Solved

Urgent: Need help to set up NTP to synchronize times between Red Hat servers

Posted on 2007-03-27
Last Modified: 2013-12-06
I have 3 Red Hat servers and I want to set one of them as the NTP server and the others as clients.
Please provide me the steps as simply as possible.
0
Question by:mukhtar2t
 
LVL 1

Expert Comment

by:iamgibbon
ID: 18799264
1. install ntp services using either of these commands:
# yum install ntp
or
# up2date ntp

configure /etc/ntp.conf file using command:
# vi /etc/ntp.conf
add address of ntp server to ntp.conf file, save the file and restart the ntp service

on your other 2 servers edit the ntp.conf to look at the server you configured, restart the services.

you can also force an ntp update using the command :
# ntpdate ntp.server.etc
hth.
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18799342
Hi

Checkout http://www.pool.ntp.org/ for available time servers.


a ntpd.conf for your main linux ntp server

# default restrictions
restrict default noquery notrust nomodify

# override the default restrictions here for your other 2  Linux server boxes
restrict  1.2.3.4 mask 255.255.255.255 nomodify  
restrict  1.2.3.5 mask 255.255.255.255 nomodify

# public NTP servers to sync with
server Public-timeserver1
server Public-timeserver2

restrict Public-timeserver1 noquery nomodify
restrict Public-timeserver2 noquery nomodify


# NTP drift file - used to keep track of your system clocks
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log


example config file for your other linux boxes


# default restrictions
restrict default noquery notrust nomodify

# Permit all access over the loopback interface
restrict 127.0.0.1

# public NTP servers to sync with
server FQDN-of-your-primary-ntp-server


restrict  FQDN-of-your-primary-ntp-server noquery nomodify

# NTP drift file - used to keep track of your system clocks
# time deviation
driftfile /etc/ntp.drift

# NTP log file
logfile /var/log/ntp.log


Checkout http://www.pool.ntp.org/ for available time servers.

Trev
0
 
LVL 1

Expert Comment

by:iamgibbon
ID: 18799381
Hi.
Don't forget to forward UDP port 123 to your server that gets its time sync from an external source.
hth.
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18799726
Hi

Also make sure that the servers have the (roughly) correct time before you start the ntpd service "service ntpd start", as otherwise the initial sync may fail.

if you have any issue once the ntpd service is running pls type the following on the command line and copy/post the output.

grep ntpd /var/log/messages

Trev
0
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18799782
Peace be upon you suggestionstick.
First let us do this for just two servers and I will apply it for the third.
My NTP server address is 10.0.0.202
This is the ntp.conf:

# Prohibit general access to this service.
restrict default ignore
restrict 66.187.233.4 mask 255.255.255.255 nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap


# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip



# --- NTP MULTICASTCLIENT ---
#multicastclient                  # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server 66.187.233.4
fudge      127.127.1.0 stratum 10      

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay      0.008

#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys

and this is the result for grep ntpd /var/log/messages

Mar 27 00:14:03 server ntpd[5064]: time reset 0.176357 s
Mar 27 00:14:03 server ntpd[5064]: synchronisation lost
Mar 27 03:38:17 server ntpd[5064]: time reset -0.246986 s
Mar 27 03:38:17 server ntpd[5064]: synchronisation lost
Mar 27 08:21:24 server ntpd[5064]: time reset 0.180443 s
Mar 27 08:21:24 server ntpd[5064]: synchronisation lost
Mar 27 09:06:31 server ntpd[5064]: time reset 0.607093 s
Mar 27 09:06:31 server ntpd[5064]: synchronisation lost
Mar 27 09:21:54 server ntpd[5064]: time reset 0.211869 s
Mar 27 09:21:54 server ntpd[5064]: synchronisation lost
Mar 27 09:37:09 server ntpd[5064]: time reset -0.153912 s
Mar 27 09:37:09 server ntpd[5064]: synchronisation lost
Mar 27 09:52:21 server ntpd[5064]: time reset -0.227535 s
Mar 27 09:52:21 server ntpd[5064]: synchronisation lost
Mar 27 10:07:35 server ntpd[5064]: time reset 0.260253 s
Mar 27 10:07:35 server ntpd[5064]: synchronisation lost
Mar 27 11:33:24 server ntpd[5064]: time reset -0.202148 s
Mar 27 11:33:24 server ntpd[5064]: synchronisation lost
Mar 27 12:51:41 server ntpd[5064]: time reset 0.136955 s
Mar 27 12:51:41 server ntpd[5064]: synchronisation lost
Mar 27 14:21:43 server ntpd[5064]: ntpd exiting on signal 15
Mar 27 14:21:43 server ntpd: ntpd shutdown succeeded
Mar 27 14:43:18 server ntpdate[15717]: step time server 66.187.233.4 offset 1.260074 sec
Mar 27 14:43:18 server ntpd:  succeeded
Mar 27 14:43:18 server ntpd[15721]: ntpd 4.1.2@1.892 Thu Sep 11 05:38:15 EDT 2003 (1)
Mar 27 14:43:18 server ntpd: ntpd startup succeeded
Mar 27 14:43:18 server ntpd[15721]: precision = 9 usec
Mar 27 14:43:18 server ntpd[15721]: kernel time discipline status 0040
Mar 27 14:43:18 server ntpd[15721]: frequency initialized 61.597 from /var/lib/ntp/drift
Mar 27 14:47:47 server ntpd[15721]: kernel time discipline status change 41
Mar 27 14:48:50 server ntpd[15721]: kernel time discipline status change 1
Mar 27 15:23:12 server ntpd[15721]: time reset 0.601682 s
Mar 27 15:23:12 server ntpd[15721]: synchronisation lost
Mar 27 16:35:04 server ntpd[15721]: time reset -0.320047 s
Mar 27 16:35:04 server ntpd[15721]: synchronisation lost

My client NTP Address is: 10.0.0.200
0
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18799810
NTP server :
Red Hat Enterprise Linux WS release 3 (Taroon)
NTP Client:
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18800792
Hi

stop ntp

"service ntpd stop"

run the following command

ntpdate  66.187.233.4

should look like this

28 Mar 01:20:24 ntpdate[2053]: adjust time server 66.187.233.4 offset 0.017163 sec.

then

start the ntp service

"service ntpd start"

wait for a few minutes, then run
ntpq -p

copy/post

assuming that you posted the config from your local NTP server on  10.0.0.202
backup the ntp.conf file on both servers before making any changes
Then under the section
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

add a line

restrict 10.0.0.200  mask 255.255.255.0  nomodify notrap

then in the client server conf use 10.0.0.202 instead of  66.187.233.4 (backup ntp.conf before making any changes).


might also change authenticate yes to authenticate no.

also your ntp version is different, but I could not see any mention in the logs of ntpd listening on any interfaces.

could you copy/clean/post
lsof -i | grep ntpd

you will have to clean this output for public consumption as it will have internal host names.

Trev


0

 
LVL 4

Author Comment

by:mukhtar2t
ID: 18801032
At the server
service ntpd stop
Shutting down ntpd:                                        [  OK  ]
#ntpdate  66.187.233.4
27 Mar 18:47:49 ntpdate[17973]: adjust time server 66.187.233.4 offset -0.098214 sec
#service ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==================================================
 clock1.redhat.c .CDMA.           1 u   33   64    1  658.611  -10.990   0.004
#lsof -i|grep ntpd
ntpd      17991     ntp    4u  IPv4 309683362       UDP *:ntp
ntpd      17991     ntp    5u  IPv4 309683363       UDP localhost.localdomain:ntp
ntpd      17991     ntp    6u  IPv4 309683364       UDP servername.lan:ntp

I added the line to /etc/ntp.conf and backed it up.


At the client
#ntpdate  10.0.0.202
27 Mar 18:55:27 ntpdate[11873]: no server suitable for synchronization found

0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18801178
Hi

Have you opened up your iptables firewall on 10.0.0.202 to allow UDP port 123 from 10.0.0.200? If not, open it and try "ntpdate 10.0.0.202" again.

if you run ntpq -p the reach value should now read one of the following values  1, 3, 7, 17, 37, 77, 177, 377

The fact that you are not displaying a reach value of 0 on your main NTP server is a good sign. It means that the last sync attempt to Red Hat's time server was good.

Trev


 

0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18801241
Hi

"if you run ntpq -p the reach value should now read one of the following values  1, 3, 7, 17, 37, 77, 177, 377"

this is on your ntp server

Trev
0
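Added example, not part of any poster's comment: the reach column discussed in the two comments above is an 8-bit shift register printed in octal, one bit per poll, with the newest poll in the lowest bit. This Python sketch decodes reach and the leading tally character from the `ntpq -p` rows posted in this thread; the function names are illustrative.

```python
# Peer rows copied from the ntpq -p output posted in this thread, oldest first.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 clock1.redhat.c .CDMA.           1 u   33   64    1  658.611  -10.990   0.004
 clock1.redhat.c .CDMA.           1 u   17   64    3  862.194  112.954  45.692
*clock1.redhat.c .CDMA.           1 u   50   64  377  829.291  -36.215  54.734
"""

def decode_reach(reach_octal):
    """Decode the octal reach register: bit 0 is the most recent poll."""
    value = int(reach_octal, 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach is an 8-bit register: %r" % reach_octal)
    history = [bool((value >> bit) & 1) for bit in range(8)]  # newest first
    streak = 0
    for answered in history:
        if not answered:
            break
        streak += 1
    return {
        "answered": sum(history),   # replies within the last 8 polls
        "last_ok": history[0],      # did the most recent poll get a reply?
        "streak": streak,           # consecutive replies, counting back from now
        # True for 1, 3, 7, 17 ... 377: no poll since startup was missed
        "no_loss_since_start": value != 0 and value & (value + 1) == 0,
    }

def parse_peers(text):
    """Return one dict per peer row of `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue  # header, separator or blank line
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer row
        peer = decode_reach(fields[6])
        peer.update(remote=fields[0], tally=tally, offset_ms=float(fields[8]))
        peers.append(peer)
    return peers

def assess(peer):
    """One-line health verdict for a parsed peer."""
    if peer["answered"] == 0:
        return "unreachable: no reply in the last 8 polls"
    if not peer["last_ok"]:
        return "reachable but the most recent poll went unanswered"
    if peer["tally"] != "*":
        return "reachable, not yet selected as sync source"
    return "selected sync source"

for p in parse_peers(SAMPLE):
    print(p["remote"], "answered:", p["answered"], "->", assess(p))
```

A reach of 0 is the case to alert on: it is what a blocked UDP port 123 or an over-tight restrict line looks like from the polling side.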
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18802611
I did the forward but I can't verify whether it succeeded or not.
I typed this command, which I got from an expert here:
iptables -A INPUT -p udp -m udp -d 10.0.0.202 -s 10.0.0.200 --dport  123 -j ACCEPT
but the client is still not working
 ntpdate  10.0.0.202
27 Mar 21:05:30 ntpdate[15929]: no server suitable for synchronization found



The client conf file:


# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

restrict default nomodify notrap noquery
restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap


# --- OUR TIMESERVERS -----
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org


# --- NTP MULTICASTCLIENT ---
#multicastclient                  # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server      127.127.1.0      # local clock
fudge      127.127.1.0 stratum 10      

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay      0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys
0
 
LVL 5

Accepted Solution

by:
suggestionstick earned 500 total points
ID: 18804180
Hi


The "ntpdate 10.0.0.202" command will not use the ntp.conf file settings; however, your client ntp.conf in the time servers section should contain the following (notice the defaults are commented):

# --- OUR TIMESERVERS -----
server 10.0.0.202
#server 0.pool.ntp.org
#server 1.pool.ntp.org
#server 2.pool.ntp.org

also delete "restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery" line as this is covered under the default restrict.

save and restart "service ntpd condrestart"


I think the issue is still with your firewalls; you will also have to allow ntp on your ntp client server. (If the box is behind another firewall, and you are not masq for internal clients, then a quick firewall stop/start might be in order.)

on both boxes "service iptables stop"  quickly run ntpdate 10.0.0.202 on the client box , observe the results and then quickly  run "service iptables start" on both boxes.  if you don't want to stop your firewall i can understand,  instead do a "service iptables condrestart"  on your ntp server box and then "service iptables status"  can you see a rule for ntp listed?




can you also run a ntpq -p on the ntp server and copy/paste the results


Trev
0
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18806806
On the client
I added the server 10.0.0.202
deleted the line restrict 10.0.0.202 mask 255.255.255.255 nomodify notrap noquery
#service ntpd condrestart
#ntpdate  10.0.0.202
28 Mar 12:54:39 ntpdate[16762]: no server suitable for synchronization found

On the server
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
=========================================================
 clock1.redhat.c .CDMA.           1 u   17   64    3  862.194  112.954  45.692
0
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18806827
Now on the client
chkconfig ntpd on
service ntpd start
Starting ntpd:                                             [  OK  ]
#ntpdate -u 10.0.0.202
28 Mar 13:25:40 ntpdate[17683]: step time server 10.0.0.202 offset 2.913365 sec

On the server
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==========================================================
*clock1.redhat.c .CDMA.           1 u   50   64  377  829.291  -36.215  54.734
0
 
LVL 4

Author Comment

by:mukhtar2t
ID: 18807475
Peace be upon you suggestionstick
I really appreciate your support.
If there is a degree more than A, it must be for you.
i hope my god give you a good
0
