Saturday, August 21, 2004

NTP aka Network Time Protocol

The much-awaited weekend has arrived after a hectic week at work (usually this is not very common for system / network admins :)) and it looks like in the midst of everything and work I found the girl I think is my type, and I hope things go the good way :).

Picking up a very light topic today, but a very important one: having all the servers in sync with a central server with respect to time.

This generally helps a lot when comparing logs from different machines, etc.

A little theory behind NTP: NTP is organised in a hierarchical client-server model. At the top of this hierarchy there are a small number of machines known as reference clocks. A reference clock is known as stratum 0 and is typically a cesium clock or a Global Positioning System (GPS) receiver that receives time from satellites. Attached to these machines are the so-called stratum 1 servers (that is, stratum 0 clients), which are the top-level time servers available to the Internet; that is, they are the best NTP servers available.

With the theory out of the way, what we as admins actually need to do is synchronise one server on the network with a public NTP server and keep the other servers on the network in sync with that NTP server on our production network.

Basically, the NTP server and client are not two different daemons; it is one and the same program, and its role just depends on the configuration file /etc/ntp.conf.

Before we start with the actual configuration, a list of public NTP servers can be found at :

The main files used by NTP:

1. /etc/ntp.conf Whenever ntpd starts, it checks its configuration file to determine synchronization sources, authentication options, monitoring options, access control and other operating options.

2. /etc/ntp/drift This is called the frequency file; it contains the latest estimate of the clock frequency error.

3. /etc/ntp/keys If specified, ntpd will also look for this file, which contains the authentication keys.

Taking a look at the sample /etc/ntp.conf :

# Server to sync the clock from
server ]
# Peers are servers on the same network which also act as NTP servers.


# Location of the drift File
driftfile /etc/ntp/drift

# Does the server require authentication? (A better way to block other public servers from synchronising is the restrict option shown below.)

authenticate no

#This is used in case authentication method is used.
#keys /etc/ntp/keys
#trustedkey 65535
#requestkey 65535
#controlkey 65535

# This is a better way to restrict servers by allowing only certain IP subnets.
# by default ignore all ntp packets
restrict mask ignore
# allow localhost
restrict mask
# accept packets from... (Only the servers on the subnet below will be allowed to sync time including localhost :)
restrict mask
restrict mask
restrict mask

A sample file on the NTP client would simply be :

#more /etc/ntp.conf

driftfile /etc/ntp/ntp.drift
pidfile /var/run/

restrict default ignore

That should get you up and running on the NTP side. Some useful utilities that come with the NTP server:

ntp-genkeys >>>> Generates a key for NTP authentication
ntpd >>>> The actual NTP daemon
ntpdate >>>> Generally used in cron jobs, or run manually when you connect if your machine is not continuously on the internet.

Crontab entry to update the system clock once a day
0 2 * * * /usr/sbin/ntpdate -s -b -p 8 -u

-b : Force the time to be stepped using the settimeofday() system call, rather than slewed (default) using the adjtime() system call. This option should be used when called from a startup file at boot time.
-p samples : Specify the number of samples to be acquired from each server as the integer samples, with values from 1 to 8 inclusive. The default is 4.
-s : Divert logging output from the standard output (default) to the system syslog facility. This is designed primarily for convenience of cron scripts.
-u : Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronise with hosts beyond the firewall. Note that the -d option always uses unprivileged ports.

Last but not least, NTP works on port 123 and supports both TCP and UDP protocols.

After you modify your ntp.conf for a new subnet, the steps to check are:

1. Check the rules on the firewall / ACLs on the router to see whether the traffic is allowed to pass.
2. Check the /etc/hosts.allow file on the server to see whether the new subnet is allowed there.
3. This is the most common mistake, and I make it too: after modifying the configuration file I do not give a -HUP to the NTP daemon so that it can read the new configuration again and accept time packets from the new servers.
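
One more check that fits this list, as an added example that is not part of the original post: the Python sketch below evaluates the restrict lines of an ntp.conf the way ntpd's documentation describes (entries ordered by address and then mask, last match wins), so you can confirm that a new subnet is served and everything else still hits the default ignore. The function names and the sample addresses (documentation ranges) are assumptions made for the example; it handles IPv4 entries only.

```python
import ipaddress

# Constructed sample config: every address is a documentation range, not from the post.
SAMPLE_CONF = """\
server 192.0.2.10
driftfile /etc/ntp/drift
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf_text):
    """Return sorted (address, mask, flags) entries for the IPv4 restrict lines."""
    entries = [(0, 0, [])]  # ntpd's built-in default entry: no restrictions
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        mask = "255.255.255.255"  # no mask given means a single host
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        try:
            entries.append((int(ipaddress.IPv4Address(addr)),
                            int(ipaddress.IPv4Address(mask)), rest))
        except ValueError:
            continue  # hostnames and IPv6 entries are outside this sketch
    # The list is ordered by address, then mask; sorted() is stable, so a
    # configured "restrict default" stays after the built-in entry.
    return sorted(entries, key=lambda e: (e[0], e[1]))

def effective_flags(conf_text, source_ip):
    """Flags applied to a packet from source_ip: the last matching entry wins."""
    src = int(ipaddress.IPv4Address(source_ip))
    flags = []
    for addr, mask, entry_flags in parse_restrict(conf_text):
        if src & mask == addr & mask:
            flags = entry_flags
    return flags

def is_served(conf_text, source_ip):
    """True unless the winning entry carries 'ignore' or 'noserve'."""
    return not {"ignore", "noserve"} & set(effective_flags(conf_text, source_ip))
```

Note that with a default of ignore, the upstream server itself needs its own restrict entry, otherwise its replies are dropped as well.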

Hey ppl, I think today's stuff was written in a very unorganised manner, but lack of time and a 72 hr work schedule ...... :)

Will try and put up some more intriguing topics like BGP, starting with simple topics and moving on to complex stuff like route dampening and filters etc ....


At 10/05/2005 08:22:00 AM, Blogger jiri said...

Hey, I have enjoyed...your blog is informative - even entertaining.

I have Halloween sites. They pretty much cover costumes and masks related stuff.

Thanks again and I'll be sure to bookmark you.

