NTP Server Configuration

Introduction

Network Time Protocol (NTP) is a protocol for synchronising the clocks of computer systems over packet-switched, variable-latency data networks. A good description is available at http://en.wikipedia.org/wiki/Network_Time_Protocol.

The following guidance may help when configuring NTP on a Linux server.

My NTP Server Configuration

After experimentation I arrived at the following /etc/ntp.conf configuration file.

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
restrict 192.168.xxx.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server uk.pool.ntp.org
server ntp.nasa.gov

# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 10 (see the fudge line below). Since the server line does not have the
# prefer keyword, this driver is never used for synchronization unless no
# other synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server  127.127.1.0             # local clock; the fudge line below applies to it
fudge   127.127.1.0 stratum 10

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

# Log file.  Put this in a directory which the daemon can write to.
#
logfile /var/log/ntp/ntp.log

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict uk.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.nasa.gov mask 255.255.255.255 nomodify notrap noquery

Firewall Configuration

The firewall/port-blocking configuration also needs to be addressed.

NTP uses port 123. But does it require TCP as well as UDP to be opened in the firewall? Some sources say it is only necessary to open port 123 for UDP, others say both UDP and TCP: http://www.patton.com/support/faqs_detail.asp?id=88.

Problems that can be Encountered in the Configuration

Stratum Issues

Configuring the NTP server (service) can cause problems, as the following quoted email illustrates:

Date: Wed, 15 Oct 2003 10:40:09 -0400

I have installed RedHat 8.0 and I've been trying to use it as an NTP server for my switches. I configured the ntp.conf and it seems to be working as a daemon at least. First I have been trying to allow sync only for another machine with Windows XP, but when I try to sync from the XP machine (Home version) it tells me the following error message:

An error occurred while Windows was synchronizing with 10.1.52.39. The time sample was rejected because: The peer's stratum is less than the host's stratum.

I tried to sync XP with stratum 1 and stratum 2 public servers and it seems to work fine. My guess is that somehow the stratum of the Linux box is less than the Windows box requires. I want to change RedHat into a stratum 2 server so XP can sync from it.

I do not really care that much about the exact time, I just want to have the same time in my network. And maybe someone can give me a clue how to start the ntp daemon without having to connect to the internet, but just with the local clock.

The following is the ntp.conf file

server time.nist.gov
server 128.227.205.3
broadcast 10.255.255.255
restrict 127.0.0.1
restrict 10.1.52.37            # which is the name of XP machine
driftfile /etc/ntp/ntp.drift
resolver /etc/ntp/ntpres
keys /etc/ntp/ntp.keys
restrict default ignore

Here the difficulty turned out to be a stratum issue. The table of general links below contains useful references describing NTP servers and the concept of stratum 0, 1, etc.
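To make the restrict and stratum pitfalls in both configurations above checkable, here is an added audit script (written for this page, not taken from it or from any NTP project) that parses an ntp.conf and flags a restrict default missing the nomodify/notrap/noquery flags used above, upstream sources whose replies a "restrict default ignore" would silently drop, and a missing or low-stratum local-clock fallback. MAIL_CONF is a constructed input modelled on the quoted email's file.

```python
SAFE_DEFAULT = {"nomodify", "notrap", "noquery"}   # flags the page's config uses

def parse_ntp_conf(text):
    """Return (keyword, args) tuples; '#' comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_ntp_conf(text):
    """Return a list of findings for an ntp.conf; an empty list means nothing to report."""
    entries = parse_ntp_conf(text)
    findings = []
    defaults = [a for k, a in entries if k == "restrict" and a[:1] == ["default"]]
    flags = set(defaults[0][1:]) if defaults else set()
    if not defaults:
        findings.append("no 'restrict default' line: unlisted hosts get full access")
    elif "ignore" not in flags:                   # 'ignore' already drops everything
        for flag in sorted(SAFE_DEFAULT - flags):
            findings.append(f"'restrict default' lacks {flag}")
    sources = [a[0] for k, a in entries if k in ("server", "peer") and a]
    restricted = {a[0] for k, a in entries if k == "restrict" and a}
    for src in sources:
        # 127.127.t.u is a reference-clock driver, not a network source
        if "ignore" in flags and not src.startswith("127.127.") and src not in restricted:
            findings.append(f"replies from {src} are dropped by 'restrict default ignore'")
    fudge = {a[0]: a[1:] for k, a in entries if k == "fudge" and a}
    local = [s for s in sources if s.startswith("127.127.1.")]
    if "127.127.1.0" in fudge and not local:
        findings.append("fudge 127.127.1.0 has no matching 'server 127.127.1.0' line")
    if not local:
        findings.append("no local-clock fallback: stays at stratum 16 until an upstream syncs")
    for drv in local:
        args = fudge.get(drv, [])
        stratum = args[args.index("stratum") + 1] if "stratum" in args else "unset"
        if stratum == "unset" or int(stratum) < 10:
            findings.append(f"{drv} fudge stratum is {stratum}; the page's config uses 10")
    return findings

# Constructed input modelled on the mailing-list ntp.conf quoted above.
MAIL_CONF = """server time.nist.gov
server 128.227.205.3
restrict 127.0.0.1
restrict 10.1.52.37
restrict default ignore
"""
# audit_ntp_conf(MAIL_CONF) returns three findings: both upstream replies
# are dropped by the ignore default, and there is no local-clock fallback.
```

Run against the server's own /etc/ntp.conf the checks explain why a daemon can sit at stratum 16 (and why Windows clients then reject it) before touching the firewall.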


Problem Synchronizing Windows PCs to the NTP source

I found that I had problems getting my Windows XP PCs to synchronize off the Linux NTP server. In the end I had to resort to those WinXP boxes using the Samba time service off the Linux box. Such an approach is described in detail in using Samba on a NTP server to serve time.

Thus I modified the Samba configuration file /etc/samba/smb.conf as follows:

...
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
        workgroup = 
# Added 28/06/2006
        netbios name = 
        hide dot files = yes
        preserve case = yes
# server string is the equivalent of the NT Description field
        server string = My Samba Server (v%v)
# Added 17/12/2005
        time server = yes

The WinXP PCs on my LAN were then able to successfully synchronise to time off the Linux NTP server.


General Links

The following general links are useful references when setting up NTP:


URL  |  Summary/Description
http://www.ntp.isc.org/bin/view/Main/WebHome  |  The NTP Public Services Project
http://ntp.isc.org/bin/view/Support/WebHome  |  NTP Support Web
http://support.ntp.org/bin/view/Support/ConfiguringNTP  |  Configuring NTP
http://support.ntp.org/bin/view/Support/HowToCalibrateSystemClockUsingNTP  |  How to calibrate the system clock using NTP
http://www.eecis.udel.edu/~mills/database/brief/flow/ntp4.pdf  |  NTP Version 4 Core Protocol Specification
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server  |  Excellent site (and book) on Linux configuration in general, and in this chapter on NTP in particular
http://linuxreviews.org/howtos/ntp/#toc1  |  General HOWTOs site
http://gentoo-wiki.com/HOWTO_NTP  |  HOWTO_NTP wiki site
http://support.microsoft.com/kb/q307897/  |  How To Synchronize the Time with the Windows Time Service in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q223184  |  Registry entries for the W32Time service
http://tf.nist.gov/service/pdf/win2000xp.pdf  |  Configuring Windows 2000 and Windows XP to use NIST Time Servers
http://forums.whirlpool.net.au/forum-replies.cfm?t=179117&r=2527476&u=20568  |  There are some reports that the WinXP client is not reliable, and some advise that a freeware client is downloaded (or a batch script written) to do time synchronisation
http://www.endruntechnologies.com/stratum1.htm  |  What is Stratum 1?
http://www.eecis.udel.edu/~mills/ntp/clock2a.html  |  Public NTP Secondary (stratum 2) Time Servers
http://www-uxsup.csx.cam.ac.uk/ntp/stratum4.html  |  Configuring a Stratum 4 Client
http://tldp.org/HOWTO/TimePrecision-HOWTO/ntp.html  |  Accurate Global Time Synchronization
http://www.cameratim.com/computing/linux/time-serving  |  Time serving on a Linux LAN
http://www.brennan.id.au/09-Network_Time_Protocol.html  |  Network Time Protocol