Administration Guide Draft/NTP
Managing Network Time Server
What is NTP
The Network Time Protocol (NTP) allows the computer to synchronize the clock to that of an external authoritative time source and provide the accurate time to clients on the local network. Fedora provides this functionality through the ntpd server. The ntpd daemon and associated utilities are provided by the ntp rpm package.
Installing NTP server
To install the Network Time Protocol Server, run:
su -c '/usr/bin/yum install ntp'
Configuring the NTP server
The configuration of the NTP server is managed through:
/etc/sysconfig/ntp:: Configuration file for the ntpd daemon start-up options.
/etc/ntp.conf:: The main configuration file for the server and client.
/etc/ntp/:: Contains the remaining files necessary to set the server up.
Before configuring the NTP server and starting the ntpd daemon, it is important to perform an initial time synchronization of the system clock. The reason is that the ntpd daemon will not perform the initial synchronization at start-up if the system clock deviates too far from the accurate time.
To synchronize the system time to that of the public ntp server pool, run:
su -c '/usr/sbin/ntpdate -b pool.ntp.org'
Admonition("Note","pool.ntp.org is the project that manages a cluster of publicly available time servers across the world. Its clever DNS round-robin setup greatly reduces the load on individual time servers and aids in reducing the bandwidth cost for the operators and users by utilizing pgeodns data. It is likely that the response to the ntpdate command above will come from the geographically close time server.")
The NTP server provides a resource to remote systems and clients, so access to it should be controlled. Access control parameters are defined in the /etc/ntp.conf file using the following format:
restrict <ipaddress or FQDN> mask <netmask> <parameter> ...
The most commonly used parameters are:
ignore:: Deny all packets and queries
kod:: Send Kiss-Of-Death packet on access violation
nomodify:: Deny ntpq / ntpdc queries that attempt to modify the server
notrap:: Deny control message trap service
noquery:: Deny all ntpq / ntpdc queries
noserve:: Deny all queries - except ntpq / ntpdc
notrust:: Deny access unless cryptographically authenticated
nopeer:: Deny all packets that attempt to establish a peer association
Admonition("Tip","Omit all parameters to grant full access to the NTP server.")
To allow full control to the localhost, add the following entry:
The default configuration file has the pool of time servers listed:
server 0.fedora.pool.ntp.org dynamic
server 1.fedora.pool.ntp.org dynamic
server 2.fedora.pool.ntp.org dynamic
Admonition("Note","The listed servers are used in this guide. Consider changing the default entries to public servers that are available in your country or region to ensure faster responses and better distribution of network load.")
Restrict the listed servers from querying or modifying the local NTP server:
restrict 0.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
Allow clients from the internal subnet to query the server (adjust the subnet address, if needed):
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
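The following added example (not part of the original guide) audits the restrict lines of an ntp.conf-style file and reports what each source is still allowed to do, using the parameter meanings listed above. The sample configuration is constructed from the entries in this guide; the 127.0.0.1 and 10.0.0.0 lines and the function names are assumptions made for illustration.

```python
# Added example: audit the "restrict" lines of an ntp.conf-style file.
# Flag meanings follow the parameter list in this guide.

# Constructed sample assembled from the entries shown in this guide.
# Assumptions: the 127.0.0.1 line (localhost with no flags) and the 10.0.0.0
# line (a subnet accidentally left with no flags).
SAMPLE_CONF = """\
restrict 127.0.0.1
server 0.fedora.pool.ntp.org dynamic
restrict 0.fedora.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0   # constructed entry
"""

# What a source may still do when the given flag is absent.
MISSING_FLAG_RISK = {
    "nomodify": "may modify the server via ntpq/ntpdc",
    "noquery": "may run ntpq/ntpdc queries",
    "notrap": "may use the control message trap service",
}

def parse_restrict(line):
    """Return (address, mask, flags) for a restrict line, else None."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    address, rest = tokens[1], tokens[2:]
    mask = "255.255.255.255"  # ntpd treats a maskless entry as a single host
    if len(rest) >= 2 and rest[0] == "mask":
        mask, rest = rest[1], rest[2:]
    return address, mask, set(rest)

def audit(conf_text, full_access_ok=("127.0.0.1",)):
    """Return [(address, mask, findings)] for every restrict line."""
    report = []
    for line in conf_text.splitlines():
        entry = parse_restrict(line)
        if entry is None:
            continue
        address, mask, flags = entry
        findings = []
        # "ignore" drops everything; sources in full_access_ok are meant to be open.
        if "ignore" not in flags and address not in full_access_ok:
            findings = [risk for flag, risk in MISSING_FLAG_RISK.items()
                        if flag not in flags]
        report.append((address, mask, findings))
    return report

if __name__ == "__main__":
    for address, mask, findings in audit(SAMPLE_CONF):
        print(address, mask, "; ".join(findings) or "ok")
```

The 192.168.1.0 entry is reported because, without noquery, ntpq / ntpdc queries are accepted from that subnet in addition to time requests.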
Complete the configuration file with the following entries:
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
keys /etc/ntp/keys
The entries above provide the following:
server:: Specifies that a server is running on the host (own local clock)
fudge:: Passes additional information to the clock driver
stratum 10:: Manually sets the Stratum the server should operate at (1-15)
driftfile:: Specifies the location of the file that holds calculated clock frequency offset
broadcastdelay:: Sets the propagation delay from the server when broadcasting
keys:: Store a list of keys needed for any cryptographic links
Admonition("Note","Stratum levels define the distance from the reference clock in the NTP hierarchy. Stratum 0 devices are reference clocks assumed to operate with very little or "zero" delay; they synchronize their clock to UTC over GPS, long wave radio, or similar links. They cannot be used on the network and are attached to Stratum 1 servers directly, for example through an RS-232 serial port. Stratum 1 servers provide time synchronization over network links to Stratum 2 servers and so on, to Stratum 15. The higher the Stratum level is, the less accurate the time source is, estimated to be in a range of 10 - 100 ms per Stratum level.")
Admonition("Tip","When determining the stratum of your server, first consider who you are providing time to. If you are only using the system for yourself and passing it on to a few workstations, then your stratum can be safely left at 10. If you are using the system for a large scale network, then plan your time servers and strata effectively.")
To start the NTP server, run:
su -c '/sbin/service ntpd start'
To enable the NTP server at boot time, run:
su -c '/sbin/chkconfig ntpd on'
By default, the ntpd daemon logs messages to the system log - /var/log/messages. The alternate log file may be specified in the ...and must be writable by
To test the proper operation of the NTP server, run:
The initial output of the command is similar to:
remote           refid            st t when poll reach   delay   offset  jitter
==============================================================================
220.127.116.11   .INIT.           16 u    -   64     0   0.000    0.000   0.000
18.104.22.168    .INIT.           16 u    -   64     0   0.000    0.000   0.000
22.214.171.124   .INIT.           16 u    -   64     0   0.000    0.000   0.000
127.127.1.0      .LOCL.           10 l    -   64     1   0.000    0.000   0.001
Running the same command again after a few seconds should produce the output similar to:
remote           refid            st t when poll reach   delay   offset  jitter
==============================================================================
126.96.36.199    188.8.131.52      3 u   20   64     1 208.157   14.189   0.001
184.108.40.206   220.127.116.11    2 u   20   64     1  22.891   13.406   0.001
18.104.22.168    22.214.171.124    2 u   20   64     1 145.721    8.078   0.001
127.127.1.0      .LOCL.           10 l   20   64     1   0.000    0.000   0.001
The above output shows a properly synchronised time server drawing from NTP pool allocated sources. Notice that the local server is running at a stratum of 10.
Admonition("Tip","The clients on the local network will not be able to use the service until the .LOCL. time is stable. This may take up to 15 minutes upon the start of the
man 8 ntpd
man 5 ntp.conf
man 5 ntp_acc
man 5 ntp_auth
man 5 ntp_mon
man 5 ntp_clock
man 5 ntp_misc