Configuring NTP Server(s)

One more of the “annoying items” that I’m probably never going to use again in anger is NTP server configuration.

Basically, rather than setting the time once and letting your servers/devices “drift”, so that after X hours/days/weeks they are actually at different times (which can cause a lot of problems for Kerberos, LDAP authentication, etc.), you can use NTP to sync all the servers to a single time source, so they all agree on the same time.

To do this, you first need a NTP Server.

Installation

It’s easy; on RHEL it’s already there! If not, you can install it with “yum install ntp ntpdate” (there is no package group from what I can see).

Configuration

There is only one file to edit – that is /etc/ntp.conf. In here, we need to edit a few things to get it working. I’ve added a snip below of the ntp.conf file on the RHEL server I’m using for revision:

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10

The interesting items are the “server” and “restrict” lines.

Firstly, “server ..”. These lines are what they say on the tin: the servers we are going to take our time source from. So, like in DNS, we have a ‘highest power’; our servers talk to those, and people talk to us – a hierarchy. In this example, I’m going to take my time sources from the rhel.pool.ntp.org servers, and have people take their time from me – saving bandwidth, yada yada.

The ‘iburst’ option is important, as it sends out a burst of sync packets rather than waiting and spreading them out over 10 minutes (FWIR) – this means it takes significantly less time to get the NTP server set up.

Next, we need to edit the “restrict ..” line – to say who can query and access our server’s NTP time signal, and what they are allowed to do (nomodify and notrap stop them changing the server’s state).

That’s pretty much the entirety of the configuration. Next, we just have to allow access inbound (iptables) to the NTP port, which is UDP 123, using a line such as:

iptables -I INPUT 3 -s 192.168.0.0/24 -p udp --dport 123 -j ACCEPT

(The source range should match the network you allowed in the “restrict” line.) Which will give us:

3 ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:123
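As an added example (not from the original post), here is a small POSIX shell script that reads the IPv4 “restrict <net> mask <mask>” lines out of an ntp.conf and prints the matching iptables rule for UDP port 123, so the firewall range and the ntpd access range cannot drift apart. The sample ntp.conf text is constructed inline so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example: derive iptables rules for NTP (UDP/123) from the
# "restrict <net> mask <mask> ..." lines in an ntp.conf, so the firewall
# allows exactly the network ntpd itself is told to serve.

# Constructed sample config (same lines as the snippet in the post).
SAMPLE_NTP_CONF='restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.rhel.pool.ntp.org iburst'

# mask_to_prefix 255.255.255.0 -> 24; fails on non-contiguous masks.
mask_to_prefix() {
  bits=0; seen_zero=0
  oldifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    i=7
    while [ $i -ge 0 ]; do
      if [ $(( (octet >> i) & 1 )) -eq 1 ]; then
        # a set bit after a clear bit means the mask is not contiguous
        [ $seen_zero -eq 1 ] && { IFS=$oldifs; return 1; }
        bits=$((bits + 1))
      else
        seen_zero=1
      fi
      i=$((i - 1))
    done
  done
  IFS=$oldifs
  echo "$bits"
}

# Reads ntp.conf text on stdin; prints one iptables rule per IPv4
# "restrict <net> mask <mask>" line. Loopback/IPv6 lines are skipped.
ntp_restrict_to_iptables() {
  while read -r kw net maskkw mask _rest; do
    [ "$kw" = "restrict" ] && [ "$maskkw" = "mask" ] || continue
    prefix=$(mask_to_prefix "$mask") || { echo "bad mask $mask for $net" >&2; continue; }
    echo "iptables -I INPUT 3 -s $net/$prefix -p udp --dport 123 -j ACCEPT"
  done
}

printf '%s\n' "$SAMPLE_NTP_CONF" | ntp_restrict_to_iptables
```

Run it against your real file with “ntp_restrict_to_iptables < /etc/ntp.conf” and compare the output with “iptables -L INPUT -n --line-numbers”.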

…and that’s pretty much it!

Closing thoughts

The main objective of NTP from a questioning POV is probably around “create a server that takes its time source from blah.ntp.org, and then sync a server to your NTP server”.

Using the above, you should be able to do that – and then on the NTP client, run “ntpdate yourntpserverhere.com” and it will sync from there. “ntpstat” will then show you the results.