Solved

Setting up an NTP server on Debian Woody

Posted on 2004-08-03
Last Modified: 2009-07-29
Hi

I currently have a handful of hosts on my network synchronising time using my ISP's ntp server and the ntpdate command via cron.

I would like to run my own ntp server on a Debian Woody server.

What configuration would I need to make in ntp.conf to achieve this? This server needs to continue to get time from my ISP, but also act as an ntp server for clients on my LAN.


Gareth
Question by:localgareth
 
LVL 20

Expert Comment

by:Gns
ID: 11702722
Basically you just need to set
server <name_of_ISP_ntp_server_or_its_IP-Address>
and perhaps (if you have any local firewall) allow connections to the ntp port (123).
Then you do the same setup on all the other hosts, but (of course) using your main ntp servers name_or_IP... Using ntpdate from cron _might_ be OK, but ntp is really designed to run like this... So why not do so;-)

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11702780
Hi Glenn

So any host taking its time from a ntp server also acts as an ntp server itself?


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702792
Oh, and there might be other things you _could_ set, but really none that you _need_ set.
If you want to have the main server poll more timesources, just add another server line... It'll be smart enough to extract the best possible time.
If you want two servers to act as timesource fallbacks for each other, you can also set them to poll different servers on the net (or perhaps a GPS clock or somesuch) and then have them be "peer other_server"... And the clients would then have these two as servers... But you really don't need anything more complex than the first for "fairly certain within the second" accuracy.
You can check the message file that it starts syncing (after changing the config and restarting ntpd) and perhaps poll ISP ntpd and your ntpd with ntpdate during a day to see that it works OK.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702833
Ah crossing posts.
Basically "yes".
Unless you tell it otherwise.
Things to be aware of is the "stratum"... This is a factor that determines how good the time really is... A stratum 1 has its own atomic clock, while a stratum 2 asks one or more stratum 1 etc. Your server will likely have a rather low stratum, so ... if the "client servers" think they have a higher stratum, they will not take the time from your server.
But usually this is not a problem (and the logs will show if it is a problem for you).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702859
"rather low stratum" meaning a rather high value ... 10-16 depending on what the ISPs ntp stratum would be and ... well some other stuff.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702886
IIRC, the default config would lead to a client thinking itself to be the lowliest beast possible... stratum 16. So it shouldn't be a problem.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11703194
Glenn, thanks for the tips.

I think I've broken something now :-(

My ntp server has the following config...

# /etc/ntp.conf, configuration for ntpd
logfile /var/log/ntp/ntpd
driftfile /etc/ntp.drift
statsdir /var/log/ntp/
server ntp.demon.co.uk

I start the daemon, using /etc/init.d/ntp-server start

But when I run 'ntpdate 10.253.253.48' from a host on my network... I get '3 Aug 12:39:16 ntpdate[15036]: no server suitable for synchronization found'.

Any ideas?


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11703580
It might take a couple of minutes for it to "rev up its engine", so try again and see what you get.
Also, check the message log for any messages from ntpd, or the /var/log/ntp/ntpd file.

As an example, here's a working ntp.conf from my central server:
# Scam for local machines clock
fudge   127.127.1.0 stratum 10
# Servers on the internet
server ifi.uio.no
server ntp.lth.se version 3
# driftfile
driftfile /etc/ntp/drift
# Don't use authentication... It's a protected LAN
authenticate no
# Don't ask why I have a keyfile:-)
keys            /etc/ntp/keys
# End of ntp.conf

As you can see, I'm using two nice and close (to me) stratum 2 servers, where the second (ntp.lth.se) uses version 3 of the protocol. You might need that for your ISP's ntp too.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11703605
Oh, and it goes without saying (I guess) that the directory /var/log/ntp needs to exist in your case.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704160
Hi Glenn

If I look in my syslog file, it seems to synchronize okay.

root@telesto:/var/log# tail syslog | grep ntpd
Aug  3 13:14:18 telesto ntpd[28372]: synchronized to 194.168.4.76, stratum 3

I've tried to telnet localhost 123, but I get connection refused - is this normal?

Gareth
ps.. I have got /var/log/ntp :-)
0
 
LVL 20

Expert Comment

by:Gns
ID: 11704227
Yes, it's normal. NTP usually uses UDP, not TCP, on port 123 so... no telnet.

Good that it syncs OK... Do try the ntpdate again, it might just have been a timing (!:-) issue.

If that doesn't help, try adding the
authenticate no
line to /etc/ntp.conf and restart ntpd.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704323
Tried that... still nothing.

I've just tried (from a host) ntpdate'ing to my ISP server...

earth:/etc/init.d # ntpdate ntp.demon.co.uk
 3 Aug 14:43:51 ntpdate[13596]: adjust time server 158.152.1.76 offset 0.000032 sec

This works - so at least it proves a firewall isn't the problem!

earth:/etc/init.d # ntpdate time.galaxy.tbs
 3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11704603
> This works - so atleast it proves a firewall isn't the problem!
Eh, I was thinking more like an iptables (netfilter) or ipchains FW local to your ntp-server.
iptables -L
might show something.

Do you get anything in the logs when you do the (failed) ntpdate? Including auth and/or syslog?

> earth:/etc/init.d # ntpdate time.galaxy.tbs
>  3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found
Might indicate a stratum problem... "suitable" being the key word. Try adding the "fudge" line, exactly as above.

Ok, I'm going to test a bit on my dusty ol' woody, and see what shakes.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704756
iptables -L shows accept for all chains, and no other rules - this is the same on both my (broken) time server and my hosts.

Don't get anything in the logs when a client tries to connect... I did get a message in syslog...

Aug  3 14:39:21 telesto ntpd[28881]: configure: keyword "authenticate" unknown

... so took that back out.

I'll try adding the fudge line :-)


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11705177
Ok, I've some preliminary findings as of yet... As most things with woody, it's a somewhat "dusty" version of ntp. You might have a lot of "synchronization lost" entries in /var/log/daemon.log or /var/log/syslog ... which would explain why it can't act as a server.

... Looking further....

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11706321
Ok, setting the fudge line like
fudge 127.127.1.0 stratum 10
restarting ntp, then letting it be for the interval between my last message and this one fixed it for my old woody...
It _might_ have worked with earlier configs too, if I'd been patient enough:-).

-- Glenn
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11709280
I had this same problem (no server suitable for syn..), turned out that in ntp.conf I used the setting multicastclient.
Comment that one out, worked for me
0
 

Author Comment

by:localgareth
ID: 11709697
Glenn...

I've not made any config changes for a couple of hours, and just decided to check back and test the ntpdate command from a client on my network... and it worked!!! But when I restarted ntp-server, the client can no longer synchronise... and gets the same error message.

I guess I need to see how long before it magically starts working.


Gareth
0
 

Author Comment

by:localgareth
ID: 11713041
Glenn

Again, this morning it's all working fine... restart the service and it doesn't work.

Could this just be usual behaviour?


Gareth
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11713759
Since Glenn seems to be out for the moment:

Yes this is usual behaviour. It might take a couple of minutes to get accurate readings from the up-stream timeserver. During that time you will not be able to synchronize to the current server.
0
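Added example (not code from the thread, and not ntpdate's own source): ntpdate's "no server suitable for synchronization found" is printed when the replies it got back all fail a sanity check, which is why it shows up right after a restart and disappears a few minutes later. A freshly started ntpd answers with leap indicator 3 (clock not synchronised) and stratum 16 until it has collected enough samples from its upstream; that is the "suitable" keyword Glenn pointed at and the 6 to 8 minute delay Gareth measured. The code below decodes a 48-byte NTP packet (UDP port 123, the reason telnet gets "connection refused") and applies a simplified version of those checks to two constructed replies: one from a just-restarted daemon, one from the same daemon after it locked on to the ISP at stratum 3 with reference ID 194.168.4.76 (the address in Gareth's syslog line). Packet bytes, timestamps, root delay and the 1.5 s root-distance limit are assumptions for the example; nothing is sent on the network.

```python
"""Decode an NTP reply and apply a "suitable for synchronization" test.

Added example, not code from the thread. The check list is a simplified
model of what ntpdate does, not a copy of its source. Every packet here is
constructed in memory.
"""
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
LEAP_NOTINSYNC = 3              # "alarm condition": server clock not synchronised
STRATUM_UNSPEC = 16             # ntpd reports this until its first sync
MAX_ROOT_DISTANCE = 1.5         # seconds; assumed sanity limit for this example


def to_ntp_timestamp(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_packet(leap, version, mode, stratum, root_delay=0.0,
                 root_dispersion=0.0, refid=b"\0\0\0\0", transmit=0.0):
    """Serialise a 48-byte NTP packet (RFC 1305 / RFC 5905 header layout)."""
    li_vn_mode = (leap << 6) | (version << 3) | mode
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    roots = struct.pack("!iI", int(root_delay * 65536), int(root_dispersion * 65536))
    stamps = struct.pack("!QQQQ", 0, 0, 0, to_ntp_timestamp(transmit))  # ref, orig, recv, xmt
    return header + roots + refid + stamps


def build_client_request(now, version=3):
    """Mode-3 client request like ntpdate sends; version 3 is an assumption here."""
    return build_packet(leap=0, version=version, mode=3, stratum=0, transmit=now)


def decode(packet):
    """Parse the fields the suitability check needs from a raw packet."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBbb", packet[:4])
    root_delay, root_dispersion = struct.unpack("!iI", packet[4:12])
    _ref, _orig, _recv, xmt = struct.unpack("!QQQQ", packet[16:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "root_delay": root_delay / 65536.0,
        "root_dispersion": root_dispersion / 65536.0,
        "refid": packet[12:16],
        "transmit_raw": xmt,
    }


def refid_text(reply):
    """Reference ID: a text tag at stratum 0, 1 and 16; the upstream IPv4 address otherwise."""
    if reply["stratum"] in (0, 1) or reply["stratum"] >= STRATUM_UNSPEC:
        return reply["refid"].rstrip(b"\0").decode("ascii", "replace")
    return socket.inet_ntoa(reply["refid"])


def unsuitable_reason(reply):
    """None if the reply passes every check, otherwise the first failing check."""
    if reply["mode"] not in (2, 4):           # symmetric passive or server reply
        return "not a server reply (mode %d)" % reply["mode"]
    if reply["leap"] == LEAP_NOTINSYNC:
        return "leap indicator 3: server clock not synchronised"
    if reply["stratum"] == 0 or reply["stratum"] >= STRATUM_UNSPEC:
        return "stratum %d: no usable time source" % reply["stratum"]
    if reply["transmit_raw"] == 0:
        return "zero transmit timestamp"
    if reply["root_delay"] / 2 + reply["root_dispersion"] > MAX_ROOT_DISTANCE:
        return "root distance exceeds %.1f s" % MAX_ROOT_DISTANCE
    return None


# Constructed replies. Transmit time is 2004-08-03 13:14:18 UTC, the syslog line's time.
XMT = 1091538858.0
# Seconds after "/etc/init.d/ntp-server restart": not yet synchronised, refid "INIT".
FRESH_RESTART_REPLY = build_packet(leap=3, version=3, mode=4, stratum=16,
                                   refid=b"INIT", transmit=XMT)
# After locking on to the ISP at stratum 3; refid is the upstream 194.168.4.76.
SYNCED_REPLY = build_packet(leap=0, version=3, mode=4, stratum=3,
                            root_delay=0.031, root_dispersion=0.012,
                            refid=socket.inet_aton("194.168.4.76"), transmit=XMT)

if __name__ == "__main__":
    for name, pkt in (("just restarted", FRESH_RESTART_REPLY), ("synchronised", SYNCED_REPLY)):
        r = decode(pkt)
        print("%-15s stratum %2d refid %-13s -> %s" % (
            name, r["stratum"], refid_text(r), unsuitable_reason(r) or "suitable"))
```

Running it prints the restarted daemon as rejected for "leap indicator 3" and the synchronised one as suitable; on a real Woody box the same transition is what `ntpdate -q <server>` shows before and after the warm-up period, with no config change in between.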
 

Author Comment

by:localgareth
ID: 11713875
de2... How long is usual, is this documented anywhere?


Gareth
0
 
LVL 20

Accepted Solution

by:
Gns earned 350 total points
ID: 11714076
(Well, 'scuse me for being home sleeping:-):-)
Yes, one should be able to determine this (from the very voluminous and explicit docs, if nowhere else:-), but... One really doesn't need to!
You'll probably have "good enough" time to survive being without a true timesource for at least a couple of hours, especially once all clocks have been brought ... "close". If time is supercritical (perhaps due to some scientific calcs/equipment, or some distributed RT requirements ... or similar) you could probably not live with it, but for good synchronized "office" time... you'll be fine.
And the good part is that they will start syncing ASAP as the readings are good.

To me, ntp is one of those "setup-and-almost-forget" type of services, since the protocols and tools have been intelligently designed;). It's been rocksolid for years for me, and a host of others around the globe... A good reason to keep a couple of linux servers on the LAN, that are so lightly loaded ('cause NTP really doesn't stress any normal semi-modern machine at all) that you can use them for any _other_ task you like... File/printservers perhaps?

Let us know if you have any more problems, setting up the rest of the servers.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11714203
Hi Glenn

I didn't know techies needed sleep!?! hehe.

Well... I think I can live with the delay :-) It seems to be between 6 and 8 minutes, so it's nothing major.

I've now set up my other clients to get their time from my main time server... however, I don't want these clients to also act as servers - it just seems unnecessary.

How would I set a client only mode in ntp.conf?


Gareth
... points for this question increased to 500 :-)


0
 
LVL 20

Expert Comment

by:Gns
ID: 11714322
Um, again... Does it really matter? ntp is rather safe as it is...
But if you'd like to be supersure, just set your local firewall ('cause if you deem NTP to be a security risk, you _really_ should have a local FW on every machine) to block "incoming" ntp requests.
If you have a moderately safe LAN (protected from everything but the users;-), I wouldn't bother:-)

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11714344
Guess it doesn't *really* matter... just thought it was better not to have services accessible to other hosts that aren't needed.

I don't want to start installing and configuring iptables for this, I had hoped there would be a configuration entry that could be used in ntp.conf.


Gareth
0
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 150 total points
ID: 11714365
To block incoming requests you can also state (in the ntp.conf that is):

restrict default ignore
restrict <server> mask 255.255.255.255 nomodify notrap noquery

additional restrict lines can be used to open the service to more remote machines.

0
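Added example (not code from the thread, and not ntpd's own implementation) covering both the original question (one ntp.conf that takes time from the ISP and serves the LAN) and the `restrict` lines in the answer above. ntpd applies the most specific restrict entry (longest mask) whose network contains a packet's source address, and that entry's flags decide what the sender may do. Two caveats a practitioner needs with `restrict default ignore`: the replies from the upstream server are also subject to it, so each address the ISP name resolves to must get its own `restrict <addr> mask 255.255.255.255 ...` line (this thread alone shows ntp.demon.co.uk as both 194.168.4.76 and 158.152.1.76), and `ntpq`/`ntpdc` on the box itself need a `restrict 127.0.0.1` line or they get no answer either. The two ntp.conf texts below are constructed for the example, one for the LAN server and one client-only variant of the kind Gareth asked for; the model ignores IPv6 and the flags it does not name.

```python
"""Model ntpd 'restrict' matching for a LAN-facing ntp.conf.

Added example, not code from the thread and not ntpd's own logic. Both
configuration texts are constructed; the addresses come from the thread.
"""
import ipaddress

# Constructed ntp.conf for the LAN server: client of the ISP, server to
# 10.253.253.0/24, silent to everyone else.
SERVER_CONF = """\
# /etc/ntp.conf, configuration for ntpd (constructed sample)
driftfile /etc/ntp.drift
server ntp.demon.co.uk

# Drop every packet whose source matches nothing more specific below.
restrict default ignore
# Let ntpq/ntpdc on the server itself talk to the daemon.
restrict 127.0.0.1
# The ISP server: accept its replies, but it may neither query nor modify us.
# Each address the server name resolves to needs its own line.
restrict 158.152.1.76 mask 255.255.255.255 nomodify notrap noquery
restrict 194.168.4.76 mask 255.255.255.255 nomodify notrap noquery
# LAN clients get time and may query status but cannot change runtime config.
restrict 10.253.253.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed client-only ntp.conf for a LAN host: nobody but the LAN time
# server is answered, so the host does not act as a server itself.
CLIENT_ONLY_CONF = """\
driftfile /etc/ntp.drift
server 10.253.253.48
restrict default ignore
restrict 10.253.253.48 mask 255.255.255.255 nomodify notrap noquery
"""


def parse_restrict(conf_text):
    """Return [(network, frozenset(flags))] for each 'restrict' line, in file order."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] != "restrict":
            continue
        target, rest = words[1], words[2:]
        mask = "255.255.255.255"          # a bare address means a single host
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        if target == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            network = ipaddress.ip_network("%s/%s" % (target, mask), strict=False)
        entries.append((network, frozenset(rest)))
    return entries


def applicable_flags(entries, source_ip):
    """Flags of the most specific entry containing source_ip; empty when nothing matches."""
    ip = ipaddress.ip_address(source_ip)
    best_net, best_flags = None, frozenset()
    for network, flags in entries:
        if ip in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_flags = network, flags
    return best_flags


def serves_time(entries, source_ip):
    """True when ntpd would answer a time request (mode 3 client packet) from source_ip."""
    return not ({"ignore", "noserve"} & applicable_flags(entries, source_ip))


def answers_queries(entries, source_ip):
    """True when mode 6/7 status queries (ntpq, ntpdc) from source_ip are answered."""
    return not ({"ignore", "noquery"} & applicable_flags(entries, source_ip))


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client-only", CLIENT_ONLY_CONF)):
        entries = parse_restrict(conf)
        print("== %s ==" % label)
        for who in ("10.253.253.48", "10.253.253.50", "158.152.1.76", "127.0.0.1", "192.168.1.5"):
            print("%-15s flags=%-26s time=%-5s queries=%s" % (
                who, ",".join(sorted(applicable_flags(entries, who))) or "-",
                serves_time(entries, who), answers_queries(entries, who)))
```

The client-only table makes the trade-off visible: with only the two lines from the answer, 127.0.0.1 is ignored too, so `ntpq -p` on that client stops working until a `restrict 127.0.0.1` line is added.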
 
LVL 20

Expert Comment

by:Gns
ID: 11714777
Yes de2Zotjes, thanks for jogging my memory(:-), still... if one deems this necessary, a firewall is never wrong.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11717256
Guys... thanks for all your help.


Gareth
 
0
