Setting up an NTP server on Debian Woody

Posted on 2004-08-03
Last Modified: 2009-07-29
Hi

I currently have a handful of hosts on my network synchronising time using my ISP's ntp server and the ntpdate command via cron.

I would like to run my own ntp server on a Debian Woody server.

What configuration would I need to make in ntp.conf to achieve this? This server needs to continue to get time from my ISP, but also act as an ntp server for clients on my LAN.


Gareth
0
Question by:localgareth
28 Comments
 
LVL 20

Expert Comment

by:Gns
ID: 11702722
Basically you just need set
server <name_of_ISP_ntp_server_or_its_IP-Address>
and perhaps (if you have any local firewall) allow connections to the ntp port (123).
Then you do the same setup on all the other hosts, but (of course) using your main ntp server's name_or_IP... Using ntpdate from cron _might_ be OK, but ntp is really designed to run like this... So why not do so;-)

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11702780
Hi Glenn

So any host taking its time from a ntp server also acts as an ntp server itself?


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702792
Oh, and there might be other things you _could_ set, but really none that you _need_ set.
If you want to have the main server poll more timesources, just add another server line... It'll be smart enough to extract the best possible time.
If you want two servers to act as timesource fallbacks for each other, you can also set them to poll different servers on the net (or perhaps a GPS clock or somesuch) and then have them be "peer other_server"... And the clients would then have these two as servers... But you really don't need anything more complex than the first for "fairly certain within the second" accuracy.
You can check the message file that it starts syncing (after changing the config and restarting ntpd) and perhaps poll ISP ntpd and your ntpd with ntpdate during a day to see that it works OK.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702833
Ah crossing posts.
Basically "yes".
Unless you tell it otherwise.
One thing to be aware of is the "stratum"... This is a factor that determines how good the time really is... A stratum 1 has its own atomic clock, while a stratum 2 asks one or more stratum 1 etc. Your server will likely have a rather low stratum, so ... if the "client servers" think they have a higher stratum, they will not take the time from your server.
But usually this is not a problem (and the logs will show if it is a problem for you).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702859
"rather low stratum" meaning a rather high value ... 10-16 depending on what the ISPs ntp stratum would be and ... well some other stuff.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11702886
IIRC, the default config would lead to a client thinking itself to be the lowliest beast possible... stratum 16. So it shouldn't be a problem.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11703194
Glenn, thanks for the tips.

I think I've broken something now :-(

My ntp server has the following config...

# /etc/ntp.conf, configuration for ntpd
logfile /var/log/ntp/ntpd
driftfile /etc/ntp.drift
statsdir /var/log/ntp/
server ntp.demon.co.uk

I start the daemon, using /etc/init.d/ntp-server start

But when I run 'ntpdate 10.253.253.48' from a host on my network... I get '3 Aug 12:39:16 ntpdate[15036]: no server suitable for synchronization found'.

Any ideas?


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11703580
It might take a couple of minutes for it to "rev up its engine", so try again and see what you get.
Also, check the message log for any messages from ntpd, or the /var/log/ntp/ntpd file.

As an example, here's a working ntp.conf from my central server:
# Scam for local machines clock
fudge   127.127.1.0 stratum 10
# Servers on the internet
server ifi.uio.no
server ntp.lth.se version 3
# driftfile
driftfile /etc/ntp/drift
# Don't use authentication... It's a protected LAN
authenticate no
# Don't ask why I have a keyfile:-)
keys            /etc/ntp/keys
# End of ntp.conf

As you can see, I'm using two nice and close (to me) stratum 2 servers, where the second (ntp.lth.se) uses version 3 of the protocol. You might need that for your ISP's ntp too.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11703605
Oh, and it goes without saying (I guess) that the directory /var/log/ntp need exist in your case.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704160
Hi Glenn

If I look in my syslog file, it seems to synchronize okay.

root@telesto:/var/log# tail syslog | grep ntpd
Aug  3 13:14:18 telesto ntpd[28372]: synchronized to 194.168.4.76, stratum 3

I've tried to telnet localhost 123, but I get connection refused - is this normal?

Gareth
ps.. I have got /var/log/ntp :-)
0
 
LVL 20

Expert Comment

by:Gns
ID: 11704227
Yes, it's normal. NTP usually uses UDP, not TCP port 123 so... no telnet.

Good that it syncs OK... Do try the ntpdate again, it might just have been a timing (!:-) issue.

If that doesn't help, try adding the
authenticate no
line to /etc/ntp.conf and restart ntpd.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704323
Tried that... still nothing.

I've just tried (from a host) ntpdate'ing to my ISP server...

earth:/etc/init.d # ntpdate ntp.demon.co.uk
 3 Aug 14:43:51 ntpdate[13596]: adjust time server 158.152.1.76 offset 0.000032 sec

This works - so at least it proves a firewall isn't the problem!

earth:/etc/init.d # ntpdate time.galaxy.tbs
 3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11704603
> This works - so atleast it proves a firewall isn't the problem!
Eh, I was thinking more like an iptables (netfilter) or ipchains FW local to your ntp-server.
iptables -L
might show something.

Do you get anything in the logs when you do the (failed) ntpdate? Including auth and/or syslog?

> earth:/etc/init.d # ntpdate time.galaxy.tbs
>  3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found
Might indicate a stratum problem... "suitable" being the key word. Try adding the "fudge" line, exactly as above.

Ok, I'm going to test a bit on my dusty ol' woody, and see what shakes.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11704756
iptables -L shows accept for all chains, and no other rules - this is the same on both my (broken) time server and my hosts.

Don't get anything in the logs when a client tries to connect... I did get a message in syslog...

Aug  3 14:39:21 telesto ntpd[28881]: configure: keyword "authenticate" unknown

... so took that back out.

I'll try adding the fudge line :-)


Gareth
0
 
LVL 20

Expert Comment

by:Gns
ID: 11705177
Ok, I've some preliminary findings as of yet... As most things with woody, it's a somewhat "dusty" version of ntp. You might have a lot of "synchronization lost" entries in /var/log/daemon.log or /var/log/syslog ... which would explain why it can't act as a server.

... Looking further....

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11706321
Ok, setting the fudge line like
fudge 127.127.1.0 stratum 10
restarting ntp, then letting it be for the interval between my last message and this one fixed it for my old woody...
It _might_ have worked with earlier configs too, if I'd been patient enough:-).

-- Glenn
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11709280
I had this same problem (no server suitable for syn..), turned out that in ntp.conf I used the setting multicastclient.
Comment that one out, worked for me
0
 

Author Comment

by:localgareth
ID: 11709697
Glenn...

I've not made any config changes for a couple of hours, and just decided to check back and test the ntpdate command from a client on my network... and it worked!!! But when I restarted ntp-server, the client can no longer synchronise... and gets the same error message.

I guess I need to see how long before it magically starts working.


Gareth
0
 

Author Comment

by:localgareth
ID: 11713041
Glenn

Again, this morning it's all working fine... restart the service and it doesn't work.

Could this just be usual behaviour?


Gareth
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11713759
Since Glenn seems to be out for the moment:

Yes this is usual behaviour. It might take a couple of minutes to get accurate readings from the up-stream timeserver. During that time you will not be able to synchronize to the current server.
0
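The start-up delay described in the answer above is visible on the wire: a freshly restarted ntpd answers with leap indicator 3 and stratum 0 until it has selected a source, and a one-shot client discards such replies. The following is an added example, not code from any participant in this thread; it decodes those header fields and applies a simplified form of that acceptance check. The two sample packets are constructed, and the function names are illustrative.

```python
import socket
import struct

LEAP_NOTINSYNC = 3   # leap indicator value meaning "clock not synchronized"
MAX_STRATUM = 15     # an unsynchronized server sends stratum 0 on the wire

def parse_header(packet: bytes) -> dict:
    """Decode the first two bytes of an NTP packet (a full header is 48 bytes)."""
    if len(packet) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(packet))
    flags, stratum = struct.unpack("!BB", packet[:2])
    return {
        "leap": flags >> 6,             # top 2 bits
        "version": (flags >> 3) & 0x7,  # next 3 bits
        "mode": flags & 0x7,            # 4 = server reply
        "stratum": stratum,
    }

def suitable(packet: bytes) -> bool:
    """True if a one-shot client could use this reply as a time source (simplified)."""
    h = parse_header(packet)
    return (h["mode"] == 4
            and h["leap"] != LEAP_NOTINSYNC
            and 1 <= h["stratum"] <= MAX_STRATUM)

def query(host: str, timeout: float = 2.0) -> bytes:
    """Send one client request (version 3, mode 3) to UDP port 123, return the reply."""
    request = bytes([(0 << 6) | (3 << 3) | 3]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        return s.recvfrom(512)[0]

# Constructed sample replies; only the first two bytes carry meaning here.
# Server just restarted: LI=3, VN=3, mode=4, stratum 0.
JUST_RESTARTED = bytes([(3 << 6) | (3 << 3) | 4, 0]) + bytes(46)
# Server synchronized to a stratum 3 source: LI=0, VN=3, mode=4, stratum 4.
SYNCHRONIZED = bytes([(0 << 6) | (3 << 3) | 4, 4]) + bytes(46)

if __name__ == "__main__":
    for name, pkt in (("just restarted", JUST_RESTARTED),
                      ("synchronized", SYNCHRONIZED)):
        verdict = "suitable" if suitable(pkt) else "not suitable"
        print(name, parse_header(pkt), verdict)
```

Passing the result of `query("10.253.253.48")` to `parse_header` on a LAN host shows the same fields for the live server.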
 

Author Comment

by:localgareth
ID: 11713875
de2... How long is usual, is this documented anywhere?


Gareth
0
 
LVL 20

Accepted Solution

by:
Gns earned 1400 total points
ID: 11714076
(Well, 'scuse me for being home sleeping:-):-)
Yes, one should be able to determine this (from the very voluminous and explicit docs, if nowhere else:-), but... One really doesn't need to!
You'll probably have "good enough" time to survive being without a true timesource for at least a couple of hours, especially once all clocks have been brought ... "close". If time is supercritical (perhaps due to some scientific calcs/equipment, or some distributed RT requirements ... or similar) you could probably not live with it, but for good synchronized "office" time... you'll be fine.
And the good part is that they will start syncing ASAP as the readings are good.

To me, ntp is one of those "setup-and-almost-forget" type of services, since the protocols and tools have been intelligently designed;). It's been rocksolid for years for me, and a host of others around the globe... A good reason to keep a couple of linux servers on the LAN, that are so lightly loaded ('cause NTP really doesn't stress any normal semi-modern machine at all) that you can use them for any _other_ task you like... File/printservers perhaps?

Let us know if you have any more problems, setting up the rest of the servers.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11714203
Hi Glenn

I didn't know techies needed sleep!?! hehe.

Well... I think I can live with the delay :-) It seems to be between 6 and 8 minutes, so it's nothing major.

I've now setup my other clients to get their time from my main time server... however, I don't want these clients to also act as servers - it just seems unnecessary.

How would I set a client only mode in ntp.conf?


Gareth
... points for this question increased to 500 :-)


0
 
LVL 20

Expert Comment

by:Gns
ID: 11714322
Um, again... Does it really matter? ntp is rather safe as it is...
But if you'd like to be supersure, just set your local firewall ('cause if you deem NTP to be a security risk, you _really_ should have a local FW on every machine) to block "incoming" ntp requests.
If you have a moderately safe LAN (protected from everything but the users;-), I wouldn't bother:-)

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11714344
Guess it doesn't *really* matter... just thought it was better not to have services accessible to other hosts that aren't needed.

I don't want to start installing and configuring iptables for this, I had hoped there would be a configuration entry that could be used in ntp.conf.


Gareth
0
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 600 total points
ID: 11714365
To block incoming requests you can also state (in the ntp.conf that is):

restrict default ignore
restrict <server> mask 255.255.255.255 nomodify notrap noquery

additional restrict lines can be used to open the service to more remote machines.

0
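How the restrict lines in the answer above are evaluated, as an added example that is not code from any participant in this thread: ntpd applies the flags of the most specific matching restrict entry, so the host entry overrides `default ignore`. The sample config is constructed, using the LAN time server address 10.253.253.48 from earlier in the thread in place of `<server>`; the `restrict 127.0.0.1` line is an assumption added so that local queries are not ignored.

```python
import ipaddress

def parse_restrict(conf: str):
    """Return [(network, flags)] for the 'restrict' lines of an ntp.conf (IPv4 only)."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"          # a bare address is a single host
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, set(rest)))
    return rules

def flags_for(rules, source: str):
    """Flags of the most specific entry matching source, or None if nothing matches."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def served_time(rules, source: str) -> bool:
    """True if packets from source are processed for time service."""
    flags = flags_for(rules, source)
    return flags is None or not ({"ignore", "noserve"} & flags)

# Constructed client-only configuration based on the answer above.
CLIENT_CONF = """
restrict default ignore
restrict 10.253.253.48 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1   # assumption: keep local ntpq usable
"""

if __name__ == "__main__":
    rules = parse_restrict(CLIENT_CONF)
    # 10.253.253.50 is a constructed address standing in for another LAN host.
    for src in ("10.253.253.48", "10.253.253.50", "127.0.0.1"):
        print(src, "time" if served_time(rules, src) else "ignored",
              sorted(flags_for(rules, src)))
```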
 
LVL 20

Expert Comment

by:Gns
ID: 11714777
Yes de2Zotjes, thanks for jogging my memory(:-), still... if one deems this necessary, a firewall is never wrong.

-- Glenn
0
 

Author Comment

by:localgareth
ID: 11717256
Guys... thanks for all your help.


Gareth
 
0

Question has a verified solution.
