Owl River Company

   http://www.owlriver.com/tips/ntp_setup/

I would like to synchronize my host to the 'real' time using NTP. How do I set up /etc/ntp.conf?


Recent improvements in the NTP timeserver DNS configurations (the pool.ntp.org round-robin) have made it much easier to get NTP working. Ten minutes' editing of /etc/ntp.conf should do the trick.

Fortunately, this is fairly direct to set up. This example was done under the latest stable version of the CentOS project's 'CentOS-3.4' Enterprise distribution. The approach, however, is generic and will work under any Red Hat or closely derived Linux distribution as well.

Edit /etc/ntp.conf and restart your NTP service. We need to allow all local interfaces as permitted sources; we can determine them using a 'shell one-liner' thus:

  [root@ftp root]# /sbin/ifconfig | grep inet | awk '{print $2}' | \
      awk -F: '{print $2}'
  10.16.1.253
  172.16.11.253
  127.0.0.1
  [root@ftp root]#

so we need to add 10.16.1.253 and 172.16.11.253 to the existing 127.0.0.1 in /etc/ntp.conf. The added or changed text was highlighted in red on the original page; here each addition is introduced by a '# ORC' comment.

  #
  # ORC ntp.conf
  #
  # verify it is working with:  ntpq -p -n
  #
  # Prohibit general access to this service.
  #
  restrict default ignore

  # Permit all access over the loopback interface.  This could
  # be tightened as well, but to do so would affect some of
  # the administrative functions.
  restrict 127.0.0.1
  # ORC - manually add local interfaces to use
  restrict 10.16.1.253
  restrict 172.16.11.253

  # -- CLIENT NETWORK -------
  # Permit systems on this network to synchronize with this
  # time service.  Do not permit those systems to modify the
  # configuration of this service.  Also, do not use those
  # systems as peers for synchronization.
  # ORC - manually tighten list of clients
  # restrict 10.0.0.0 mask 255.0.0.0 notrust nomodify notrap
  restrict 10.16.1.0 mask 255.255.255.0 notrust nomodify notrap
  restrict 172.16.11.0 mask 255.255.255.0 notrust nomodify notrap

  # --- OUR TIMESERVERS -----
  # or remove the default restrict line
  # Permit time synchronization with our time source, but do not
  # permit the source to query or modify the service on this system.

  # restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
  # server mytrustedtimeserverip

  # --- NTP MULTICASTCLIENT ---
  #multicastclient                        # listen on default 224.0.1.1
  # restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
  # restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

  # --- GENERAL CONFIGURATION ---
  #
  # Undisciplined Local Clock. This is a fake driver intended for backup
  # and when no outside source of synchronized time is available. The
  # default stratum is usually 3, but in this case we elect to use stratum
  # 0. Since the server line does not have the prefer keyword, this driver
  # is never used for synchronization, unless no other
  # synchronization source is available. In case the local host is
  # controlled by some external source, such as an external oscillator or
  # another protocol, the prefer keyword would cause the local host to
  # disregard all other synchronization sources, unless the kernel
  # modifications are in use and declare an unsynchronized condition.
  # ORC - we remove the dummy
  # server 127.127.1.0     # local clock
  # fudge  127.127.1.0 stratum 10
  # ORC and add the pool of ntp servers from the DNS roundrobin
  server pool.ntp.org
  server 0.pool.ntp.org
  server 1.pool.ntp.org
  server 2.pool.ntp.org

  #
  # Drift file.  Put this in a directory which the daemon can write to.
  # No symbolic links allowed, either, since the daemon updates the file
  # by creating a temporary in the same directory and then rename()'ing
  # it to the file.
  #
  driftfile /var/lib/ntp/drift
  broadcastdelay  0.008

  #
  # Authentication delay.  If you use, or plan to use someday, the
  # authentication facility you should make the programs in the auth_stuff
  # directory and figure out what this number should be on your machine.
  #
  authenticate yes

  #
  # Keys file.  If you want to diddle your server at run time, make a
  # keys file (mode 600 for sure) and define the key number to be
  # used for making requests.
  #
  # PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
  # systems might be able to reset your clock at will. Note also that
  # ntpd is started with a -A flag, disabling authentication, that
  # will have to be removed as well.
  #
  keys            /etc/ntp/keys
  [root@ftp root]#

Note: this uses the hostname pool.ntp.org quite intentionally; see the pool.ntp.org project site to learn more.

Then restart the NTP service:

  [root@ftp root]# service ntpd restart
  Shutting down ntpd:                                        [  OK  ]
  Starting ntpd:                                             [  OK  ]
  [root@ftp root]#

Then wait for ten minutes, to let the jitter settle down, and examine progress:

  # /usr/sbin/ntpq -p -n
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
   69.228.59.2     .GPS.            1 u    8   64    3  130.478  -36.543   2.590
   213.15.3.19     192.36.133.25    2 u    2   64    3  147.645  -35.156   4.528
   216.234.161.11  199.212.17.15    3 u   10   64    3   86.345  -40.980   3.133
  [root@ftp root]#


Traps for the unwary:
Q: Why am I getting errors in /var/log/messages which say: ntpd returns a permission denied error!?
A: You have an overly restrictive restrict line. See: NTP Bug 129.

------- Additional Comment #12 From Harlan Stenn 2003-07-02 22:05 -------

This turned out to be a local problem in the ntp.conf file - somebody had done something like:

  restrict 127.0.0.1 nomodify notrap noserve nopeer notrust

and since the resolver process communicates back to ntpd using 127.0.0.1, the above 'restrict' line was telling ntpd to refuse to listen to the resolver process.
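As an added example (not code from this page, from Owl River, or from the NTP project), a small Python checker that applies the two points above to an ntp.conf: the layered restrict rules of the configuration (a closed default, an open loopback, client networks with nomodify and notrap) and the Bug 129 trap of refusing flags on the 127.0.0.1 line. The two config fragments are constructed for the example and it assumes the 'restrict ADDR [mask MASK] FLAGS...' syntax shown on this page.

```python
# Constructed ntp.conf fragments for the example, not the page's own file.
GOOD_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 10.16.1.253
restrict 10.16.1.0 mask 255.255.255.0 notrust nomodify notrap
"""
BAD_CONF = """\
restrict default ignore
restrict 127.0.0.1 nomodify notrap noserve nopeer notrust   # the Bug 129 trap
restrict 10.16.1.0 mask 255.255.255.0 notrust               # clients may modify
"""

# Flags on the loopback rule that stop ntpd accepting its own resolver's packets.
LOOPBACK_BREAKERS = {"ignore", "noserve", "nopeer", "notrust"}
# Flags every client-network rule should carry so clients cannot alter the service.
CLIENT_REQUIRED = {"nomodify", "notrap"}


def parse_restricts(text):
    """Return (address, mask_or_None, set_of_flags) per restrict line, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        addr, rest = parts[1], parts[2:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        rules.append((addr, mask, set(rest)))
    return rules


def audit(text):
    """Return a list of findings; an empty list means the restrict rules look sane."""
    findings = []
    rules = parse_restricts(text)
    default = [flags for addr, _, flags in rules if addr == "default"]
    if not default:
        findings.append("no 'restrict default' line: every host gets full access")
    elif "ignore" not in default[0] and not CLIENT_REQUIRED <= default[0]:
        findings.append("'restrict default' allows modify/trap requests from anyone")
    for addr, mask, flags in rules:
        if addr == "127.0.0.1" and flags & LOOPBACK_BREAKERS:
            findings.append("loopback rule carries %s: resolver replies will be refused"
                            % sorted(flags & LOOPBACK_BREAKERS))
        if mask and mask != "255.255.255.255" and not CLIENT_REQUIRED <= flags:
            findings.append("client network %s/%s lacks %s"
                            % (addr, mask, sorted(CLIENT_REQUIRED - flags)))
    return findings
```

Run audit() over the text of your own /etc/ntp.conf before restarting ntpd; the checker reads only the restrict lines and ignores everything else.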



rev 050210 RPH
Last modified: Fri, 29 Apr 2005 16:59:17 -0400