NTP Is Synchronized Properly

5.4 Your Linux NTP clients cannot Synchronize Properly

5.5 Fedora Core 2 File Permissions

6 Configuring Cisco Devices To Use An NTP Server

6.1 Cisco IOS

6.2 CATOS

7 NTP Security

7.1 Firewalls and NTP

7.2 NTP Authentication

8 Configuring A Windows NTP Client

9 Conclusion

Introduction

The Network Time Protocol (NTP) is a protocol used to help synchronize your Linux system's clock with an accurate time source. There are that allow the general public to synchronize with them. They are divided into two types:


Quick HOWTO : Ch24 : The NTP Server - Linux Home Networking http://www.linuxhomenetworking.com/wiki/index.php/Quick_H...

1 of 8 12/04/2014 5:42 AM


Stratum 1: NTP sites using an atomic clock for timing.

Stratum 2: NTP sites with slightly less accurate time sources.

It is good practice to have at least one server on your network be the local time server for all your other devices. This makes the correlation of system events on different systems much easier. It also reduces Internet bandwidth usage due to NTP traffic and reduces the need to manage firewall rules for each NTP client on your network. Sometimes, not all your servers will have Internet access; in such cases you'll need a central server that all can access.

For a list of available Stratum 1 and 2 servers consult http://www.ntp.org/

Download and Install The NTP Package

Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", has all the details.

When searching for the file, remember that the NTP RPM's filename usually starts with the word ntp followed by a version number as in ntp-4.1.2-5.i386.rpm.

The /etc/ntp.conf File

The /etc/ntp.conf file is the main configuration file for Linux NTP in which you place the IP addresses of the stratum 1 and stratum 2 servers you want to use. Here are the steps to create a configuration file using a pair of sample Internet-based NTP servers:

1) First we specify the servers you're interested in:

server otherntp.server.org # A stratum 1 server at server.org
server ntp.research.gov # A stratum 2 server at research.gov

2) Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

3) If this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, then you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement removing the noquery keyword to allow the network to query your NTP server. The syntax is:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap


In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

4) We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:

restrict 127.0.0.1

5) Save the file and restart NTP for these settings to take effect. You can now configure other Linux hosts on your network to synchronize with this new master NTP server in a similar fashion.
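The access rules from steps 2 to 4 can be checked mechanically before ntpd is restarted. The following Python audit is an added example, not part of the original HOWTO; the function names and the deliberately weak second configuration are constructed for illustration, and only the server and restrict forms used on this page are handled.

```python
import ipaddress

HOST_MASK = "255.255.255.255"        # ntpd's default when "mask" is omitted
UPSTREAM_FLAGS = {"nomodify", "notrap", "noquery"}   # step 2 on this page
CLIENT_FLAGS = {"nomodify", "notrap"}                # step 3 on this page

# The configuration built in steps 1-4 of this page.
PAGE_CONF = """\
server otherntp.server.org   # A stratum 1 server at server.org
server ntp.research.gov      # A stratum 2 server at research.gov
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
"""

# Constructed counter-example: keywords dropped, one server and localhost forgotten.
WEAK_CONF = """\
server otherntp.server.org
server ntp.research.gov
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrap
"""


def parse(conf_text):
    """Return (servers, restricts); restricts maps address -> (mask, flags)."""
    servers, restricts = [], {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()     # drop trailing comments
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            mask, flags = HOST_MASK, words[2:]
            if len(flags) >= 2 and flags[0] == "mask":
                mask, flags = flags[1], flags[2:]
            restricts[words[1]] = (mask, set(flags))
    return servers, restricts


def audit(conf_text):
    """List every deviation from the access rules described in steps 2-4."""
    servers, restricts = parse(conf_text)
    findings = []
    for srv in servers:
        if srv not in restricts:
            findings.append(f"{srv}: upstream server has no restrict line")
            continue
        mask, flags = restricts[srv]
        if mask != HOST_MASK:
            findings.append(f"{srv}: mask {mask} covers more than one address")
        if UPSTREAM_FLAGS - flags:
            findings.append(f"{srv}: missing {' '.join(sorted(UPSTREAM_FLAGS - flags))}")
    for addr, (mask, flags) in restricts.items():
        if addr in servers or mask == HOST_MASK:
            continue                             # single hosts are covered above
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if CLIENT_FLAGS - flags:
            findings.append(f"{net}: missing {' '.join(sorted(CLIENT_FLAGS - flags))}")
    if "127.0.0.1" not in restricts:
        findings.append("127.0.0.1: no restrict line for localhost")
    elif restricts["127.0.0.1"][1]:
        findings.append("127.0.0.1: localhost should carry no restricting keywords")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("weak", WEAK_CONF)):
        print(name, audit(conf) or "OK")
```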

Managing the ntpd Server

Managing the ntpd daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind.

1. Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations. The most commonly used daemon management systems are SysV and Systemd.

2. Secondly, the daemon name needs to be known. In this case the name of the daemon is ntpd.

Armed with this information you can know how to:

1. Start your daemons automatically on booting

2. Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.

For more details on this, please take a look at the "Managing Daemons" section of Chapter 6 "Installing Linux Software"

Note: Remember to configure your daemon to start automatically upon your next reboot.

Testing And Troubleshooting NTP

After configuring and starting NTP, you should test it to make sure it is working. Here are some guidelines you can follow to get NTP working correctly.

Verifying NTP is Running

To test whether the NTP process is running use the command

[root@bigboy tmp]# pgrep ntpd


You should get a response of plain old process ID numbers.

Doing An Initial Synchronization

If the time on the local server is very different from that of its primary time server your NTP daemon will eventually terminate itself leaving an error message in the /var/log/messages file. You should run the ntpdate -u command to force your server to become instantly synchronized with its NTP servers before starting the NTP daemon for the first time. The ntpdate command doesn't run continuously in the background; you will still have to run the ntpd daemon to get continuous NTP updates.

Take a look at some sample output of the ntpdate command in which a server whose initial time was set to midnight was correctly set to 8:03 am.

The date was originally set to midnight which was verified by using the date command.

[root@smallfry tmp]# date
Thu Aug 12 00:00:00 PDT 2004
[root@smallfry tmp]#

The ntpdate command is run three times to synchronize smallfry's clock to server 192.168.1.100, but it must be run while the ntpd process is stopped. So you'll have to stop ntpd, run ntpdate and then start ntpd again.

[root@smallfry tmp]# systemctl stop ntpd.service
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:38 ntpdate[2472]: step time server 192.168.1.100 offset 28993.084943 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:40 ntpdate[2472]: step time server 192.168.1.100 offset 2.467652 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:42 ntpdate[2472]: step time server 192.168.1.100 offset 0.084943 sec
[root@smallfry tmp]# systemctl start ntpd.service
[root@smallfry tmp]#

The date is now corrected.

[root@smallfry tmp]# date
Thu Aug 12 08:03:45 PDT 2004
[root@smallfry tmp]#

Determining If NTP Is Synchronized Properly

Use the ntpq command to see the servers with which you are synchronized. It provides you with a list of configured time servers and the delay, offset and jitter that your server is experiencing with them. For correct synchronization, the delay and offset values should be non-zero and the jitter value should be under 100.

[root@bigboy tmp]# ntpq -p


Here is some sample output of the command:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00

Your Linux NTP clients cannot Synchronize Properly

A telltale sign that you haven't got proper synchronization is when all the remote servers have jitter, delay and reach values of 0. In some older versions of Fedora, the jitter values will be 4000.

     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000

This could be caused by the following:

Older versions of the NTP package that don't work correctly if you use the DNS name for the NTP servers. In these cases you will want to use the actual IP addresses instead.

A firewall blocking access to your Stratum 1 and 2 NTP servers. This could be located on one of the networks between the NTP server and its time source, or firewall software such as iptables could be running on the server itself.

The notrust nomodify notrap keywords are present in the restrict statement for the NTP client. In some versions of the Fedora Core 2's implementation of NTP, clients will not be able to synchronize with a Fedora Core 2 time server unless the notrust nomodify notrap keywords are removed from the NTP client's restrict statement.

In this example the restrict statement has only the client network defined without any keywords and the configuration line that works with other NTP versions has been commented out:

# -- CLIENT NETWORK -------
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
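The rules of thumb from the last two sections (a selected server, jitter under 100, and not every remote server stuck at reach 0) can be applied to ntpq -p output automatically, for example from a monitoring job. This Python check is an added example, not part of the original HOWTO; the function names are assumptions, and the two sample outputs are the ones shown on this page.

```python
# Sample `ntpq -p` outputs taken from this page.
SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
"""
UNSYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000
"""


def parse_peers(output):
    """Turn `ntpq -p` text into one dict per peer row."""
    peers = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 10 or f[0] == "remote":     # skip header and separator
            continue
        # '*' marks the server ntpd is synchronized to; '+', '-' and '#' mark
        # other selection states. None of them can start a host name.
        tally = f[0][0] if f[0][0] in "*+-#" else " "
        peers.append({
            "tally": tally,
            "remote": f[0][1:] if tally != " " else f[0],
            "type": f[3],                        # 'l' is the local clock driver
            "reach": int(f[6], 8),               # reach is printed in octal
            "delay": float(f[7]),
            "offset": float(f[8]),
            "jitter": float(f[9]),
        })
    return peers


def assess(output):
    """Apply this page's synchronization rules of thumb to `ntpq -p` output."""
    remote = [p for p in parse_peers(output) if p["type"] != "l"]
    dead = [p["remote"] for p in remote if p["reach"] == 0]
    sys_peer = next((p for p in remote if p["tally"] == "*"), None)
    problems = []
    if not remote or len(dead) == len(remote):
        problems.append("no remote server has answered a poll (reach 0)")
    elif sys_peer is None:
        problems.append("no remote server selected (no '*' row)")
    else:
        if sys_peer["jitter"] >= 100:
            problems.append("jitter of the selected server is 100 or more")
        # Applied conservatively: flag only when delay and offset are both zero.
        if sys_peer["delay"] == 0 and sys_peer["offset"] == 0:
            problems.append("delay and offset of the selected server are zero")
    return {"synchronized": not problems, "dead": dead, "problems": problems,
            "sys_peer": sys_peer["remote"] if sys_peer else None}
```

In production the text would come from running ntpq -p on the server being checked; servers listed under "dead" are worth following up even when the host as a whole is synchronized.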

Fedora Core 2 File Permissions


All the Fedora/RedHat NTP daemons write temporary files to the /etc/ntp directory. Unfortunately, in Fedora Core 2, the permissions on this directory don't allow writing of temporary files. Instead you have to set the group and owner of the directory to be ntp.

[root@bigboy tmp]# chown ntp:ntp /etc/ntp

If you don't, you'll get errors like this in the /var/log/messages file.

Aug 12 00:29:45 smallfry ntpd[2097]: can't open /etc/ntp/drift.TEMP: Permission denied

Configuring Cisco Devices To Use An NTP Server

You can use NTP to synchronize time on a variety of devices including networking equipment. I have included the necessary NTP commands for a variety of Cisco Systems products because it is one of the most popular manufacturers of networking equipment and would feature in the overall architectures of many home office/small office (SOHO) environments and corporate departments.

Cisco IOS

To make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201, use the commands:

ciscorouter> enable
password: *********
ciscorouter# config t
ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit
ciscorouter# wr mem

The ntp server command forms a server association with another system, and ntp update-calendar configures the system to update its hardware clock from the software clock at periodic intervals.

CATOS

To make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201, use the commands:

ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# ntp server 192.168.1.100
ciscoswitch# ntp server 192.168.1.201
ciscoswitch# exit

The ntp server command forms a server association with another system, and set ntp client enable activates the NTP client.

NTP Security

You should always be aware of how NTP can be affected by your network's security policy. Here are some common areas of concern.

Firewalls and NTP

NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (above 1023), but 123 also. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.

A sample Linux iptables firewall script snippet is in Appendix II, "Codes, Scripts, and Configurations".

NTP Authentication

There may be cases where you want to not only restrict NTP synchronization to specific networks but also to require a synchronization password. This is beyond the scope of this book, but is covered in detail at the NTP website www.ntp.org.

Configuring A Windows NTP Client

Windows clients that are part of an Active Directory domain automatically get their time synchronized from the domain server. If your client is not part of a domain you can add your new NTP server to your Windows client. Here's how:

1. Click on the time at the bottom right hand side of your screen.

2. Click on the "Internet Time" tab of the dialog box

3. Click the check box labeled "Automatically synchronize with an Internet time server" and enter the name or IP address in the box underneath it.

4. Click on the "Update Now" button

You will get a message saying "Your time has been successfully synchronized" when the operation is complete.

Conclusion

It is important that all the systems under your control have the same accurate time. It can help to give a very clear indication of a chain of events that involve multiple devices and it can also help in the synchronization of time-sensitive transactions.


Having an NTP server on your local network can make this easier to do. Sometimes it isn't desirable for all your NTP clients to have access to the Internet to synchronize with stratum 1 and 2 servers. Even when they all have access, there is the risk of them losing synchronization if the central connection to the Internet is lost. The maintenance of firewall rules for multiple NTP connections to the Internet can also be daunting, especially if the management of the firewall is handled by another group.

A local NTP server can ensure that the clients all have the same time relative to the server even when Internet connectivity is temporarily lost, thereby reducing the problems of them being out of synchronization with each other. The firewall rules can also be greatly simplified. A local NTP server is frequently a good thing to have for these reasons.

Retrieved from "http://www.linuxhomenetworking.com/wiki/index.php?title=Quick_HOWTO_:_Ch24_:_The_NTP_Server&oldid=4349"

This page was last modified on 10 August 2012, at 06:54.

Content is available under Attribution-NonCommercial-NoDerivs 2.5 .
