  • Status: Solved
  • Priority: Medium
  • Security: Public

Setting up an NTP server on Debian Woody

Hi

I currently have a handful of hosts on my network synchronising time using my ISP's ntp server and the ntpdate command via cron.

I would like to run my own ntp server on a Debian Woody server.

What configuration would I need to make in ntp.conf to achieve this? This server needs to continue to get time from my ISP, but also act as an ntp server for clients on my LAN.


Gareth
2 Solutions
 
Gns Commented:
Basically you just need to set
server <name_of_ISP_ntp_server_or_its_IP-Address>
and perhaps (if you have any local firewall) allow connections to the ntp port (123).
Then you do the same setup on all the other hosts, but (of course) using your main ntp server's name_or_IP... Using ntpdate from cron _might_ be OK, but ntp is really designed to run like this... So why not do so;-)

-- Glenn

localgareth (Author) Commented:
Hi Glenn

So any host taking its time from a ntp server also acts as an ntp server itself?


Gareth

Gns Commented:
Oh, and there might be other things you _could_ set, but really none that you _need_ to set.
If you want to have the main server poll more time sources, just add another server line... It'll be smart enough to extract the best possible time.
If you want two servers to act as time source fallbacks for each other, you can also set them to poll different servers on the net (or perhaps a GPS clock or some such) and then have them be "peer other_server"... And the clients would then have these two as servers... But you really don't need anything more complex than the first for "fairly certain within the second" accuracy.
You can check the message file that it starts syncing (after changing the config and restarting ntpd) and perhaps poll the ISP ntpd and your ntpd with ntpdate during a day to see that it works OK.

-- Glenn

Gns Commented:
Ah crossing posts.
Basically "yes".
Unless you tell it otherwise.
Something to be aware of is the "stratum"... This is a factor that determines how good the time really is... A stratum 1 has its own atomic clock, while a stratum 2 asks one or more stratum 1 etc. Your server will likely have a rather low stratum, so ... if the "client servers" think they have a higher stratum, they will not take the time from your server.
But usually this is not a problem (and the logs will show if it is a problem for you).

-- Glenn

Gns Commented:
"rather low stratum" meaning a rather high value ... 10-16 depending on what the ISP's ntp stratum would be and ... well some other stuff.

-- Glenn

Gns Commented:
IIRC, the default config would lead to a client thinking itself to be the lowliest beast possible... stratum 16. So it shouldn't be a problem.

-- Glenn

localgareth (Author) Commented:
Glenn, thanks for the tips.

I think I've broken something now :-(

My ntp server has the following config...

# /etc/ntp.conf, configuration for ntpd
logfile /var/log/ntp/ntpd
driftfile /etc/ntp.drift
statsdir /var/log/ntp/
server ntp.demon.co.uk

I start the daemon, using /etc/init.d/ntp-server start

But when I run 'ntpdate 10.253.253.48' from a host on my network... I get '3 Aug 12:39:16 ntpdate[15036]: no server suitable for synchronization found'.

Any ideas?


Gareth

Gns Commented:
It might take a couple of minutes for it to "rev up its engine", so try again and see what you get.
Also, check the message log for any messages from ntpd, or the /var/log/ntp/ntpd file.

As an example, here's a working ntp.conf from my central server:
# Scam for local machines clock
fudge   127.127.1.0 stratum 10
# Servers on the internet
server ifi.uio.no
server ntp.lth.se version 3
# driftfile
driftfile /etc/ntp/drift
# Don't use authentication... It's a protected LAN
authenticate no
# Don't ask why I have a keyfile:-)
keys            /etc/ntp/keys
# End of ntp.conf

As you can see, I'm using two nice and close (to me) stratum 2 servers, where the second (ntp.lth.se) uses version 3 of the protocol. You might need that for your ISP's ntp too.

-- Glenn

Gns Commented:
Oh, and it goes without saying (I guess) that the directory /var/log/ntp needs to exist in your case.

-- Glenn

localgareth (Author) Commented:
Hi Glenn

If I look in my syslog file, it seems to synchronize okay.

root@telesto:/var/log# tail syslog | grep ntpd
Aug  3 13:14:18 telesto ntpd[28372]: synchronized to 194.168.4.76, stratum 3

I've tried to telnet localhost 123, but I get connection refused - is this normal?

Gareth
PS: I have got /var/log/ntp :-)

Gns Commented:
Yes, it's normal. NTP usually uses UDP, not TCP, on port 123 so... no telnet.

Good that it syncs OK... Do try the ntpdate again, it might just have been a timing (!:-) issue.

If that doesn't help, try adding the
authenticate no
line to /etc/ntp.conf and restart ntpd.

-- Glenn

localgareth (Author) Commented:
Tried that... still nothing.

I've just tried (from a host) ntpdate'ing to my ISP server...

earth:/etc/init.d # ntpdate ntp.demon.co.uk
 3 Aug 14:43:51 ntpdate[13596]: adjust time server 158.152.1.76 offset 0.000032 sec

This works - so at least it proves a firewall isn't the problem!

earth:/etc/init.d # ntpdate time.galaxy.tbs
 3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found


Gareth

Gns Commented:
> This works - so atleast it proves a firewall isn't the problem!
Eh, I was thinking more like an iptables (netfilter) or ipchains FW local to your ntp-server.
iptables -L
might show something.

Do you get anything in the logs when you do the (failed) ntpdate? Including auth and/or syslog?

> earth:/etc/init.d # ntpdate time.galaxy.tbs
>  3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found
Might indicate a stratum problem... "suitable" being the key word. Try adding the "fudge" line, exactly as above.

Ok, I'm going to test a bit on my dusty ol' woody, and see what shakes.

-- Glenn

localgareth (Author) Commented:
iptables -L shows accept for all chains, and no other rules - this is the same on both my (broken) time server and my hosts.

Don't get anything in the logs when a client tries to connect... I did get a message in syslog...

Aug  3 14:39:21 telesto ntpd[28881]: configure: keyword "authenticate" unknown

... so took that back out.

I'll try adding the fudge line :-)


Gareth

Gns Commented:
Ok, I've some preliminary findings as of yet... As with most things with woody, it's a somewhat "dusty" version of ntp. You might have a lot of "synchronization lost" entries in /var/log/daemon.log or /var/log/syslog ... which would explain why it can't act as a server.

... Looking further....

-- Glenn

Gns Commented:
Ok, setting the fudge line like
fudge 127.127.1.0 stratum 10
restarting ntp, then letting it be for the interval between my last message and this one fixed it for my old woody...
It _might_ have worked with earlier configs too, if I'd been patient enough:-).

-- Glenn

de2Zotjes Commented:
I had this same problem (no server suitable for syn..), turned out that in ntp.conf I used the setting multicastclient.
Comment that one out; it worked for me.

localgareth (Author) Commented:
Glenn...

I've not made any config changes for a couple of hours, and just decided to check back and test the ntpdate command from a client on my network... and it worked!!! But when I restarted ntp-server, the client can no longer synchronise... and gets the same error message.

I guess I need to see how long before it magically starts working.


Gareth

localgareth (Author) Commented:
Glenn

Again, this morning it's all working fine... restart the service and it doesn't work.

Could this just be usual behaviour?


Gareth

de2Zotjes Commented:
Since Glenn seems to be out for the moment:

Yes this is usual behaviour. It might take a couple of minutes to get accurate readings from the up-stream timeserver. During that time you will not be able to synchronize to the current server.

localgareth (Author) Commented:
de2... How long is usual, is this documented anywhere?


Gareth

Gns Commented:
(Well, 'scuse me for being home sleeping:-):-)
Yes, one should be able to determine this (from the very voluminous and explicit docs, if nowhere else:-), but... One really doesn't need to!
You'll probably have "good enough" time to survive being without a true timesource for at least a couple of hours, especially once all clocks have been brought ... "close". If time is supercritical (perhaps due to some scientific calcs/equipment, or some distributed RT requirements ... or similar) you could probably not live with it, but for good synchronized "office" time... you'll be fine.
And the good part is that they will start syncing ASAP as the readings are good.

To me, ntp is one of those "setup-and-almost-forget" type of services, since the protocols and tools have been intelligently designed;). It's been rock solid for years for me, and a host of others around the globe... A good reason to keep a couple of linux servers on the LAN, that are so lightly loaded ('cause NTP really doesn't stress any normal semi-modern machine at all) that you can use them for any _other_ task you like... File/print servers perhaps?

Let us know if you have any more problems, setting up the rest of the servers.

-- Glenn

localgareth (Author) Commented:
Hi Glenn

I didn't know techies needed sleep!?! hehe.

Well... I think I can live with the delay :-) It seems to be between 6 and 8 minutes, so it's nothing major.

I've now set up my other clients to get their time from my main time server... however, I don't want these clients to also act as servers - it just seems unnecessary.

How would I set a client only mode in ntp.conf?


Gareth
... points for this question increased to 500 :-)

Gns Commented:
Um, again... Does it really matter? ntp is rather safe as it is...
But if you'd like to be supersure, just set your local firewall ('cause if you deem NTP to be a security risk, you _really_ should have a local FW on every machine) to block "incoming" ntp requests.
If you have a moderately safe LAN (protected from everything but the users;-), I wouldn't bother:-)

-- Glenn

localgareth (Author) Commented:
Guess it doesn't *really* matter... just thought it was better not to have services accessible to other hosts that aren't needed.

I don't want to start installing and configuring iptables for this, I had hoped there would be a configuration entry that could be used in ntp.conf.


Gareth

de2Zotjes Commented:
To block incoming requests you can also state (in the ntp.conf that is):

restrict default ignore
restrict <server> mask 255.255.255.255 nomodify notrap noquery

Additional restrict lines can be used to open the service to more remote machines.

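A worked version of the two restrict styles discussed in this thread, added here as an example rather than anything posted by Gareth, Glenn or de2Zotjes: two constructed ntp.conf variants for a classic ntpd (Woody-era keyword syntax, without the "authenticate" line the daemon rejected above), plus a small shell check that reports what a given config leaves open by default. The LAN range 10.253.253.0/24 and the upstream host are assumed from the addresses quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed ntp.conf text for a classic
# ntpd; the hostnames and the 10.253.253.0/24 LAN are assumed from the thread.

# Client-only host: take time from the LAN server, answer nobody else.
# "restrict default ignore" drops every packet not matched by a later line;
# the next line then admits time packets from the LAN server only, while
# nomodify/notrap/noquery stop it from reconfiguring or querying this host.
NTP_CLIENT_CONF='server 10.253.253.48
driftfile /etc/ntp.drift
restrict default ignore
restrict 10.253.253.48 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1'

# LAN time server: upstream from the ISP, local clock as a stratum-10
# fallback (fudge applies to a declared 127.127.1.0 server), and LAN hosts
# may request time but may not reconfigure the daemon or read its state.
NTP_SERVER_CONF='server ntp.demon.co.uk
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp.drift
restrict default ignore
restrict ntp.demon.co.uk mask 255.255.255.255 nomodify notrap noquery
restrict 10.253.253.0 mask 255.255.255.0 nomodify notrap noquery
restrict 127.0.0.1'

# Print the flags on the "restrict default" line of the config passed as $1,
# or "open" when there is none (classic ntpd then serves and answers everyone).
default_restrict_flags() {
    flags=$(printf '%s\n' "$1" |
        awk '$1 == "restrict" && $2 == "default" { for (i = 3; i <= NF; i++) printf "%s ", $i }')
    if [ -n "$flags" ]; then printf '%s\n' "${flags% }"; else echo open; fi
}

# Count the restrict lines that carve exceptions out of the default policy.
restrict_exceptions() {
    printf '%s\n' "$1" | awk '$1 == "restrict" && $2 != "default"' | wc -l | tr -d ' '
}

# Stand-alone usage: audit both constructed configs and a server-line-only
# config like the one first posted in this thread (no restrict lines at all).
for conf in "$NTP_CLIENT_CONF" "$NTP_SERVER_CONF" 'server ntp.demon.co.uk'; do
    echo "default policy: $(default_restrict_flags "$conf"), exceptions: $(restrict_exceptions "$conf")"
done
```

Run the check against a real /etc/ntp.conf with `default_restrict_flags "$(cat /etc/ntp.conf)"`; a result of "open" means the host is still answering every NTP query on the network.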
Gns Commented:
Yes de2Zotjes, thanks for jogging my memory(:-), still... if one deems this necessary, a firewall is never wrong.

-- Glenn

localgareth (Author) Commented:
Guys... thanks for all your help.


Gareth