Administration Guide Draft/NTP

What is NTP
The Network Time Protocol (NTP) allows a computer to synchronize its clock with an external authoritative time source and to provide accurate time to clients on the local network. Fedora provides this functionality through the ntpd server. The ntpd daemon and associated utilities are provided by the ntp rpm package.

Installing NTP server
To install the Network Time Protocol Server, run:

su -c '/usr/bin/yum install ntp'

Configuring the NTP server
The configuration of the NTP server is managed through:

/etc/sysconfig/ntp:: Configuration file for the ntpd daemon start-up options.
/etc/ntp.conf:: The main configuration file for the server and client.
/etc/ntp/:: Contains the remaining files necessary to set the server up.

Before configuring the NTP server and starting the ntpd daemon, it is important to perform an initial time synchronization of the system clock. The ntpd daemon will not perform the initial synchronization at start-up if the system clock deviates too much from the real, accurate time.

To synchronize the system time with the public NTP server pool, run:

su -c '/usr/sbin/ntpdate -b pool.ntp.org'

Admonition("Note","pool.ntp.org is the project that manages a cluster of publicly available time servers across the world. Its clever DNS round-robin setup greatly reduces the load on individual time servers and helps reduce the bandwidth cost for operators and users by utilizing  data. The response to the ntpdate command above will likely come from a geographically close time server.")

Access Controls
The NTP server provides a resource to remote systems and clients, which calls for certain security measures to be enforced. Access control parameters are adjustable and are defined in the /etc/ntp.conf file using the following format:

restrict  parameter

The most commonly used parameters are:

ignore:: Deny all packets and queries
kod:: Send Kiss-Of-Death packet on access violation
nomodify:: Deny ntpq / ntpdc queries that attempt to modify the server
notrap:: Deny control message trap service
noquery:: Deny all ntpq / ntpdc queries
noserve:: Deny all queries - except ntpq / ntpdc
notrust:: Deny access unless cryptographically authenticated
nopeer:: Deny all packets that attempt to establish a peer association

Admonition("Tip","Omit all parameters to grant full access to the NTP server.")

/etc/ntp.conf
To allow full control to the localhost, add the following entry:

restrict 127.0.0.1

The default configuration file has the pool of time servers listed:

server 0.fedora.pool.ntp.org dynamic
server 1.fedora.pool.ntp.org dynamic
server 2.fedora.pool.ntp.org dynamic

Admonition("Note","The listed servers are used in this guide. Consider changing the default entries to public servers that are available in your country or region to ensure faster responses and better handling of network load.")

Restrict the listed servers from querying or modifying the local NTP server:

restrict 0.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery

Allow clients from the internal subnet to query the server (adjust the subnet address, if needed):

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
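
How the restrict entries above apply to a given client, as an added example that is not part of the original guide: ntpd uses the flags of the most specific matching address/mask entry. The `restrict default` line in the sample is an assumption not shown on this page, hostname entries are skipped because they need DNS, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: the page's numeric restrict lines plus an assumed
# "restrict default" entry that is not shown on the page.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 127.127.1.0     # local clock
"""

def parse_restrict(conf):
    """Map each numeric IPv4 restrict entry to its set of flags."""
    # ntpd always has a default entry; unconfigured, it carries no flags.
    rules = {ipaddress.ip_network("0.0.0.0/0"): frozenset()}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        mask = "255.255.255.255"              # no mask given: a single host
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if rest[:1] == ["mask"] and len(rest) >= 2:
            mask, rest = rest[1], rest[2:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue                          # hostname entry: needs DNS, skipped
        rules[net] = rules.get(net, frozenset()) | frozenset(rest)
    return rules

def effective_access(rules, client):
    """What the most specific matching entry still lets this IPv4 client do."""
    ip = ipaddress.ip_address(client)
    net = max((n for n in rules if ip in n), key=lambda n: n.prefixlen)
    flags = rules[net]
    query = not flags & {"ignore", "noquery"}
    return {
        "time": not flags & {"ignore", "noserve"},    # ordinary time requests
        "query": query,                               # ntpq / ntpdc read access
        "modify": query and "nomodify" not in flags,  # ntpq / ntpdc changes
    }

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for client in ("127.0.0.1", "192.168.1.50", "203.0.113.7"):
        print(client, effective_access(rules, client))
```

Running it against a file with no `restrict default` line shows that any host outside the listed entries keeps full access, which is the case to look for when reviewing a configuration.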

Complete the configuration file with the following entries:

server         127.127.1.0     # local clock
fudge          127.127.1.0 stratum 10
driftfile      /var/lib/ntp/drift
broadcastdelay 0.008
keys           /etc/ntp/keys

The entries above provide the following:

server:: Specifies that a server is running on the host (own local clock)
fudge:: Passes additional information to the clock driver
stratum 10:: Manually sets the Stratum the server should operate at (1-15)
driftfile:: Specifies the location of the file that holds calculated clock frequency offset
broadcastdelay:: Sets the propagation delay from the server when broadcasting
keys:: Stores a list of keys needed for any cryptographic links

Admonition("Note","Stratum levels define the distance from the reference clock in the NTP hierarchy. Stratum 0 devices are reference clocks assumed to operate with very little or "zero" delay, and they synchronize their clock to UTC over GPS, long wave radio, or similar links. They cannot be used on the network and are attached to Stratum 1 servers directly, for example through an RS-232 serial port. Stratum 1 servers provide time synchronization over network links to Stratum 2 servers and so on, to Stratum 15. The higher the Stratum level, the less accurate the time source, estimated to be in a range of 10 - 100 ms per Stratum level.")

Admonition("Tip","When determining the stratum of your server, first consider who you are providing time to. If you are only using the system for yourself and passing the time on to a few workstations, then your stratum can safely be left at 10. If you are using the system for a large-scale network, then plan your time servers and strata effectively.")

To start the NTP server, run:

su -c '/sbin/service ntpd start'

To enable the NTP server at boot time, run:

su -c '/sbin/chkconfig ntpd on'

By default, the ntpd daemon logs messages to the system log. An alternate log file may be specified in /etc/ntp.conf:

logfile /var/log/ntpd.log

The alternate log file must be writable by the ntp user.

To test the proper operation of the NTP server, run:

/usr/sbin/ntpq -pn

The initial output of the command is similar to:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 66.118.163.120  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 202.135.38.18   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 208.113.193.10  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 127.127.1.0     .LOCL.          10 l    -   64    1    0.000    0.000   0.001

Running the same command again after a few seconds should produce output similar to:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 66.118.163.120  198.82.1.202     3 u   20   64    1  208.157   14.189   0.001
 202.135.38.18   131.203.16.6     2 u   20   64    1   22.891   13.406   0.001
 208.113.193.10  132.239.1.6      2 u   20   64    1  145.721    8.078   0.001
 127.127.1.0     .LOCL.          10 l   20   64    1    0.000    0.000   0.001

The above output shows a properly synchronised time server drawing from NTP pool allocated sources. Notice that the local server is running at a stratum of 10.

Admonition("Tip","The clients on the local network will not be able to use the service until the  time is stable. This may take up to 15 minutes after the ntpd daemon is started.")
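
The check described above can be scripted. The following is an added example, not part of the original guide: it parses the two `ntpq -pn` listings from this page (embedded as sample input) and reports which network peers have answered with a valid stratum. Function names are illustrative.

```python
# Sample input: the two `ntpq -pn` listings shown on this page.
INITIAL = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 66.118.163.120  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 202.135.38.18   .INIT.          16 u    -   64    0    0.000    0.000   0.000
 208.113.193.10  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 127.127.1.0     .LOCL.          10 l    -   64    1    0.000    0.000   0.001
"""
LATER = """\
 66.118.163.120  198.82.1.202     3 u   20   64    1  208.157   14.189   0.001
 202.135.38.18   131.203.16.6     2 u   20   64    1   22.891   13.406   0.001
 208.113.193.10  132.239.1.6      2 u   20   64    1  145.721    8.078   0.001
 127.127.1.0     .LOCL.          10 l   20   64    1    0.000    0.000   0.001
"""

def parse_peers(text):
    """Return one dict per peer row of `ntpq -pn` output."""
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10 or not f[2].isdigit():
            continue                           # header, separator or blank line
        peers.append({
            "remote": f[0].lstrip("*+-#xo"),   # drop ntpq's tally character
            "refid": f[1],
            "stratum": int(f[2]),
            "reach": int(f[6], 8),             # reach is printed in octal
            "offset_ms": float(f[8]),
        })
    return peers

def usable_upstreams(peers):
    """Network peers that have answered and report a valid stratum."""
    return [p["remote"] for p in peers
            if not p["remote"].startswith("127.127.")   # local reference clock
            and p["reach"] != 0 and p["stratum"] < 16]

if __name__ == "__main__":
    for name, text in (("initial", INITIAL), ("later", LATER)):
        print(name, usable_upstreams(parse_peers(text)))
```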

Related Website

 * http://www.pool.ntp.org
