NTP Client Time Synchronization

Client Time Synchronization

Below is the full text from the link above (Distributed Authentication System (DAS) Handbook by Van Emery)


Since Kerberos networks require that all participating hosts have their clocks synchronized within 5 minutes of the KDCs, we need to implement some mechanism for doing this. There are several ways to keep your DAS clients synchronized:

  • Run ntpd
  • Run ntpdate periodically via cron
  • Run some other time synchronization client, like rdate or chronyd
  • Set the clock manually and cross your fingers

Simply setting the clock manually will probably cause you headaches later, since it may not be clear why authentication is failing.

We will only look at two methods: running ntpd or running ntpdate via cron. Of the two methods, running the NTP daemon is preferred. However, there may be cases where you do not want the overhead of running ntpd and you want to use a simpler approach.

The NTP daemon listens on UDP port 123, and NTP clients may use a source port of 123, or standard non-privileged ports. Some firewalls do not accept traffic when clients use a UDP source port < 1024.


These are step-by-step instructions for configuring and testing NTP servers and clients. The instructions are Red Hat/Fedora specific, but the config files should work on Debian and Mandrake. There is a FreeBSD link in the References section. These instructions assume the following:

  • TCP/IP addressing and networking is setup properly
  • You have already setup your DAS servers, which act as NTP servers
  • Any and all firewalls concerned are configured to allow NTP traffic
  • Your timezone and system clock are set properly
  • The DAS clients will not act as NTP servers for other systems

Instructions for Setting up ntpd on DAS Clients

Step 1: Make sure that the NTP package is installed

If you followed the baseline OS installation procedures for Red Hat 9, the package should already be installed. According to Red Hat, there are currently no security updates for it.

root@das-m etc# rpm -qa | grep ntp

The package includes ntpd, a utility called ntpdate, manpages, and other documentation.

Step 2: Test NTP connectivity to your DAS servers

To make sure that you can successfully make an NTP queries to DAS-M or DAS-S, use the ntpdate command like this:

root@labdemo2 root# ntpdate -q das-m das-s
server, stratum 3, offset 0.020712, delay 0.02576
server, stratum 3, offset 0.025256, delay 0.02583
10 Jun 10:11:08 ntpdate30613: adjust time server offset 0.020712 sec

This queries the NTP servers, but does not set the clock. For more information, you can use the -d (debug) option instead, which also does not set the clock.

Step 3: Make sure your clock is not out to lunch

Use the date command to make sure that your timezone is correct, and that your system clock is not already way out of whack. Correct as necessary.

Step 4: Configure the /etc/ntp.conf config file

The /etc/ntp.conf file controls the behaviour of the NTP daemon. The config we are using will restrict access to the loopback, and specify das-m and das-s as the servers. It is fairly simple:

# DAS Client ntpd config
# Configured by Van, 8-8-2003

restrict default ignore

# Our Time Servers (das-s and das-m)
restrict mask nomodify notrap noquery
restrict mask nomodify notrap noquery
server    ## das-s
server    ## das-m

fudge stratum 10

driftfile /etc/ntp/drift
broadcastdelay  0.008

authenticate no

keys            /etc/ntp/keys

# End Config

Step 5: Start the NTP daemon and make sure it is running

[root@labdemo2 log]# /etc/init.d/ntpd start
Starting ntpd:                                             [  OK  ]

[root@labdemo2 log]# pgrep -l ntp
30772 ntpd

[root@labdemo2 log]# netstat -una | grep 123
udp        0      0*
udp        0      0 *
udp        0      0   *

Step 6: Configure ntpd to start automatically at boot time

[root@labdemo2 etc]# chkconfig ntpd off
[root@labdemo2 etc]# chkconfig --level 345 ntpd on
[root@labdemo2 etc]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off

Step 7: Verify that your server is synchronized with its NTP source

It may take a number of minutes for the clock to synchronize. You can use the ntpdc command to view information about ntpd’s status. It can be used in interactive mode, by simply entering ntpdc, or invoked with the -c switch to run the commands from the shell prompt. Here is a list of useful ntpdc commands:

  • ntpdc -c listpeers
  • ntpdc -c peers
  • ntpdc -c sysinfo
  • ntpdc -c sysstats
  • ntpdc -c iostats

When your NTP daemon is synchronized, it should look something like this, with a * on the far left:

[root@labdemo2 etc]# ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=das-m     3  512  377 0.00070  0.033431 0.00563
*das-s     3  512  376 0.00029  0.017484 0.00369

Instructions for Using ntpdate with cron

In some situations, running the ntpd on every DAS client is overkill. You can use ntpdate to set the time periodically via NTP. Here are the basic commands:

[root@labdemo2 etc]# ntpdate das-m
10 Jun 11:42:35 ntpdate[32709]: adjust time server offset 0.085310 sec
[root@labdemo2 etc]# ntpdate -u das-m
10 Jun 11:42:41 ntpdate[32710]: adjust time server offset 0.082466 sec

The -u option makes the query from a non-privileged UDP source port, and may be necessary depending on what host-based or network firewalls are between your DAS client and your DAS server. You can also specify both DAS servers as NTP sources for redundancy:

[root@labdemo2 etc]# ntpdate -u das-s das-m
10 Jun 11:43:41 ntpdate[32711]: adjust time server offset 0.055390 sec

If you want to run this command hourly, or daily, just place it in the appropriate cron directory. For example, to run the ntpdate command hourly, you would create a bash script called ntpdate-hourly:

# Run ntpdate hourly to keep clocks in sync

ntpdate -u -s das-s das-m

# End script

The -s option sends the command output to syslog instead of standard output, so that cron will not send you an e-mail every hour when the command runs successfully. You can see the result by looking at the /var/log/messages log file instead. The -u option allows the client to use an unprivileged source port for the query, which works best with many firewalls and NAT devices.

Now copy the script to the /etc/cron.hourly directory and change the permissions:

[root@labdemo2 root]# cp -v ntpdate-hourly /etc/cron.hourly
`ntpdate-hourly' -> `/etc/cron.hourly/ntpdate-hourly'
[root@labdemo2 root]# chmod 0750 /etc/cron.hourly/ntpdate-hourly

Your DAS clients should now be automatically updated with the correct time, and you will not have any Kerberos problems related to time skew.


It's only fair to share...
Share on FacebookGoogle+Tweet about this on TwitterShare on LinkedIn

Leave a Reply