Below is the full text from the link above (Distributed Authentication System (DAS) Handbook by Van Emery)
Since Kerberos networks require that all participating hosts have their clocks synchronized within 5 minutes of the KDCs, we need to implement some mechanism for doing this. There are several ways to keep your DAS clients synchronized:
- Run ntpd
- Run ntpdate periodically via cron
- Run some other time synchronization client, like rdate or chronyd
- Set the clock manually and cross your fingers
Simply setting the clock manually will probably cause you headaches later, since it may not be clear why authentication is failing.
We will only look at two methods: running ntpd or running ntpdate via cron. Of the two methods, running the NTP daemon is preferred. However, there may be cases where you do not want the overhead of running ntpd and you want to use a simpler approach.
The NTP daemon listens on UDP port 123, and NTP clients may use a source port of 123, or standard non-privileged ports. Some firewalls do not accept traffic when clients use a UDP source port < 1024.
These are step-by-step instructions for configuring and testing NTP servers and clients. The instructions are Red Hat/Fedora specific, but the config files should work on Debian and Mandrake. There is a FreeBSD link in the References section. These instructions assume the following:
- TCP/IP addressing and networking are set up properly
- You have already set up your DAS servers, which act as NTP servers
- Any and all firewalls concerned are configured to allow NTP traffic
- Your timezone and system clock are set properly
- The DAS clients will not act as NTP servers for other systems
Instructions for Setting up ntpd on DAS Clients
Step 1: Make sure that the NTP package is installed
If you followed the baseline OS installation procedures for Red Hat 9, the package should already be installed. According to Red Hat, there are currently no security updates for it.
[root@das-m etc]# rpm -qa | grep ntp
ntp-4.1.2-0.rc1.2
The package includes ntpd, a utility called ntpdate, manpages, and other documentation.
Step 2: Test NTP connectivity to your DAS servers
To make sure that you can successfully make NTP queries to DAS-M or DAS-S, use the ntpdate command like this:
[root@labdemo2 root]# ntpdate -q das-m das-s
server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583
10 Jun 10:11:08 ntpdate[30613]: adjust time server 10.10.22.42 offset 0.020712 sec
This queries the NTP servers, but does not set the clock. For more information, you can use the -d (debug) option instead, which also does not set the clock.
Step 3: Make sure your clock is not out to lunch
Use the date command to make sure that your timezone is correct, and that your system clock is not already way out of whack. Correct as necessary.
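Before enabling ntpd, it is worth knowing how far the client's clock is from the DAS servers in relation to the 5-minute (300-second) Kerberos tolerance mentioned in the introduction. The following script is an added example, not part of the handbook: it reads the `ntpdate -q` output format shown in Step 2 and flags any offset that exceeds the tolerance. The sample output embedded in it is constructed, not captured from a real DAS client; the server names and IP addresses are taken from the handbook.

```shell
#!/bin/sh
# Added example (not from the DAS Handbook): check NTP offsets against the
# Kerberos clock-skew tolerance. Assumes the `ntpdate -q` output format shown
# in the handbook: "server <ip>, stratum N, offset <sec>, delay <sec>".

# Kerberos tolerates 5 minutes of skew between a client and the KDC.
MAX_SKEW_SEC=300

# Constructed sample: a client whose clock is almost 7 minutes off.
SAMPLE_SKEWED='server 10.10.22.42, stratum 3, offset -412.307241, delay 0.02576
server 10.10.22.40, stratum 3, offset -412.301855, delay 0.02583
10 Jun 10:11:08 ntpdate[30613]: step time server 10.10.22.42 offset -412.307241 sec'

# Constructed sample: a healthy client, offsets of a few milliseconds.
SAMPLE_OK='server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583
10 Jun 10:11:08 ntpdate[30613]: adjust time server 10.10.22.42 offset 0.020712 sec'

# Print the largest absolute offset (seconds) in ntpdate -q output read on stdin.
max_abs_offset() {
    awk 'BEGIN { max = 0 }
         /^server / {
             for (i = 1; i <= NF; i++)
                 if ($i == "offset") { off = $(i + 1); sub(/,$/, "", off); off += 0 }
             if (off < 0) off = -off
             if (off > max) max = off
         }
         END { printf "%.6f\n", max }'
}

# Print one line per server with OK / EXCEEDS verdict. Reads stdin.
report_skew() {
    awk -v lim="$MAX_SKEW_SEC" '
        /^server / {
            srv = $2; sub(/,$/, "", srv)
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { off = $(i + 1); sub(/,$/, "", off); off += 0 }
            a = (off < 0) ? -off : off
            printf "%-12s offset %12.6f s  %s\n", srv, off,
                   (a <= lim) ? "OK" : "EXCEEDS 5-minute Kerberos tolerance"
        }'
}

# Exit 0 if every offset is within tolerance, 1 otherwise. Reads stdin.
# awk does the comparison because sh arithmetic is integer-only.
skew_ok() {
    _max=$(max_abs_offset)
    awk -v m="$_max" -v lim="$MAX_SKEW_SEC" 'BEGIN { exit (m <= lim) ? 0 : 1 }'
}

# Demonstration on the constructed samples. On a real client you would run:
#   ntpdate -q das-m das-s | report_skew
printf '%s\n' "$SAMPLE_SKEWED" | report_skew
if printf '%s\n' "$SAMPLE_SKEWED" | skew_ok; then
    echo "clock within Kerberos tolerance"
else
    echo "clock outside Kerberos tolerance: fix it before starting ntpd"
fi
```

Run the check with `ntpdate -q das-m das-s | report_skew` before Step 5; an offset well beyond 300 seconds means Kerberos authentication will fail until the clock is corrected, and ntpd will only slew small offsets on its own.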
Step 4: Configure the /etc/ntp.conf config file
The /etc/ntp.conf file controls the behaviour of the NTP daemon. The config we are using ignores all hosts by default, permits only the loopback interface and the two DAS servers, and specifies das-m and das-s as the time servers. It is fairly simple:
# DAS Client ntpd config
# Configured by Van, 8-8-2003
#
restrict default ignore
restrict 127.0.0.1
# Our Time Servers (das-s and das-m)
restrict 10.10.22.40 mask 255.255.255.255 nomodify notrap noquery
restrict 10.10.22.42 mask 255.255.255.255 nomodify notrap noquery
server 10.10.22.40 ## das-s
server 10.10.22.42 ## das-m
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
broadcastdelay 0.008
authenticate no
keys /etc/ntp/keys
# End Config
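The access-control pattern in this config is what keeps a DAS client from answering or accepting NTP control traffic from arbitrary hosts: a `restrict default ignore` line, plus one `restrict` entry per configured server. The following script is an added example, not part of the handbook, that checks a client ntp.conf for exactly that pattern. It treats the handbook's own config as the good sample and uses a constructed config with no restrict lines as the bad one; the check matches servers to restrict lines by the literal address string, so it would report a false FAIL if a server were written as a hostname and its restrict line as an IP.

```shell
#!/bin/sh
# Added example (not from the DAS Handbook): lint an ntpd client config for the
# handbook's access-control pattern. Reads the config on stdin, prints one
# finding per line, exits 0 when clean and 1 when a FAIL was found.

# The handbook's client config, reproduced here as sample input.
GOOD_CONF='# DAS Client ntpd config
restrict default ignore
restrict 127.0.0.1
# Our Time Servers (das-s and das-m)
restrict 10.10.22.40 mask 255.255.255.255 nomodify notrap noquery
restrict 10.10.22.42 mask 255.255.255.255 nomodify notrap noquery
server 10.10.22.40 ## das-s
server 10.10.22.42 ## das-m
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift'

# Constructed sample: servers configured but no access control at all.
WEAK_CONF='# constructed weak config
server 10.10.22.40
server 10.10.22.42
driftfile /etc/ntp/drift'

lint_ntp_conf() {
    awk '
        # Drop comments (including the "## das-s" trailers) and blank lines.
        { sub(/#.*/, ""); if (NF == 0) next }

        # "restrict default ignore": nobody talks to us unless listed below.
        $1 == "restrict" && $2 == "default" {
            for (i = 3; i <= NF; i++) if ($i == "ignore") have_default_ignore = 1
        }

        # Per-host restrict lines; remember the address and check its flags.
        $1 == "restrict" && $2 != "default" {
            restricted[$2] = 1
            if ($2 != "127.0.0.1") {
                has = 0
                for (i = 3; i <= NF; i++) if ($i == "nomodify") has = 1
                if (!has) print "WARN: restrict " $2 " lacks nomodify"
            }
        }

        # Real servers only; 127.127.x.x addresses are ntpd pseudo-clock drivers.
        $1 == "server" && $2 !~ /^127\.127\./ { servers[$2] = 1 }

        END {
            bad = 0
            if (!have_default_ignore) {
                print "FAIL: no \"restrict default ignore\" line"; bad = 1
            }
            for (s in servers)
                if (!(s in restricted)) {
                    print "FAIL: server " s " has no matching restrict line"; bad = 1
                }
            if (!bad) print "OK: default ignore set and every server has a restrict entry"
            exit bad
        }'
}

# Demonstration. On a client you would run:  lint_ntp_conf < /etc/ntp.conf
echo "--- handbook config ---";   printf '%s\n' "$GOOD_CONF" | lint_ntp_conf
echo "--- weak config ---";       printf '%s\n' "$WEAK_CONF" | lint_ntp_conf || true
```

The WARN for a missing `nomodify` is informational only; the two FAIL conditions are the ones that make the daemon reachable from hosts the handbook never intended to serve.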
Step 5: Start the NTP daemon and make sure it is running
[root@labdemo2 log]# /etc/init.d/ntpd start
Starting ntpd:                                             [  OK  ]
[root@labdemo2 log]# pgrep -l ntp
30772 ntpd
[root@labdemo2 log]# netstat -una | grep 123
udp        0      0 10.10.22.41:123         0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
Step 6: Configure ntpd to start automatically at boot time
[root@labdemo2 etc]# chkconfig ntpd off
[root@labdemo2 etc]# chkconfig --level 345 ntpd on
[root@labdemo2 etc]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
Step 7: Verify that your server is synchronized with its NTP source
It may take a number of minutes for the clock to synchronize. You can use the ntpdc command to view information about ntpd’s status. It can be used in interactive mode, by simply entering ntpdc, or invoked with the -c switch to run the commands from the shell prompt. Here is a list of useful ntpdc commands:
- ntpdc -c listpeers
- ntpdc -c peers
- ntpdc -c sysinfo
- ntpdc -c sysstats
- ntpdc -c iostats
When your NTP daemon is synchronized, it should look something like this, with a * on the far left:
[root@labdemo2 etc]# ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=das-m           10.10.22.41      3  512  377 0.00070  0.033431 0.00563
*das-s           10.10.22.41      3  512  376 0.00029  0.017484 0.00369
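Checking for the `*` by eye works on one client; across many DAS clients you want the same test in a script. The following is an added example, not part of the handbook: it parses the `ntpdc -c peers` output format shown above, reports the selected peer (the `*` line), and lists peers with a reach of 0, which is what the output looks like if the firewall is blocking UDP 123 or the servers are down. The two peer tables embedded in it are constructed samples; the synchronized one mirrors the handbook's output.

```shell
#!/bin/sh
# Added example (not from the DAS Handbook): verify ntpd synchronization from
# `ntpdc -c peers` output. In the first column, '*' marks the peer ntpd has
# selected as its system source, '=' and '+' mark candidates, and a blank,
# 'x' or '-' means the peer is unused or rejected.

# Constructed sample modelled on the handbook's synchronized client.
SAMPLE_SYNCED='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=das-m           10.10.22.41      3  512  377 0.00070  0.033431 0.00563
*das-s           10.10.22.41      3  512  376 0.00029  0.017484 0.00369'

# Constructed sample: both servers unreachable (stratum 16, reach 0), no * peer.
SAMPLE_UNSYNCED='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=das-m           10.10.22.41     16   64    0 0.00000  0.000000 3.99217
=das-s           10.10.22.41     16   64    0 0.00000  0.000000 3.99217'

# Print the selected peer's name (line starting with '*'), or nothing. Reads stdin.
selected_peer() {
    awk 'substr($0, 1, 1) == "*" { print substr($1, 2) }'
}

# Print peers whose reach register is 0: no reply to the last eight polls.
# Peer lines are the 8-field lines whose stratum column is numeric, which
# skips the header ("st") and the separator line.
unreachable_peers() {
    awk 'NF == 8 && $3 ~ /^[0-9]+$/ && $5 == 0 { sub(/^[*=+x.-]/, "", $1); print $1 }'
}

# Exit 0 and print the source if synchronized, otherwise exit 1 with a hint.
ntp_synced() {
    _tmp=$(cat)
    _peer=$(printf '%s\n' "$_tmp" | selected_peer)
    if [ -n "$_peer" ]; then
        echo "synchronized to $_peer"
        return 0
    fi
    _dead=$(printf '%s\n' "$_tmp" | unreachable_peers | tr '\n' ' ')
    if [ -n "$_dead" ]; then
        echo "NOT synchronized: unreachable peers: $_dead (check firewall rules for UDP 123)"
    else
        echo "NOT synchronized yet: peers reachable, wait a few poll intervals"
    fi
    return 1
}

# Demonstration. On a client you would run:  ntpdc -c peers | ntp_synced
printf '%s\n' "$SAMPLE_SYNCED" | ntp_synced
if ! printf '%s\n' "$SAMPLE_UNSYNCED" | ntp_synced; then
    echo "(exit status 1 as expected for the unsynchronized sample)"
fi
```

Because `ntp_synced` returns a meaningful exit status, it can be dropped into a monitoring check or a post-install test across all DAS clients without parsing its text.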
Instructions for Using ntpdate with cron
In some situations, running ntpd on every DAS client is overkill. You can use ntpdate to set the time periodically via NTP. Here are the basic commands:
[root@labdemo2 etc]# ntpdate das-m
10 Jun 11:42:35 ntpdate: adjust time server 10.10.22.42 offset 0.085310 sec
[root@labdemo2 etc]# ntpdate -u das-m
10 Jun 11:42:41 ntpdate: adjust time server 10.10.22.42 offset 0.082466 sec
The -u option makes the query from a non-privileged UDP source port, and may be necessary depending on what host-based or network firewalls are between your DAS client and your DAS server. You can also specify both DAS servers as NTP sources for redundancy:
[root@labdemo2 etc]# ntpdate -u das-s das-m
10 Jun 11:43:41 ntpdate: adjust time server 10.10.22.42 offset 0.055390 sec
If you want to run this command hourly, or daily, just place it in the appropriate cron directory. For example, to run the ntpdate command hourly, you would create a bash script called ntpdate-hourly:
#!/bin/bash
# Run ntpdate hourly to keep clocks in sync
ntpdate -u -s das-s das-m
# End script
The -s option sends the command output to syslog instead of standard output, so that cron will not send you an e-mail every hour when the command runs successfully. You can see the result by looking at the /var/log/messages log file instead. The -u option allows the client to use an unprivileged source port for the query, which works best with many firewalls and NAT devices.
Now copy the script to the /etc/cron.hourly directory and change the permissions:
[root@labdemo2 root]# cp -v ntpdate-hourly /etc/cron.hourly
`ntpdate-hourly' -> `/etc/cron.hourly/ntpdate-hourly'
[root@labdemo2 root]# chmod 0750 /etc/cron.hourly/ntpdate-hourly
Your DAS clients should now be automatically updated with the correct time, and you will not have any Kerberos problems related to time skew.