# Time synchronization with ntp daemon.

## carlos123

FAST START INSTRUCTIONS TO GETTING NTPD RUNNING

(Please NOTE that these instructions are two years old and that things may have changed since I wrote them.  I just don't have time to keep them updated these days so if someone wants to change them or let me know how I can let them do that please PM me or just do it - if you know how.  Thanks.)

The following instructions will install the ntpd program.  After following the instructions below your system time will automatically be kept accurate by ntpd.  Which will synchronize your computer's time with that kept by a time server out on the Internet.  

 # emerge ntp

 # cp /usr/share/ntp/ntp.conf /etc/ntp.conf 

 Find three timeservers from here.

Note: do NOT use a Stratum 1 server unless you are authorized to do so! Using at least three time servers will ensure that your time gets updated if any one or more of the three is not available at any one point in time.  

 # nano /etc/ntp.conf 

Note: or use any other editor like vi, vim, emacs, etc.. 

 Add "server <your_timeserver_domain_name>" on a separate line for each of the three time servers you chose earlier.

Note: do NOT add "iburst" to these lines if you have an always on connection to the Internet like ADSL or cable if you want the most accurate time synchronization.  Otherwise the time will only be updated about once an hour in a burst.  "iburst" is really more for those whose internet connection will generally be getting started and stopped such as with dial-up.  

 # nano /etc/conf.d/ntpd 

 Uncomment the NTPDATE_CMD="ntpdate" line. 

 Uncomment the NTPDATE_OPTS="-b someserver" line. 

 Replace "someserver" with the domain name of one of the three servers you chose.  

Note: I am not yet sure how to add multiple servers to this line.

 # /etc/init.d/ntpd start 

 # rc-update add ntpd default 

 Verify that correct time was set by going to 

http://tycho.usno.navy.mil/cgi-bin/timer.pl (for North American time zones only - use http://www.worldtimeserver.com/ to get International time zones). 

  Verify that the time servers are being accessed by typing "ntpq -p" at the command prompt.  You should see the time servers being contacted as output. 

Discussion leading up to these instructions can be found at https://forums.gentoo.org/viewtopic.php?p=240688#240688.  Thanks to forum member, cederberg, for the original idea and set of instructions on which the above are based.  

If you turn off your computer and then restart it and the time is off by too great of an amount, ntpd may refuse to start until you manually correct the time and bring it more in line with the correct time.  To do that:

# /etc/init.d/ntpd stop

Note: this is just to stop anything still running that ntpd uses.    

Set your time manually.

# /etc/init.d/ntpd start

Note: restarts everything needed by ntpd to operate.   

If the above or any other instructions don't work check the ntpd log at /var/log/ntpd.log for additional insight as to possible reasons. 

A few miscellaneous notes: 

ntp is a protocol.  ntpd is a daemon that is both an ntp server (serving up time) and an ntp client (getting the time from an ntp server).  The ntp server part is not useful unless it gets its time from an external source of time.  Under Gentoo "emerging ntp" will install ntpd.  

If you see any inaccuracies in these instructions please send me a private email so that I can research and revise the instructions.  I will respond to all emails though it might take me a few days.  

By sending me a private email it will avoid confusion from those who might read your communication on this thread.  

To send me a private email just hit the "pm" button at the bottom of this thread.  

If these instructions have helped you I would be overjoyed to hear that too  :Smile: 

Thanks. 

Carlos

PS.  If you are surprised by the great number of times that I have edited these instructions please be aware that this is due to my search for the perfect and most easily understood instructions and notes.  Not because the basic instructions themselves needed a lot of revising due to errors.

Last edited by carlos123 on Sat Feb 05, 2005 5:05 pm; edited 26 times in total

----------

## Gnufsh

You have to emerge ntp first, right?

----------

## AlterEgo

Complicated......

I just emerged ntp

and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.

Simple  :Smile: 

----------

## zojas

but ntpd is much better. It actually figures out how much your clock drifts, and can continually and smoothly adjust the clock with sub-second accuracy, rather than jerking it to the correct time once an hour.

also with ntpd you can specify multiple servers in your /etc/ntp.conf file. the ntpd daemon can use more than one time source.

----------

## magne

yep

----------

## NickDaFish

For those of you with security in mind you may want to add the following lines to your /etc/ntp.conf.....

```
# By default don't listen to anyone
restrict default ignore 
# allow full access to local IPs
restrict 127.0.0.1
restrict 192.168.1.1
# allow time server's packets but don't allow config modifications
restrict 10.0.0.1 nomodify
```

(Example assumes that the host is running on 192.168.1.1 and that the time server is 10.0.0.1)

I *think* that allows you full access, your timeservers limited access and by default ignores everyone else.

If you want to support clients on a 192.168.1.0 network I think you would also need a line like this.....

```
restrict 192.168.1.0 mask 255.255.255.0 nomodify
```

I say think a lot because there is a lot of cryptic docs (IMHO) for ntp. The page I got most of these options from is here: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html.

EDIT: Discovered that despite what the docs listed above say you don't appear to be able to use DNS host names with restrict. Anyone with any insight on why not please let me know.

----------

## scout

To continue with security ... I had to open the udp port "ntp" for ntpd and ntpdate to work (I have a stateful firewall). Could someone confirm for me that ntpd and ntpdate can only use udp?

----------

## Koon

 *carlos123 wrote:*   

> Note: do NOT use a Stratum 1 server unless you are authorized to do so!

 

Clean way if you have multiple machines : set up one host as a Stratum 3 (sync with a Stratum 2) and set up the others as Stratum 4 (sync on your Stratum 3 host) : this way you will not overload the Stratum 2 servers !

-K

----------

## Forse

Thnx for a nice tip =)

----------

## zojas

 *scout wrote:*   

> To continue with security ... I had to open the udp port "ntp" for ntpd and ntpdate to work (I have a stateful firewall). Could someone confirm for me that ntpd and ntpdate can only use udp?

 

you should only have to open the ports if you want other hosts to be able to use your ntpd to synchronize their clocks. If you just want to get your local clock synchronized, the standard NEW and ESTABLISHED,RELATED rules should allow your ntpd to use ntpds on the internet as time sources.

but since you brought it up, I'm interested in this too for my laptop, so I experimented with iptables. (when I'm at home, I use my laptop as an ntpd peer to my workstation)

to my laptop, i only allowed tcp packets to 123. I logged and dropped udp packets to 123, and also logged (but allowed) tcp packets to 123. 

set up ntp on the laptop and got it running. ran it on another machine with the only server entry in ntp.conf as the laptop.

it tried to send udp packets to the laptop, never tried to send tcp packets.

once I allowed the udp packets through and blocked the tcp ones, it worked, 'ntpq -p' on the client machine started giving data about the laptop's ntp server.

----------

## Gnufsh

 *Koon wrote:*   

>  *carlos123 wrote:*   Note: do NOT use a Stratum 1 server unless you are authorized to do so! 
> 
> Clean way if you have multiple machines : set up one host as a Stratum 3 (sync with a Stratum 2) and set up the others as Stratum 4 (sync on your Stratum 3 host) : this way you will not overload the Stratum 2 servers !
> 
> -K

 

How do I do this?

----------

## zojas

for your local ntp server, put about 5 'server' lines in the ntp.conf file, each 'server' being a different stratum 2 time server on the internet.

like this:

```
server server1
server server2
server server3
server server4
server server5
```

say the host name of your local ntp server is 'one', and you have four other machines, 'two', 'three', 'four', and 'five'. then the ntp.conf file on 'two' should have this in it:

```
server one
peer three
peer four
peer five
```

then the ntp.conf files for the others are similar, so all your internal machines use 'one' as a server and all the other internal machines as peers.

a 'server' line is a host that you will use to set your local clock. a 'peer' is one where the relationship goes both ways; the peer may also ask you for the correct time.

this way 'one' gets time from the internet, and all the others get time from 'one' and also help each other out.

----------

## Gnufsh

The url link doesn't work, it's got an extra slash at the end.

http://www.eecis.udel.edu/~mills/ntp/clock2a.html/

should be

http://www.eecis.udel.edu/~mills/ntp/clock2a.html

----------

## Gnufsh

Do I have to do anything special to the server to get it to reply to incoming requests?

----------

## zojas

not to ntpd by default (your firewall needs to allow udp port 123)

----------

## RayVan

 *AlterEgo wrote:*   

> Complicated......
> 
> I just emerged ntp
> 
> and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.
> ...

 

Not good. If your clock is running fast, this will 'step' the clock backward, instead of 'skew'ing it. If this ever happens /during/ a compilation, make will give you very odd errors, and you will be extremely confused. Having files created in the future on your drive can be a bad thing.

FYI, the documentation for ntpdate specifically tells you NOT to do this.

Last edited by RayVan on Sun Mar 30, 2003 5:37 am; edited 1 time in total

----------

## cederberg

 *RayVan wrote:*   

>  *AlterEgo wrote:*   Complicated......
> 
> I just emerged ntp
> 
> and made a cronjob "ntpdate ntp.xs4all.nl" every hour/day whatever.
> ...

 

From reading the ntp distribution documentation, it looks like the ntpdate utility is also to be removed in the future... I'd guess these types of problems are the reason.

----------

## sarnold

I just wrote a  post here on ntp config without using ntpdate.  It seems to work just fine, and no waiting for the time to stabilize either (just a short delay when the ntpd init script starts up).

I still need to get auth working, and I also didn't mention the access rules I use on my stratum 3 servers.  I think I need to consolidate this stuff into one doc (since I already got a request to do that)...

----------

## Cluster

After doing all this (thanks for clear, simple instructions!), is there a way to know that the clock does in fact get corrected and everything is fine?  For example, is there a logfile that I can check for recent ntpd activity?

----------

## zojas

it will log stuff in your system logs.

----------

## Cluster

One more thing: as far as I can see, my machine has now become an NTP server.  I read some documentation that says that ntpd can be configured to allow other machines (clients?) to modify the server's time.  My question: are the default security settings correct in that my machine can issue time, but does not accept time from any hosts other than those in my configuration files?

Is there anything I should be concerned about, now that I run ntpd?

----------

## TGL

 *Cluster wrote:*   

> After doing all this (thanks for clear, simple instructions!), is there a way to know that the clock does in fact get corrected and everything is fine?  For example, is there a logfile that I can check for recent ntpd activity?

 

To check that everything is running as expected, you can use ntptrace and ntpq -p. Both have manpages.

And now something different: for people who use dhcp to configure their network, it can be useful to tell dhcpcd not to use the ntp configuration that the dhcp provides (for instance my DSL modem/router provides one). This can be done by adding the -N option to dhcpcd in /etc/conf.d/net:

```
iface_eth0="dhcp"

dhcpcd_eth0="-R -N"
```

----------

## ronmon

To expand on TGL's advice, after extensive man and HOWTO reading, I could not find a way to add the -N option for a pcmcia network device (specifically my Orinoco) to prevent the overwriting of my /etc/ntp.conf. So I added "-c /etc/ntp.conf.good" (after creating the file) to my /etc/conf.d/ntpd file.

----------

## tovrstra

Some ntp-related things seem to have changed in the portage tree. Now there is an extra configfile (/etc/conf.d/ntp-client) which contains some parameters that were in (/etc/conf.d/ntpd) before. An init.d script has been added too (/etc/init.d/ntp-client). Both /etc/init.d/ntp-client and /etc/init.d/ntpd have to be started (in this order) to sync the clock. There are still two things I don't understand:

1) Why should /etc/init.d/ntp-client be started first. It only starts ${NTPCLIENT_CMD} >/dev/null ${NTPCLIENT_OPTS}. In my case NTPCLIENT_CMD="ntpdate" and NTPCLIENT_OPTS="-b ntp.telenet.be" After that I start /etc/init.d/ntpd and everything works fine. 

2) I set NTPCLIENT_OPTS="-b ntp.telenet.be" in /etc/conf.d/ntp-client, but when I execute ntpq -p I get the three servers configured in /etc/ntp.conf:

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         5 l   23   64  377    0.000    0.000   0.015
+bia.telenet-ops Time2.Stupi.SE   2 u  357  512  377   15.075   20.077   0.584
*mserv.ugent.be  swisstime.ee.et  2 u  292  512  377   32.172   28.298   6.403
+ntp1.belbone.be ntp2-rz.rrze.un  2 u  345  512  377   35.311   -9.690  24.702
```

Why has NTPCLIENT_OPTS="-b ntp.telenet.be" to be set in /etc/conf.d/ntp-client when /etc/ntp.conf has all the info ntpd needs?

----------

## cederberg

 *tovrstra wrote:*   

> 1) Why should /etc/init.d/ntp-client be started first.

 

The ntp-client retrieves current time, sets the clock, and quits. This may adjust the clock several hours if needed, depending on how much your machine clock had drifted since it was last shutdown. This is a safety measure, as the ntpd daemon cannot compensate for clock drifts that are too large.

The ntpd server that you subsequently start, maintains your clock by connecting to several ntp servers. It needs several servers to get the most accurate time. If your computer clock is incorrect, it will be adjusted in small steps (possibly subsecond) making it hardly visible. The ntpd server guarantees that time will always flow forward, and it will not adjust your computer clock backward. Rather, it will make each second a bit longer until the correct time has been reached. It may make large steps forward, though, if I recall correctly.

 *tovrstra wrote:*   

> Why has NTPCLIENT_OPTS="-b ntp.telenet.be" to be set in /etc/conf.d/ntp-client when /etc/ntp.conf has all the info ntpd needs?

 

Well, as ntpdate is a stand-alone program it takes all its arguments on the command-line. It does not read the ntpd server configuration file (ntp.conf). Also, it only needs a single time server, as it will not try to set the clock more than roughly accurate (with a precision of about a second).

----------

## zojas

the ntp-client seems to be designed to set your clock once to get it in the ballpark. then ntpd runs after that.

this used to be handled by the ntpd script.

----------

## dju`

i tried to run my own ntpd server for my lan, but it seems it can't synch to ntp servers on the internet. look at what i get an hour after having launched ntp-client and ntpd :

```
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 imag.imag.fr    0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 dns.univ-lyon1. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 ntp.unilim.fr   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 imag.imag.fr    0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 ntp.internet-fr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 soleil.uvsq.fr  0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
```

```
$ ntptrace
localhost: stratum 16, offset 0.000052, synch distance 0.00539
0.0.0.0:        *Not Synchronized*
```

here is my ntp.conf :

```
server          ntp.imag.fr
server          ntp.univ-lyon1.fr
server          ntp.unilim.fr
server          ntp.imag.fr
server          ntp.internet-fr.net
server          ntp.uvsq.fr
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
```

what's wrong with that ?
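
Added example, not code from any poster in this thread: a small checker that reads `ntpq -p` output and reports whether ntpd has actually selected a network time source. The two samples are the outputs posted above by tovrstra and dju`; the function names and the `min_sources` threshold of three (taken from the "at least three time servers" advice in the first post) are choices made for this example.

```python
from dataclasses import dataclass

# `ntpq -p` output as posted in this thread: tovrstra's (working) and dju`'s (not syncing).
HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)         5 l   23   64  377    0.000    0.000   0.015
+bia.telenet-ops Time2.Stupi.SE   2 u  357  512  377   15.075   20.077   0.584
*mserv.ugent.be  swisstime.ee.et  2 u  292  512  377   32.172   28.298   6.403
+ntp1.belbone.be ntp2-rz.rrze.un  2 u  345  512  377   35.311   -9.690  24.702
"""
BROKEN = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 imag.imag.fr    0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 dns.univ-lyon1. 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 ntp.unilim.fr   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 imag.imag.fr    0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 ntp.internet-fr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 soleil.uvsq.fr  0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""


@dataclass
class Peer:
    tally: str        # column 0: '*' = system peer, '+' = candidate, ' ' = not used
    remote: str
    stratum: int      # 16 means "unsynchronized"
    reach: int        # last eight polls as a bit register, printed in octal
    offset_ms: float

    @property
    def is_local_clock(self):
        # LOCAL(n) is the machine's own undisciplined clock, not a network source.
        return self.remote.startswith("LOCAL(")

    @property
    def answered(self):
        """Number of the last eight polls that got a reply (377 octal = all 8)."""
        return bin(self.reach).count("1")


def parse_peers(text):
    """Parse the peer table; relies on ntpq putting the tally code in column 0."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        peers.append(Peer(line[0], fields[0], int(fields[2]),
                          int(fields[6], 8), float(fields[8])))
    return peers


def assess(text, min_sources=3):
    """Summarise sync state: is a network source selected, and what looks wrong?"""
    peers = parse_peers(text)
    external = [p for p in peers if not p.is_local_clock]
    usable = [p for p in external if p.reach and p.stratum < 16]
    sys_peer = next((p for p in peers if p.tally in ("*", "o")), None)
    warnings = []
    for p in external:
        if p.reach == 0:
            warnings.append(f"{p.remote}: none of the last 8 polls was answered")
        elif p.answered < 8:
            # Also normal for the first few minutes after ntpd starts.
            warnings.append(f"{p.remote}: only {p.answered} of the last 8 polls answered")
    if sys_peer is None:
        warnings.append("no system peer selected: the clock is not being disciplined")
    elif sys_peer.is_local_clock:
        warnings.append("system peer is the local clock driver: free-running")
    if len(usable) < min_sources:
        warnings.append(f"only {len(usable)} usable network sources (want {min_sources})")
    return {
        "synchronized": sys_peer is not None and not sys_peer.is_local_clock,
        "system_peer": sys_peer.remote if sys_peer else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, sample in (("tovrstra", HEALTHY), ("dju`", BROKEN)):
        print(label, assess(sample))
```
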

----------

## zojas

probably your 'restrict' lines? 

I don't use 'restrict', I just rely on my firewall, I should probably look into it though

----------

## dju`

that was it, thanks. i'll have a deeper look at the restrict option.

----------

## dju`

some news about restrict:

here is my config for my local ntp server (192.168.0.1 on my 192.168.0 network), it is currently working.

```
# allow all from localhost
restrict        127.0.0.1
# allow synchronisation from the lan
restrict        192.168.0.0     mask 255.255.255.0      notrust nopeer notrap noquery
# allow public servers we are synchronizing to to send information
# ntp packets (modes 6 and 7)
# it seems this is needed for sync to work!
#
# restrict        public_ntp_server_ip   noserve nomodify        # a public ntp server
# examples i use :
restrict        164.81.11.1     noserve nomodify        # ntp.unilim.fr
restrict        129.88.30.1     noserve nomodify        # ntp.imag.fr
restrict        212.37.192.31   noserve nomodify        # ntp.internet-fr.net
restrict        193.51.24.1     noserve nomodify        # ntp.uvsq.fr
# ignoring the rest
restrict        default         ignore

the public_ntp_server_ip are the ip addresses of the public servers you try to sync to, there should be a restrict line per server line.

almost the same thing for the other hosts on my lan, that sync to my ntp server :

```
restrict        127.0.0.1
restrict        192.168.0.1     noserve nomodify        # my ntp server
restrict        default         ignore
```

i hope this will help.
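
Added example, not code from any poster in this thread: a checker for the failure discussed above, where `restrict default ignore` is set but a configured `server` has no more specific `restrict` entry of its own, so its replies are discarded. Assumptions: IPv4 only, only the `ignore` flag is modelled, the most specific matching `restrict` entry decides, and the host names and 192.0.2.x addresses in the sample configs are constructed for illustration.

```python
import ipaddress
import socket

REFCLOCKS = ipaddress.ip_network("127.127.0.0/16")  # local clock drivers, not hosts

# Constructed name-to-address map so the example runs offline.
NAMES = {"ntp1.example.net": "192.0.2.10", "ntp2.example.net": "192.0.2.20"}

# Constructed config with the same shape as the non-working one in this thread.
BEFORE = """
server ntp1.example.net
server ntp2.example.net
server 127.127.1.0
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
"""

# Same config with one restrict entry per upstream server added.
AFTER = BEFORE + """
restrict 192.0.2.10 nomodify notrap noquery   # ntp1.example.net
restrict 192.0.2.20 nomodify notrap noquery   # ntp2.example.net
"""


def parse_restrict(words):
    """Turn the words after 'restrict' into (network, set_of_flags)."""
    addr, rest = words[0], words[1:]
    mask = "255.255.255.255"              # a bare address is a single host
    if rest[:1] == ["mask"]:
        mask, rest = rest[1], rest[2:]
    if addr == "default":
        return ipaddress.ip_network("0.0.0.0/0"), set(rest)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), set(rest)


def parse_conf(text):
    """Collect server/peer targets and restrict rules from ntp.conf text."""
    servers, rules = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or "-6" in words:
            continue                      # blank, comment, or IPv6 (not modelled)
        words = [w for w in words if w != "-4"]
        if words[0] in ("server", "peer"):
            servers.append(words[1])
        elif words[0] == "restrict":
            try:
                rules.append(parse_restrict(words[1:]))
            except ValueError:
                pass                      # host name in a restrict line: skipped here
    return servers, rules


def audit(conf_text, resolve=socket.gethostbyname):
    """Return (server, ip, deciding_rule, verdict) for each network time source."""
    servers, rules = parse_conf(conf_text)
    findings = []
    for name in servers:
        try:
            ip = ipaddress.ip_address(name)
        except ValueError:
            try:
                ip = ipaddress.ip_address(resolve(name))
            except (OSError, ValueError):
                findings.append((name, None, None, "unresolved"))
                continue
        if ip in REFCLOCKS:
            continue                      # 127.127.x.x never crosses the network
        matching = [(net, flags) for net, flags in rules if ip in net]
        if not matching:
            findings.append((name, str(ip), None, "ok"))
            continue
        net, flags = max(matching, key=lambda rule: rule[0].prefixlen)
        verdict = "dropped" if "ignore" in flags else "ok"
        findings.append((name, str(ip), str(net), verdict))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for finding in audit(conf, NAMES.get):
            print(label, finding)
```

Run against a real file with `audit(open("/etc/ntp.conf").read())`, which resolves the server names through DNS.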

----------

## meowsqueak

Thanks carlos123 - this seems to be working perfectly for me. Perhaps you could update your original post to include the ntp-client info and rc-update-ing ntp-client and ntpd.

----------

## Kirigoe

thanks! hopefully this'll be more accurate than simply running ntpdate as a cron job.

if you're looking for stratum 2 servers to sync with, here's an updated list of 174 servers all around the world: http://www.eecis.udel.edu/~mills/ntp/clock2a.html

- kiri

----------

## k12linux

 *tovrstra wrote:*   

> 1) Why should /etc/init.d/ntp-client be started first. It only starts ${NTPCLIENT_CMD} >/dev/null ${NTPCLIENT_OPTS}. In my case NTPCLIENT_CMD="ntpdate" and NTPCLIENT_OPTS="-b ntp.telenet.be" After that I start /etc/init.d/ntpd and everything works fine. 

 

If for some reason your clock is way off at boot, ntpdate will force it to the correct time.  The reason you might want to do this is that ntpd (depending on its config) will refuse to adjust your clock if it is too far from "actual" time.

----------

## carlos123

Just so everyone knows I am going on an extended business trip that will take 6 months to a year and will not have the ability to update this FAQ item the way it deserves to be.  For a few months at least I will not have my own computer or Internet connection.  

So if someone could take over the upkeep of this FAQ item I would appreciate it.  Let me know if I need to do anything in terms of making it possible for someone else to keep these instructions up to date.  

Thanks.  

Carlos (author of the instructions at the top of this thread).

----------

## jshaw523

You can do a netstat -ta to make sure your time server, if running at all, isn't available to the outside world.  For instance, on my machine it is there but bound only to localhost, not to * which would mean it was bound to my external IP as well.

----------

## Woollyfoot

I think you mean

```
netstat -ua
```

since ntp uses udp, not tcp.

----------

## angelacb

 *dJu` wrote:*   

> some news about restrict:
> 
> here is my config for my local ntp server (192.168.0.1 on my 192.168.0 network), it is currently working.
> 
> ```
> ...

 

Hi, for this setup, does it require me to open ports 123 for the servers:

 *Quote:*   

> restrict        164.81.11.1     noserve nomodify        # ntp.unilim.fr 
> 
> restrict        129.88.30.1     noserve nomodify        # ntp.imag.fr 
> 
> restrict        212.37.192.31   noserve nomodify        # ntp.internet-fr.net 
> ...

 

Or are UDP/TCP ports on 123 only used by my local NTP clients trying to sync with my ntpd server, and my ntpd syncing with Stratum 2 servers doesn't require any specific ports to be open on the firewall?

Best Regards,

----------

## uglyman

thanks everybody. It took me a couple of tries, but I got this all working now!

as for the previous question, I did not have to forward any ports on my router to get this working. I think you would only have to if you run your own ntp server for machines outside your LAN. I am no networking wizard though.

thanks again!

uglyman

----------

## sgtrock

Hi, all.

One timekeeping requirement that I haven't seen identified yet has to do with limited Internet connectivity.  I'm on an ISDN line at home that has generous but not unlimited metered usage.  In addition, my personal requirements are such that I can easily ignore as much as a minute difference between my systems and the authoritative ones.

I've got a couple of desktops running Gentoo, a laptop running Debian, and a server that I'm planning to build as Gentoo.

Ideally, what I'd like to do is set up my timekeeping on my server to only request an update once a day.  I would then use that server to update the rest of my subnet.  Until I get the server up, I'm OK with setting up each PC to check once a day.  

Unfortunately, I can't figure out from the Gentoo docs or the manpages how to do that.  I thought about just setting up a cron job to run it.  Two issues, though.  I'm struggling with what the command should look like.  Should I call /etc/init.d/ntpd and tweak /etc/conf.d/ntpd.conf to run '-q'?  Several guys have stated that using ntp -q frequently isn't the right approach due to the extra traffic it creates.  Should I do something else?

Or am I looking at the wrong files completely?

Also, I'm lucky in that my ISP does an excellent job of supplying network resources.  They have a DNS round robin set up between 3 different local timeservers.  Their three timeservers are getting their time from I think 5 different global servers.  Since my needs don't require super tight timekeeping, I plan to use just the DNS entry for my timeserver; ntp.visi.com (only available to Visi customers, btw).  Does anyone see a major issue with that?

TIA,

SgtRock

----------

## shadow303

I believe that you should just set the minpoll and maxpoll options on the server and otherwise run everything normally.  I have never tried using this before, but I believe that for what you want, you set:

minpoll 17

maxpoll 17

The seventeen indicates an interval of 2^17 seconds (36.4 hours).  Using a 16 would bring it down to 18.2 hours.  I got the info from http://www.gsp.com/cgi-bin/man.cgi?section=5&topic=ntp.conf so you might want to check there.

----------

## kamagurka

for some reason this doesn't work for me. there should really be no problems, as i'm not on a network or have a firewall. when i try ntpd -q it hangs there for indefinite time until i kill it. if i try ntpdate it exits at once with "no servers can be used, exiting".

i have already scoured multiple threads on this and usually it's pretty confusing; as far as i can tell i've done everything correctly. here's my ntp.conf:

```
# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
server ntp.tuxfamily.net
server tick.keso.fi
server ntp.ndsoftwarenet.com
#local backup:
fudge 127.127.1.0 stratum 3
server 127.127.1.0
# you should not need to modify the following paths
logfile   /var/log/ntpd.log
driftfile /var/lib/ntp/ntp.drift
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
#
restrict default ignore
restrict 127.0.0.1
```

----------

## mbjr

Is there any way to tell ntpd to listen on 1 ip address only? I was checking the manuals and well, no info on that.   :Sad: 

----------

## BlindSpy

I've been looking around so much and reading sooo many lengthy guides on how to do this with no success. I wish I would have looked here first because it worked perfectly and only took a few minutes! thanks a lot for the great guide!

----------

## mbjr

Yes, the guide is perfect, thank you Carlos!  :Smile: 

----------

## mbjr

Let me do a quick Hungarian translation for this howto  :Smile:  I'd really appreciate if Gentoo admins decide to make these instructions available for the big-public (post it on gentoo.org's System Administration Documentation section)  :Razz: 

QUICK START INSTRUCTIONS FOR RUNNING NTPD

Carrying out the following instructions will install the ntpd program. If they are carried out successfully, ntpd will continuously maintain the system time. This means that it synchronizes the computer's system time with the time of the time servers, over the Internet.

 # emerge ntp

 # cp /usr/share/ntp/ntp.conf /etc/ntp.conf 

 Find three time servers on this page.

Note: do NOT use a Stratum 1 server unless you are authorized to do so! Using at least three time servers gives some assurance that the time will still be synchronized if one or more servers are unavailable.

 # nano /etc/ntp.conf 

Note: or you can use any other editor, such as vi, vim, emacs, etc.

 Add the "server <timeserver_domain_name>" lines for each of the time servers you selected earlier.

Note: do NOT add "iburst" to these lines if you have a permanent Internet connection, such as ADSL or cable, and you want the most accurate synchronization! Otherwise the time is updated only about once an hour, in a burst. "iburst" is more for those who have to start and then stop their Internet connection separately, as with dial-up.

 # nano /etc/conf.d/ntpd 

 Uncomment the NTPDATE_CMD="ntpdate" line. 

 Uncomment the NTPDATE_OPTS="-b someserver" line. 

 Change the word "someserver" to the domain name of one of the time servers you chose.

Note: for now I do not know how to add multiple servers here.

 # /etc/init.d/ntpd start 

 # rc-update add ntpd default 

 Verify that the time was successfully updated using the following:

http://tycho.usno.navy.mil/cgi-bin/timer.pl (valid for the North American region only - use http://www.worldtimeserver.com/ to get international times). 

  Verify that the time servers are being accessed successfully by entering the "ntpq -p" command at a command line. You should see the accesses to the servers in the output. 

The discussions about this can be found at https://forums.gentoo.org/viewtopic.php?p=240688#240688.  

Thanks to forum member cederberg, who originally gave the idea for preparing these instructions.

If you turn your computer off and then on again, and the time has not been updated for quite a while, ntpd may refuse to run until you manually reset the time. You can do that as follows:

# /etc/init.d/ntpd stop

Note: this is just so that anything that may be using ntpd takes note that it is stopped now.

Set the time manually!

# /etc/init.d/ntpd start

Note: you restart everything so that ntpd is operational again.   

If the above instructions do not work, look into the ntpd log file (/var/log/ntpd.log) to gain more insight into the possible causes. 

A few other notes:

ntp is a protocol. ntpd is a daemon that is both an ntp server (provides time) and an ntp client (synchronizes time). The ntp server is not very useful if it does not get the time from an external source. Under Gentoo, "emerge ntp" installs ntpd.

If you find inaccuracies in these instructions, please send me an email notification so that I can research and examine the instructions. I answer every e-mail, even if it takes a few days.

Sending a private email helps prevent those reading this thread from being confused by the various comments.

To send an email, just press the "pm" button at the bottom of the thread!

If these instructions were of help to you, I would be glad to hear about that too.  :Smile: 

With thanks:

Carlos

PS: If you are surprised at how many times I have edited these instructions, let me tell you that this is due to the search for the simplest and most understandable explanations and notes, and not because the basic instructions were full of errors.


So how about this?  :Surprised: ) Please feel free to take this translation based on the instructions by Carlos. This one was made to make the opensource community more happy  :Very Happy: 

----------

## nianderson

 *carlos123 wrote:*   

> # nano /etc/conf.d/ntpd 
> 
> Uncomment the NTPDATE_CMD="ntpdate" line. 
> ...

 

i think in the new ebuilds this is in /etc/conf.d/ntp-client

----------

## mbjr

yes, you're right, we have to get Carlos to make some modifications (update)  :Surprised: ) But after all, its a great start-guide to ntp  :Razz: 

----------

## nianderson

yeh just the noobs would be lost there  :Wink: 

but it is a great guide

----------

## mbjr

Hey  :Surprised: ) Help the noobs, get Carlos  :Razz: 

----------

## Andersson

 *carlos123 wrote:*   

> Just so everyone knows I am going on an extended business trip that will take 6 months to a year and will not have the ability to update this FAQ item the way it deserves to be. For a few months at least I will not have my own computer or Internet connection. 
> 
> So if someone could take over the upkeep of this FAQ item I would appreciate it. Let me know if I need to do anything in terms of making it possible for someone else to keep these instructions up to date. 
> 
> Thanks. 
> ...

 

Since carlos123 asked to be relieved of the responsibility of updating this guide, how about merging with the other ntp thread?

edit: On the other hand, completely rewriting the first post of the other thread to include this guide will make the rest of the thread very difficult to read. If anything, that thread should merge to this, we have the guide!  :Wink: 

Oh well, I read through this thread (and the other) and tried to get all changes to the original list. Here's the updated version (I hope new readers in the thread find it here)... It should include most of the corrections in this thread, but I haven't tested it to see that it works. Find an error and correct it please.

changelog:

removed cp /usr/share/ntp/ntp.conf /etc/ntp.conf, no longer needed.

added uncomment the "restrict" line that matches your situation.

replaced nano /etc/conf.d/ntpd with nano /etc/conf.d/ntp-client in #6.

removed Uncomment the NTPDATE_CMD="ntpdate" line, no longer needed.

added open up for udp on port 123.

 *carlos123 wrote:*   

> 
> 
>  # emerge ntp
> 
>  Find three timeservers from here.
> ...

 

----------

## jonny5

Thank you for the help.  Worked perfectly.

----------

## rfr7310

As part of a world update, I upgraded NTP to version 4.2.0-r2. When the /etc/init.d/ntp-client start command is executed, I get the following error:

```
 * Setting clock via the ntp client 'ntpdate'...
17 Apr 01:18:22 ntpdate[18246]: cannot find family compatible socket to send ntp packet
 * Failed to set clock                                                           [ !! ]
```

I have set the ntp-client program to run at boot time and the same error occurs (though the number in the brackets is different). Here is what I have turned up in the various logs on my system:

(1) dmesg => nothing

(2) /var/log/messages =>

```
Apr 16 07:52:07 manderley grsec: time set by (ntpdate:28761) UID(0) EUID(0), parent (rc:1604) UID(0) EUID(0)
Apr 16 19:21:28 manderley grsec: time set by (ntpdate:15938) UID(0) EUID(0), parent (rc:29605) UID(0) EUID(0)
Apr 16 22:19:21 manderley grsec: time set by (ntpdate:29810) UID(0) EUID(0), parent (bash:24169) UID(0) EUID(0)
Apr 16 23:55:50 manderley rc-scripts: Please edit /etc/conf.d/ntp-client
```

(3) /var/log/ntpd.log => does not exist

I am using the 2.4.25-gentoo-r1 kernel sources. I am also using DHCP to obtain an IP address, and my system (Dell Dimension 4100) has a 3Com 3C905TX NIC. My system sits behind a Linksys Cable/DSL Router. (I was able to successfully synchronize before upgrading NTP.)

Here are my config files as they currently stand (comments have been stripped for brevity):

(1) /etc/ntp.conf

```
server  ntp0.cornell.edu prefer
server  sundial.columbia.edu
server  reva.sixgirls.org
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift
restrict default nomodify
restrict 127.0.0.1
```

(2) /etc/conf.d/ntp-client

```
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-b ntp0.cornell.edu sundial.columbia.edu reva.sixgirls.org"
```

(3) /etc/conf.d/ntpd

```
NTPD_OPTS="-u ntp:ntp"
```

All I want to do is have my system clock synchronized at startup (I do not have a need for a NTP server at this point). I have looked through Bugzilla, the forums, and ntp.org to no further avail. Any help you can give would be greatly appreciated.

----------

## mattmm

I'm having the same problem as rfr7310   :Evil or Very Mad: 

Unfortunately these tips don't work for the 4.2 version. Or at least not for me...

----------

## jjasghar

```
tito etc # /etc/init.d/ntpd start
 * Starting ntpd...
usage: /usr/bin/ntpd [ -abdgmnqx ] [ -c config_file ] [ -e e_delay ]
                [ -f freq_file ] [ -k key_file ] [ -l log_file ]
                [ -p pid_file ] [ -r broad_delay ] [ -s statdir ]
                [ -t trust_key ] [ -v sys_var ] [ -V default_sysvar ]
                [ -P fixed_process_priority ]
                [ -u user[:group] ] [ -i chrootdir ]
 * Failed to start ntpd                                                                      [ !! ]
```

I get this error trying to start ntp. Any ideas?

----------

## kozmic

 *Quote:*   

> 
> 
> ntpdate[18246]: cannot find family compatible socket to send ntp packet
> 
> 

 

I get that error too while trying to sync against ntpd's that worked before a new version of ntpd/ntp-client came in portage.. is it borked?

----------

## Andersson

I'm using ntp-4.2.0-r2, it works just like before. I just had to re-enter a server in /etc/conf.d/ntp-client after etc-update.

----------

## rfr7310

Thanks for the tip, Andersson! I looked at the NTPCLIENT_OPTS line in my /etc/conf.d/ntp-client file and removed the two extra servers I had in there (now there's only one server). It works like a charm! So much for backup servers.   :Very Happy: 

```
NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="-b ntp0.cornell.edu"
```

----------

## stripe

Just upgraded to the 4.2.0-r2 daemon, read the forums about the "notrust noserve" implementation and NTP seems to be working, I am just not clear about the log. Can anybody tell me what NTP means by the log string? Please let me know, there's nothing useful out there on the net. Thanks...

my config

```
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift
server           81.95.96.33        prefer
server           195.113.144.201
server           217.11.227.68
restrict         81.95.96.33        nomodify
restrict         195.113.144.201    nomodify
restrict         217.11.227.68      nomodify
restrict         127.0.0.1
restrict         10.19.1.44         nomodify
restrict         10.19.6.1          nomodify
```

my log - the unknown string

```
 7 May 22:42:56 ntpd[30326]: frequency initialized 111.062 PPM from /var/lib/ntp/ntp.drift
 7 May 22:43:03 ntpd[20559]: sendto(217.11.227.68): Bad file descriptor
 7 May 22:43:05 ntpd[20559]: sendto(81.95.96.3): Bad file descriptor
 7 May 22:47:43 ntpd[30326]: ntpd exiting on signal 15
 7 May 22:47:44 ntpd[30577]: frequency initialized 111.062 PPM from /var/lib/ntp/ntp.drift
 7 May 22:47:44 ntpd[30577]: getaddrinfo: "195.113..144.201" invalid host address, line ignored
 7 May 22:48:09 ntpd[30577]: ntpd exiting on signal 15
 7 May 22:48:11 ntpd[30674]: frequency initialized 111.062 PPM from /var/lib/ntp/ntp.drift
 7 May 22:56:50 ntpd[30674]: synchronized to 217.11.227.68, stratum=2
 7 May 22:56:52 ntpd[30674]: synchronized to 195.113.144.201, stratum=1
 7 May 22:56:52 ntpd[30674]: time reset -0.174600 s
 7 May 22:56:52 ntpd[30674]: kernel time sync disabled 0041
 7 May 22:59:56 ntpd[20559]: sendto(195.113.144.201): Bad file descriptor
 8 May 17:12:47 ntpd[20559]: sendto(217.11.227.68): Bad file descriptor
 8 May 17:12:55 ntpd[20559]: sendto(81.95.96.3): Bad file descriptor
 8 May 17:12:56 ntpd[20559]: sendto(195.113.144.201): Bad file descriptor
 8 May 17:29:53 ntpd[20559]: sendto(217.11.227.68): Bad file descriptor
 8 May 17:30:00 ntpd[20559]: sendto(81.95.96.3): Bad file descriptor
 8 May 17:30:00 ntpd[20559]: sendto(195.113.144.201): Bad file descriptor
 8 May 17:46:57 ntpd[20559]: sendto(217.11.227.68): Bad file descriptor
 8 May 17:47:03 ntpd[20559]: sendto(81.95.96.3): Bad file descriptor
 8 May 17:47:06 ntpd[20559]: sendto(195.113.144.201): Bad file descriptor
 8 May 18:04:01 ntpd[20559]: sendto(217.11.227.68): Bad file descriptor
 8 May 18:04:06 ntpd[20559]: sendto(81.95.96.3): Bad file descriptor
```

----------

## Garth

Stripe, et al.

I found this morning that I had the same crazy log messages. I spent the better part of 4 hours trying to figure it out, and in the process really messed up my time server. After I finally had my server getting good time and the two clients getting good time off the server I left because my brain was fried! (went looking for beer and czech women, alas, found neither) I didn't see any funny log messages either. But, I just basically ran the dumb thing with no restrict flags (I am behind a firewall anyway). 

Not sure what my machines are up to now, but I'll find out Monday morning if I'm back to the crazy log messages. 

Anyway, I want to also pass along this tidbit that goes against what the comments say in the default ntp.conf file.

The restrict flag notrust means "Deny service unless the packet is cryptographically authenticated." This comes right from Access Control in the NTP Documentation. Therefore, if you are not using the authentication keys provided in ntpd (who does) then DO NOT put "notrust" on the line that allows your subnet client to access your time server!

Also, maybe this will help some understand the "restrict" statements.

All incoming packets' addresses will be compared to your list of restrict statements.

The restrict statement that produces a value closest to 255.255.255.255 is the statement that will be used.

The restrict statement always uses a default mask of 255.255.255.255 unless you specify one.

"restrict" with an address and no flags will allow complete unfettered access to your time server from that address.

No restrict statements at all allows complete, unfettered access to your time server from anyone on your LAN or the Internet!

Illustrating:

"restrict default ignore" -- the string "default" has special meaning: it uses address 0.0.0.0 and mask of 0.0.0.0. If this is your only restrict statement, all addresses will match this and be ignored, including the time servers you specified in the top of the file! No one will be able to communicate with your ntpd server!

"restrict 128.8.10.1 nomodify"

"restrict 192.35.82.50 nomodify" -- with no specified mask, ntpd applies the default mask of 255.255.255.255 to each of these addresses, therefore the only restriction applied to these two specific addresses is the "nomodify" option: "Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted." This is the option you need to set up for each time server you are syncing to if you also have the above restrict line (default ignore)

"restrict 192.168.1.0 mask 255.255.255.0 nomodify" -- the expressed mask forces all the addresses on the subnet "192.168.1.x" to take only the same restriction as above.

"restrict 127.0.0.1" -- this allows no restrictions to the local machine. I would beware, however, that your server may allow itself to sync to its own hardware clock. I'm not sure if this would definitely happen, but in my 3 hours of reading, I saw it mentioned somewhere.

For the complete, authoritative list of restrict flags and their descriptions, see Access Control in the NTP Documentation.

Anyway, hope this helps someone. I can think straight now. Now where's my beer?
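
The matching rules described in the post above, as an added example that is not part of the original post: a small Python auditor that parses the restrict lines of an ntp.conf, picks the most specific match for a source address, and reports which upstream servers or clients are locked out or left unrestricted. The function names are hypothetical, 203.0.113.7 is a constructed stand-in for an address handed out by pool.ntp.org, and notrust is treated as "authentication required", the 4.2 meaning quoted in the post.

```python
import ipaddress

# Restrict lines from Garth's server ntp.conf in this thread.
GARTH_SERVER_CONF = """\
restrict default ignore
restrict 127.0.0.1 nopeer
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer
restrict 130.126.24.44 nomodify
restrict 199.240.130.12 nomodify
restrict 128.4.40.12 nomodify
"""

# The "allow localhost" pair from the stock ntp.conf comments, uncommented.
STOCK_NOTRUST_CONF = """\
restrict default notrust nomodify
restrict 127.0.0.1
"""


def parse_restrict(conf_text):
    """Return (rules, skipped); rules is a list of (IPv4Network, flags)."""
    rules, skipped = [], []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        mask = "255.255.255.255"            # default mask: exactly one host
        if addr == "default":               # special name: 0.0.0.0 mask 0.0.0.0
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:                  # hostname or mistyped address
            skipped.append(raw.strip())     # cannot be evaluated offline
            continue
        rules.append((net, frozenset(rest)))
    return rules, skipped


def verdict(rules, source):
    """Classify one source address using the most specific matching rule."""
    ip = ipaddress.ip_address(source)
    hits = [(net, flags) for net, flags in rules if ip in net]
    if not hits:                            # nothing matches: no restriction
        return "unrestricted"
    _, flags = max(hits, key=lambda hit: hit[0].prefixlen)
    if "ignore" in flags:
        return "ignored"
    if "notrust" in flags:                  # assumption: 4.2 meaning of notrust
        return "auth-required"
    return "served:" + ",".join(sorted(flags)) if flags else "unrestricted"


def audit(conf_text, upstreams=(), clients=()):
    """List findings for upstream server IPs and client IPs."""
    rules, skipped = parse_restrict(conf_text)
    findings = [f"cannot evaluate: {line}" for line in skipped]
    if not rules:
        findings.append("no restrict lines: every host gets full access")
    for ip in upstreams:
        if verdict(rules, ip) in ("ignored", "auth-required"):
            findings.append(f"upstream {ip}: replies dropped, no sync")
    for ip in clients:
        state = verdict(rules, ip)
        if state in ("ignored", "auth-required"):
            findings.append(f"client {ip}: not served ({state})")
        elif state == "unrestricted":
            findings.append(f"client {ip}: unrestricted (no nomodify/noquery)")
    return findings


if __name__ == "__main__":
    # 203.0.113.7 is a constructed address playing the role of a pool server
    # that is not listed in the restrict lines.
    for finding in audit(GARTH_SERVER_CONF,
                         upstreams=["130.126.24.44", "203.0.113.7"],
                         clients=["192.168.1.57"]):
        print(finding)
    for finding in audit(STOCK_NOTRUST_CONF,
                         clients=["192.168.1.57", "127.0.0.1"]):
        print(finding)
```

Lines that name a host instead of an address are reported as "cannot evaluate" rather than resolved, so the check stays offline and deterministic.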

----------

## stripe

wow, thanks a lot Garth for that "manual", It's a fantastic flag description I was looking for a long time. Just I added a mask behind IPs and log is clean, finally. Somehow I thought it's resolving automatically, but it is not.

Well if you would like to taste a Czech beer and girl, well if you will pass through Prague someday, just let me know, you'll get some by me, about the girl I'm afraid it's up to you to catch one  :Wink:  but I think it would not be a problem all of them are beautiful....

----------

## Garth

Thanks stripe, I will remember that invite for the next time I am in Praha

Here is my working ntpd.conf file. I found that if you create all the restricts as shown, but do not allow localhost (restrict 127.0.0.1), then what happens when you type ntpq -pn is that your command line will just sit and do nothing. So don't forget that line!

```
# Name of the servers ntpd should sync with
server ntp-2.cso.uiuc.edu
server ntp1.kansas.net
server louie.udel.edu

# you should not need to modify the following paths
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift

# Warning: Using NO NTP restrict settings will leave your NTP
# server accessible to all hosts on the Internet.

# deny all machines from accessing the NTP server
restrict default ignore

# allow localhost, but don't sync to local hardware clock
restrict 127.0.0.1 nopeer

# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer

#allow access from the above time servers
restrict 130.126.24.44 nomodify
restrict 199.240.130.12 nomodify
restrict 128.4.40.12 nomodify
```

ntpq output from this machine:

```
garth_1 etc # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-2.gw.uiuc.e 128.174.38.133   2 u   16   64   37   26.509   -4.675   2.356
+triangle.kansas 128.252.19.1     2 u   11  512   37   34.356   -7.358   1.867
+louie.udel.edu  18.145.0.30      2 u    9  512   37   42.573   -1.062   2.183
```

ntpd.conf on clients:

```
server garth_1
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift
restrict default ignore
restrict 127.0.0.1 nopeer
restrict 192.168.1.219 nomodify
```

ntpq output from the client:

```
garth_2 root # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*GARTH_1         ntp-2.gw.uiuc.e  3 u    9   64   17    0.215  -14.309   3.820
```

Also, for another great HOWTO to understand the "reach" keyword in your ntpq output, see this article in the Linux Journal: Understanding NTP Reachability Statistics

Party On!

----------

## rtwick

bump

----------

## Andersson

 *rtwick wrote:*   

> bump

 

Bump? You haven't even asked a question.  :Smile: 

----------

## rtwick

 *Andersson wrote:*   

>  *rtwick wrote:*   bump 
> 
> Bump? You haven't even asked a question. 

 

that's because I know I will need it frequently as I'm planning to move 3 machines from redhat to gentoo  :Smile: 

----------

## thekk

Slightly off-topic, but I think it does belong here:

An initiative of several public NTP server administrators has started, because some NTP servers were overloaded with requests for the correct time. Therefore, a project was started to spread the load more evenly over the participating servers. This is done through round-robin DNS (meaning: domain name lookups resolve to different IP's). On the project's website is a more extensive explanation (and an invitation to join the group, if you have a good NTP server)

Anyway, the point of this whole story is that you don't have to find out which servers are the best for you, but you can specify your servers using (only the top bit of the file):

```
# Server config
# Because of round robin DNS we get 3 different IP's
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
```

Greetings,

Thekk

----------

## Andersson

Following the advice on using the restrict commands for the servers, this pool doesn't work. These lines:

 *Garth wrote:*   

> # deny all machines from accessing the NTP server 
> 
> restrict default ignore
> 
> [...]
> ...

 

I suppose I could add all the time servers in that project (I think it said there was 115 of them), but that would be a little too much work to keep track of when new ones are added all the time. Or I could allow access from any time server. But I think I'd rather stick with my hand picked servers and hope they're not under too much load.

On a side note, that ntp pool means ntp emerge could come with a working configuration.  :Cool: 

----------

## Garth

 *Andersson wrote:*   

> Following the advice on using the restrict commands for the servers, this pool doesn't work. These lines:
> 
>  *Garth wrote:*   # deny all machines from accessing the NTP server 
> 
> restrict default ignore
> ...

 

Andersson, I was thinking the same thing. Noting in a previous post:

 *NickDaFish wrote:*   

> EDIT: Discovered that, despite what the docs listed above say, you don't appear to be able to use DNS host names with restrict. Anyone with any insight on why not please let me know.

 

Most stratum 2 time server admins tell you not to key off their IP address since it could easily change, use the name instead. I was worried that my config might crap out over time if some or all of the servers change their IP address and this was bugging me.

However, I just tried using the hostnames for my timeservers in my restrict statements and it works!  :Cool:  However, on my system, at least, watch ntpq -p hangs, but simple ntpq -p prints good results. This may be due to some DNS resolve issues. I note also that if I give a ntpq -pn it gives me the proper IP addresses of the time servers.

So, yes, Andersson, if the pools are functional, the ebuild ntp.conf could set up a functional system right out of the box.  :Cool: 

I'm sticking to my hand-picked servers for now, but if anyone has good success with the pool, post the results here.

 :Confused:  One big question about the pool configuration:

if you use:

```
# Server config
# Because of round robin DNS we get 3 different IP's
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
```

How do you know that:

```
restrict pool.ntp.org nomodify
restrict pool.ntp.org nomodify
restrict pool.ntp.org nomodify
```

Will produce the same 3 IP's   :Question:   :Question:  I see scripting ahead!  :Shocked: 

----------

## cbr

```
root@tux:/home/cbr# /etc/init.d/ntpd stop
 * Stopping ntpd...
start-stop-daemon: warning: failed to kill 8143: No such process
1 pids were not killed
No process in pidfile `/var/run/ntpd.pid' found running; none killed.
 * Failed to stop ntpd                                                            [ !! ]
root@tux:/home/cbr# /etc/init.d/ntpd start
 * Starting ntpd...                                                               [ ok ]
root@tux:/home/cbr# ps -A | grep ntp
root@tux:/home/cbr#
```

/etc/init.d/ntpd start doesn't start ntpd. When I start it manually without $NTPD_OPTS (which are '-u ntp:ntp'), it starts. What is the problem?

----------

## Garth

cbr, check your /etc/passwd file, you should have a line like this:

```
ntp:x:123:123:added by portage for ntp:/dev/null:/bin/false
```

also, in your /etc/group file:

```
ntp::123:
```

If not, this may be the cause of the problem.

----------

## cbr

The /etc/group line is slightly different:

```
ntp:x:123:
```

-edit- But I tried to change it and it didn't make any difference. It has started doing that lately.. before that it worked great.

----------

## thekk

 *Garth wrote:*   

>  One big question about the pool configuration:
> 
> if you use:
> 
> ```
> ...

 

Yes, that was a problem that I struggled with. I solved it by denying NEW udp connections at the firewall from the internet to port 123 (ntp).

For the good order, here is my ntp.conf:

```
#First specify log and driftfile:
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift

# Server config
# Because of round robin DNS we get 3 different IP's
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org

# Restrict default access, no ignore because then we block packets from
# the (unknown) servers, still some restrictions so we don't sync the
# internet servers with our hardware time.
restrict default nopeer noquery nomodify

# Now allow some access from lo, don't allow to sync with hardware clock
restrict 127.0.0.1 nopeer

# Allow requests from the local network:
restrict 10.0.0.0 mask 255.0.0.0  nomodify nopeer
```

For a full list of access control options, click here.

Now, the internet is able to get time information from our server. Even though this gives almost no traffic, it is still a (very) small (especially because Gentoo by default runs it as a non-privileged user) security risk. Therefore we want to intercept packets requesting time info from our server. This can be done by iptables, because even though UDP is a stateless protocol, it is possible to filter new requests using iptables. (I found that out here).

So, without further ado, a few rules from my iptables script:

```
# NTP section
# eth0 is local network, eth1 is internet

# Allow questions to be asked to the time server from the local network.
iptables -A INPUT -i eth0 -p udp --dport ntp --sport ntp -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport ntp --sport ntp -j ACCEPT

# Disallow requests asking questions from the internet.
iptables -A INPUT -i eth1 -p udp --dport ntp --sport ntp -m state --state NEW -j DROP

# Allow questions to be asked to the internet time servers.
iptables -A INPUT -i eth1 -p udp --dport ntp --sport ntp -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport ntp --sport ntp -j ACCEPT
```

I hope this may help someone.

Greetings,

Thekk

----------

## meowsqueak

I have a problem - today I restarted ntpd (4.2.0-r2) and it stopped providing time to clients. You can't get any simpler than my setup:

/etc/ntp.conf

 *Quote:*   

> logfile         /var/log/ntpd.log
> 
> driftfile       /var/lib/ntp/ntp.drift
> 
> server ntp.iprolink.co.nz
> ...

 

/etc/conf.d/ntp

 *Quote:*   

> #NTPD_OPTS="-u ntp:ntp"

 

```
$ netstat -ua | grep ntp
udp        0      0 theoden.middle_eart:ntp *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
```

```
$ ps aux | grep [n]tp
root     28847  0.0  0.6  3504 3504 ?        SL   12:41   0:00 /usr/bin/ntpd -p /var/run/ntpd.pid
```

```
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 amp-gw.compass. 203.167.224.60   2 u    2   64    1   54.006  -121.85   0.001
 mu-relay1.masse 192.5.41.40      2 u   65   64    1   47.932  -112.30   0.001
 orthanc.otago.a 130.217.76.79    3 u    1   64    3   62.903  -117.38  20.495
 gen2.ihug.co.nz 130.217.76.34    2 u   63   64    1   28.494  -120.21   0.001
 gen3.ihug.co.nz 130.217.76.49    2 u   62   64    1   43.594  -127.83   0.001
 gen1.ihug.co.nz 130.217.76.34    2 u   61   64    1   29.626  -120.67   0.001
 zorac.sf-bay.or 204.123.2.5      2 u   60   64    1  178.675  -117.72   0.001
```

Now if I try this on another machine (no firewall, direct LAN connection, was working before I restarted server today):

```
# ntpdate theoden
Looking for host theoden and service ntp
host found : theoden
 2 Jul 12:36:25 ntpdate[2502]: no server suitable for synchronization found
```

I have no 'restrict' lines, no iptables, nothing confusing or strange at all. I've tried rolling back to ntp-4.1.2 but that made no difference. 

This was working earlier - what could possibly have changed? I've spent two hours on this now... anyone got any ideas?

(I also upgraded NTP on my Debian server recently and the exact same thing has happened there too - other machines on LAN cannot use it as a time server any more).

----------

## meowsqueak

Ah ha! I went to lunch and when I came back it was working! It seems running '/etc/init.d/ntpd restart' locks clients out of the server for a while - perhaps until the time is in sync. That makes sense. And my debian box is working now too. Time cures all ills...

----------

## Quantumstate

I'd like to repeat this question.  The fewer ports open, the better.

 *mbjr wrote:*   

> Is there any way to tell ntpd to listen on 1 ip address only? I was checking the manuals and well, no info on that.  

 

----------

## Quantumstate

^^

----------

## elwood75

On three gentoo boxes I followed this guide, and within days my ntp.conf file had been overwritten-- very frustrating!

However I found that others on the web were having the same issue, and the ntp mailing lists indicated the answer.  If your DHCP server thinks it has info about the ntp servers for your network, the DHCP client will overwrite your ntp.conf configuration with the configuration provided by the DHCP server.

To avoid this, uncomment dhcpcd_eth0 (or whichever network adapter is appropriate) , and add "-N" to the config line:

```
# For DHCP set iface_eth? to "dhcp"
# For passing options to dhcpcd use dhcpcd_eth?
#
iface_eth0="dhcp"
dhcpcd_eth0="-t 30 -N"
```

This tells the DHCP client to not overwrite the ntp.conf file.

Brad

----------

## Martz

 :Arrow:  I'm having a small problem with getting the time to synchronise. It seems that my clock has drifted too far for NTPd to update it 

 :Question:  I have set the system time (through webmin, I'm a n00b) to be that of GMT as found on Worldtimeserver so my system clock roughly matches

I have also checked that I have my time zone set correctly, and symlinked to GMT:

jupiter# ln -sf /usr/share/zoneinfo/GMT /etc/localtime

When I run ntpq -p it shows a very large offset:

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 193.25.198.254  145.238.110.49   2 u    3   64    1   24.808  -354394   0.001
 bear.zoo.bt.co. 193.63.106.104   2 u    2   64    1   28.690  -354394   0.001
```

 I get this in my ntpd.log file:

```
21 Jul 12:11:09 ntpd[6603]: synchronized to 193.25.198.254, stratum=2
21 Jul 12:11:09 ntpd[6603]: time correction of -3544 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
```

However I cannot get the system clock anywhere near the GMT time  :Sad:  Does anyone have any suggestions? Any would be appreciated.

----------

## think4urs11

```
/etc/init.d/ntpd stop
/usr/bin/ntpdate <your ntp server of choice>
/etc/init.d/ntpd start
```

should fix the offset problem

HTH

T.

----------

## Martz

My problem was caused by not symlinking the correct time zone to /etc/localtime

Because in GMT of daylight savings, my drift was a few seconds + an hour. I was using the GMT, GMT+0 time zones which are all the same as UTC. 

Setting the /etc/localtime to GB makes it work perfectly  :Smile: 

Now I have my Gentoo box using NTPD querying 2 external NTP servers for the correct time. My Windows domain controllers then get their time from the Gentoo box, and the Win2K workstations sync with the domain controller during login. Complete enterprise time sync working great  :Smile: 

Thanks for the guide!

----------

## dob

Anyone tried openntpd yet?  :Very Happy: 

It's supposed to have a saner licence than ntpd, and to be more secure as well (it can be set up to not listen on all network interfaces)

http://openntpd.org/

(and it's already in portage)

It seems to work, however, the usual ntp utilities like ntptrace and ntpq don't seem to work with it. I get the following in syslog:

```
Jul 25 18:22:44 tokyo ntpd[17216]: malformed packet received
```

And in the term where I run ntpq / ntptrace:

```
127.0.0.1: timed out, nothing received

***Request timed out
```

Openntpd is set to listen on 127.0.0.1

Anyone had more luck ?   :Confused: 

----------

## dob

To install it just emerge openntpd

----------

## dedbox

Just emerged openntpd-20040719 and my ntp woes are gone.   :Very Happy: 

It is obviously not as flexible as traditional ntpd (which still runs on my gateway), but my workstation's ntpd.conf is much easier to read. Unmerging net-misc/ntp removed all ntp* executables. I assume this means they're not intended for use with openntpd. Only indication that openntpd is working are these lines in my syslog:

```
Jul 28 08:25:10 [ntpd] adjusting local clock by 4.096589s
Jul 28 08:29:10 [ntpd] adjusting local clock by 3.900064s
Jul 28 08:32:40 [ntpd] adjusting local clock by 3.703613s
```

I verified the clock was actually moving like this:

```
ssh gateway date; date
```

----------

## dob

 *dedbox wrote:*   

> Just emerged openntpd-20040719 and my ntp woes are gone.  
> 
> ```
> Jul 28 08:25:10 [ntpd] adjusting local clock by 4.096589s
> 
> ...

 Wow! Your clock drifts by huge margins!  :Shocked: 

My syslog looks like this

```
Jul 28 07:52:32 tokyo ntpd[17215]: adjusting local clock by -0.000837s
Jul 28 08:21:53 tokyo ntpd[17215]: adjusting local clock by -0.001849s
Jul 28 08:41:53 tokyo ntpd[17215]: adjusting local clock by -0.001578s
Jul 28 09:15:42 tokyo ntpd[17215]: adjusting local clock by 0.000151s
Jul 28 09:47:30 tokyo ntpd[17215]: adjusting local clock by -0.000527s
Jul 28 10:07:30 tokyo ntpd[17215]: adjusting local clock by -0.000923s
Jul 28 10:37:33 tokyo ntpd[17215]: adjusting local clock by 0.000115s
Jul 28 11:17:30 tokyo ntpd[17215]: adjusting local clock by 0.000325s
```

----------

## andrewbarr

Hi. I followed this guide to set up ntpd and ntp-client on my machine. Once ntpd is started, there is a constant drip of network activity from this machine to my router. The LED light on my switch blinks once every second or so. Is this normal/to be expected? The activity stops when the ntpd daemon is shut down.

----------

## Ladynik0n

I thought I followed the instructions right but I guess I didn't .. 

I got this.  

```
 /etc/init.d/ntpd start 
 * Starting ntpd...
usage: /usr/bin/ntpd [ -abdgmnqx ] [ -c config_file ] [ -e e_delay ]
                [ -f freq_file ] [ -k key_file ] [ -l log_file ]
                [ -p pid_file ] [ -r broad_delay ] [ -s statdir ]
                [ -t trust_key ] [ -v sys_var ] [ -V default_sysvar ]
                [ -P fixed_process_priority ]
                [ -u user[:group] ] [ -i chrootdir ]
```

 :Shocked: 

this is how everything else looks

this is nano /etc/conf.d/ntpd

```
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/ntp/files/ntpd.confd,v 1.14 2004/02$
# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-b cornell"
NTPDATE_CMD="ntpdate"
```

And this is : 

```
# NOTES:
#  - you should only have to update the server line below
#  - if you start getting lines like 'restrict' and 'fudge'
#    and you didnt add them, AND you run dhcpcd on your
#    network interfaces, be sure to add '-Y -N' to the
#    dhcpcd_ethX variables in /etc/conf.d/net
# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server         ntp.example.tld         iburst
server         clock.linuxshell.net
server         ntp0.cornell.edu
server         reva.sixgirls.org
##
# A list of available servers is available here:
# http://www.eecis.udel.edu/~mills/ntp/clock2a.html
# http://www.eecis.udel.edu/~mills/ntp/servers.html
# Please follow the rules of engagement and use a
# you should not need to modify the following paths
driftfile       /var/lib/ntp/ntp.drift
#server ntplocal.example.com prefer
#server timeserver.example.org
# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
#
#restrict default ignore
# To only deny other machines from changing the
# configuration but allow localhost uncomment:
#restrict default notrust nomodify
#restrict 127.0.0.1
# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
```

What am I not getting   :Embarassed: 

----------

## j__m

OK, do the following:

```

emerge =ntp-4.1.2

```

Sorry to say but the 4.2.0-r2 ebuild is FUBAR and never worked on any of approx. 15 computers I tried. 

Also be sure to add appropriate entry to /etc/portage/package.mask to block any future updates to ntp via emerge -u world.

----------

## AMSch

Hello!

Ich have successfully installed Opennpt and it looks like it works, but there ist one strange thing:

Im using openntpd on 2 PCs and on both I find the following output ind /var/log/messages

```
Aug 18 10:19:23 neo ntpd[6901]: adjusting local clock by 527.833010s
Aug 18 10:23:25 neo ntpd[6901]: adjusting local clock by 527.711954s
Aug 18 10:25:26 neo ntpd[6901]: adjusting local clock by 527.469137s
```

```
Aug 18 10:00:23 morpheus ntpd[1246]: adjusting local clock by 1429.649724s
Aug 18 10:03:53 morpheus ntpd[1246]: adjusting local clock by 1429.985324s
Aug 18 10:07:23 morpheus ntpd[1246]: adjusting local clock by 1430.341580s
Aug 18 10:11:24 morpheus ntpd[1246]: adjusting local clock by 1430.730004s
Aug 18 10:13:24 morpheus ntpd[1246]: adjusting local clock by 1431.133677s
```

So on both systems (installed version of openntpd 20040719p) there are big time differences and I don't feel that this is normal (since I don't have the "right" time at all) - can anyone help with why this is happening? /etc/localtime and the time in rc.conf are set to the right values.

----------

## Dr_Smack

I'm using ntp-4.1.2 and things seem to work, except I never get any messages stating my time was updated in /var/log/messages (or /v/l/ntpd.log).  I get the normal startup messages, but never anything after that (I've left it running for weeks).  My drift file gets updated throughout the day, but I can't tell if anything else is happening.

Here's my ntp.conf:

```
#First specify log and driftfile:
logfile         /var/log/ntpd.log
driftfile       /var/lib/ntp/ntp.drift

# Server config
# Because of round robin DNS we get 3 different IP's
server us.pool.ntp.org
server us.pool.ntp.org
server us.pool.ntp.org

# Restrict default access, no ignore because then we block packets from
# the (unknown) servers, still some restrictions so we don't sync the
# internet servers with our hardware time.
restrict default nopeer noquery nomodify

# Now allow some access from lo, don't allow to sync with hardware clock
restrict 127.0.0.1 nopeer

# Allow requests from the local network:
restrict 192.168.1.0 mask 255.255.255.0 nopeer nomodify
```

----------

## inode77

Using ntpd only makes sense if you have at least a couple of computers to synchronize.

For a single machine it does not make any sense because ntpd is:

- too much software => security risk

- too complicated for the average user

- using far too many resources

I'm not trying to say in any way you should not use ntp but there is an easy replacement which has none of the disadvantages mentioned above. But you can use it only as "client" to synchronize one single machine.

```

emerge rdate

```

After the tiny bit of software is installed add a line to  your crontab similar to the following:

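```
# Run once a day at 05:05; the redirection is written in the portable sh form,
# since cron runs commands with /bin/sh
5      5   *   *   *   /usr/bin/rdate -s swisstime.ee.ethz.ch > /dev/null 2>&1
```

That should do the trick without too much hassle with complicated configuration or resource-eating software.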

Please do not synchronise more than once a day or seek approval with the timeserver administrators first. The protocol used to synchronize is defined by RFC 868.

http://www.ietf.org/rfc/rfc0868.txt?number=868

I recommend using this to synchronize any site with fewer than 5 to 10 machines.

----------

## skyfolly

shit, it never works.

----------

## Suicidal

I'm starting to like BSD's openntpd as well; its configuration is nearly nonexistent.

```
#
# Sample ntpd.conf
# $Id: ntpd.conf,v 1.2 2004/07/17 00:22:19 dtucker Exp $
#

# Adresses to listen on (ntpd does not listen by default)
listen on *
# listen on 127.0.0.1
# listen on ::1

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
# servers pool.ntp.org

# Sync to the first active address these resolve to
server pool.ntp.org
server pool.ntp.org
server pool.ntp.org
```

This is from my server @ work and it is the entire config file. The only value I modified was to uncomment "listen on *".

I use it to keep my AD servers synced; since msblast I have had horrible times keeping their NTP right, probably because of all the ICMP ACLs out there.

With this there is no config unless you want it to be a server, so it would be perfect for client machines, and less of a security risk as well.

----------

## Suicidal

 *AMSch wrote:*   

> Hello!
> 
> I have successfully installed openntpd and it looks like it works, but there is one strange thing:
> 
> I'm using openntpd on 2 PCs and on both I find the following output in /var/log/messages:
> ...

 

What are your /etc/localtime and rc.conf set to? Due to the large drift it looks as if you have rc.conf set to UTC and /etc/localtime set to your local timezone. Other than that I would suspect buggy or (going) bad hardware such as your RTC.

----------

## frippz

 *jjasghar wrote:*   

> 
> 
> ```
> 
> tito etc # /etc/init.d/ntpd start
> ...

 

Yeah, I got that too and it seems that the init script (or whatever reads /etc/conf.d/ntpd) doesn't give a damn that the command to use is ntpdate and not ntpd. Don't know how to fix it though. Seems that ntpd is hardcoded into the init script.

----------

## pharaoh

I've spent so much time on this that now that my clock is in sync I don't believe how much time has passed since I started working on it...

I'm going to wait a bit until I continue troubleshooting why my clients won't sync to the server.  Server seems peachy now otherwise!  Thanks to everyone who posted their hearts out   :Very Happy: 

EDIT:  IT WORKS!!!  Just like Meowsqueak had said earlier, "go to lunch and come back".  YAY!  The HOWTO should probably be noted about this for newbs like me who think "it's setup correctly, why's it not working?" and then go changing things and breaking it.

----------

## Skywacker

Thanks for the guide. Master node now syncs perfectly and all slaves update from the master. 

-Skywacker

----------

## frippz

I got my time syncing working perfectly after reading this guide:

http://gentoo-wiki.com/HOWTO_NTP

Also, in addition, this guide helped of course. Someone here mentioned to enable DMA on /dev/hda which mine didn't have enabled, so it did the trick! Now my clock doesn't trail one bit (not enough for me to notice anyway  :Very Happy: ).

----------

## Freejack00

I think this works if I can figure out why it does this every time I try to run it:

```
 * Running preup function
 *   Wireless extensions not found for eth0
 * Please make sure that /etc/conf.d/net has $ifconfig_eth0 set
 * (or $iface_eth0 for old-style configuration)
 * Starting ntpd...
 * Failed to start ntpd
```

I use wireless which is ath0 not eth0. I have been setup like this for months and no problems till now when I try to setup ntp. Any ideas?

----------

## dusty_bin

As a noob to all things Linux/Gentoo - I am struggling:

1. ntpd is running with other servers in ntp.conf, but how do I hook up a local ref clock?

For the NMEA (for my Garmin GPS25LVS) is it just a matter of adding server 127.127.20.0 to ntp.conf and creating a symbolic link: ln -s /dev/ttyS0 /dev/gps0? (I dare say the syntax is wrong)

2. If I try to restart using /etc/init.d/ntpd restart, it always fails to start, but starts OK if I reboot.  Any ideas?

Currently on NTP v4.1.2 and kernel 2.4.25 - and in the process of trying to work my way through updating portage and then to NTP v4.2.0...

[edit] 

Oops, I see this isn't a support list - but it did seem like the most relevant thread at the time.

Anyway point 1 seems to be the correct way as my ref clock is now going.  As far as 2 goes, I've no idea - but having completed the portage business, the associated updates of the configuration and upgraded NTP, I don't see the problem anymore.

And now for PPSkit...

----------

## danorris

Hmm, I'm having some time zone problems with ntpd. In /etc/rc.conf I have:

```
CLOCK=local
```

And my timezone is set as:

```
freya root # file /etc/localtime
/etc/localtime: symbolic link to `/usr/share/zoneinfo/CST6CDT'
freya root # file -L /etc/localtime
/etc/localtime: timezone data
```

But when I run "ntpd -q" I get the following output in my syslog:

```
Dec  5 18:35:16 [ntpd] ntpd 4.2.0@1.1161-r Fri Dec  3 08:08:58 CST 2004 (1)
Dec  5 18:35:16 [ntpd] precision = 1.000 usec
Dec  5 18:35:16 [ntpd] kernel time sync status 0040
Dec  5 18:35:20 [ntpd] Frequency format error in /var/lib/ntp/ntp.drift
Dec  5 18:35:25 [ntpd] synchronized to 64.113.215.94, stratum=2
Dec  5 18:35:25 [ntpd] time correction of -86414 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
```

And finally here's my ntp.conf (comments stripped):

```
server us.pool.ntp.org
server us.pool.ntp.org
server us.pool.ntp.org
server us.pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
```

Any ideas?

----------

## danorris

NEVERMIND!

I just noticed -86414 seconds is almost exactly 24 hours. Yep, my clock was off by a whole day. Thought it was 12/5 when it's really 12/4. The time was right though.

All fixed, thanks anyway and sorry for the retarded post!

----------

## kortec

I just finished setting up the whole NTP subsystem on my box (AMD64, 2005.0 profile, within a few days of totally up to date) but I was wondering something that hopefully someone will have the answer for. With the current ebuild, I get ntp-client and ntpd in /etc/init.d/ ... it seems to me that ntpd would turn my box into a server, like if I wanted to set the time for my LAN, which I'm not particularly interested in doing. So can I get away with just running ntp-client on boot to sync and not have ntpd run at all?

----------

## danorris

I was originally confused by this, too.

ntp-client queries the public servers to get the current time, and then sets your system clock to that time. This happens instantaneously, so your clock "jumps" to the correct time. And it only does this once, when you run /etc/init.d/ntp-client start (which normally happens at boot).

ntpd keeps a running tally of the public servers' time. If your local clock drifts out of sync for any reason, it will "slew" your clock toward the correct time. Unlike ntp-client, this is done smoothly; there are no instantaneous clock jumps, which is generally a good thing. Also, ntpd does this continuously, keeping your system clock locked with the correct time as long as ntpd is running. ntpd can also act as a time server for other machines, but it doesn't have to -- this is what the "restrict 127.0.0.1" line at the top of /etc/ntp.conf does, meaning the local machine is the only one that can access the "server".

So the bottom line is, you probably want them both. Just make sure you have "restrict 127.0.0.1" in your /etc/ntp.conf. You CAN do without ntpd if you really want to, but then your clock might drift out of sync if you start accumulating lots of uptime. ntpd won't hurt anything and will make sure you're always in sync, not just in sync at boot.

----------
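How ntpd evaluates the `restrict` lines posted in this thread, as an added example that is not part of any post or of the ntp project's code: each source address gets the flags of the most specific matching entry, and without a `restrict default` line the default entry carries no flags. The function names and the addresses 203.0.113.10 and 192.168.1.50 are assumptions, the sample configs are constructed from restrict lines quoted above, and only IPv4 entries are handled.

```python
import ipaddress

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_restrict(conf_text):
    """Return {network: set of flags} for the IPv4 restrict lines of an ntp.conf."""
    # ntpd always has a default entry; with no "restrict default" line it has no flags.
    entries = {DEFAULT_NET: set()}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        if addr == "default":
            net = DEFAULT_NET
        else:
            mask = "255.255.255.255"  # no mask given: the entry covers a single host
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # hostnames and IPv6 are outside this example
        # Repeated lines for the same address add their flags together.
        entries.setdefault(net, set()).update(rest)
    return entries


def effective_flags(entries, client_ip):
    """Flags of the most specific (longest-prefix) entry that matches the client."""
    client = ipaddress.ip_address(client_ip)
    best = max((net for net in entries if client in net), key=lambda n: n.prefixlen)
    return entries[best]


def exposure(flags):
    """What the restrict list itself does not refuse for a source with these flags."""
    if "ignore" in flags:
        return []
    allowed = []
    if "noserve" not in flags:
        allowed.append("time service")
    if "noquery" not in flags:
        allowed.append("ntpq/ntpdc status queries")
        if "nomodify" not in flags:
            allowed.append("ntpq/ntpdc reconfiguration requests")
    return allowed


def audit(conf_text, client_ip):
    return exposure(effective_flags(parse_restrict(conf_text), client_ip))


# Constructed sample configs, built from restrict lines quoted in the thread.
CONF_LOCALHOST_ONLY = "restrict 127.0.0.1\n"
CONF_NOMODIFY = "restrict default nomodify\nrestrict 127.0.0.1\n"
CONF_LAN = """\
restrict default nopeer noquery nomodify
restrict 127.0.0.1 nopeer
restrict 192.168.1.0 mask 255.255.255.0 nopeer nomodify
"""

REMOTE = "203.0.113.10"   # assumed Internet host (documentation address range)
LAN_HOST = "192.168.1.50"  # assumed host on the local network

if __name__ == "__main__":
    for name, conf in [("localhost line only", CONF_LOCALHOST_ONLY),
                       ("default nomodify", CONF_NOMODIFY),
                       ("default nopeer noquery nomodify", CONF_LAN)]:
        for client in (REMOTE, LAN_HOST, "127.0.0.1"):
            print(f"{name:34} {client:14} {audit(conf, client) or ['nothing']}")
```

A `restrict 127.0.0.1` line with no flags only lifts restrictions for localhost; what other hosts may do is decided by the `restrict default` line.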

## kortec

ah. makes perfect sense... thanks very much. =)

----------

## scharkalvin

I've looked through this thread, but I don't think I see an answer to my problem.

My PC is behind a firewall that ONLY allows access to the internet via a proxy on port 8080 (http). (I have to specify my user name, password, and IP address of the proxy.)

I can use wget and web browsers to use the proxy; can I somehow configure an ntp client to do so? (How?)

----------

## danorris

I don't think it's really possible to run NTP over a proxy. Standard proxies don't handle UDP at all. There are some UDP proxies out there (see Google), but your network administrator would have to install them. And I think even doing that is iffy -- you'd be introducing extra, fake latency, and it might throw off the NTP algorithms. They're pretty robust, and very stable against normal network issues, but NTP just was not designed to be proxied.

This is why proxies are evil. The best solution is to ask your network administrators to open TCP and UDP on port 123. If they won't do that, then they should be willing to run a master NTP server on the intranet and allow you to synchronize against that server from inside the private net. If they won't do that either, then they're just as evil as proxies. I work behind one of the strictest, lamest firewalls ever (at an Army Corps of Engineers facility) and even they allow outbound NTP.

----------

## scharkalvin

Actually we MAY have an internal NTP server.  Our desktop computers are Windows XP, but our servers run RHEL (actually whitebox ...) and I think our computers get time synchronized to the server.  (Does a 'nix ntp server work with Windows clients or does it have to go through samba first?)  Anyway that would probably be my best bet.  Have to ask the server guru for the internal IP address of the server's ntp daemon.

----------

## platojones

 *Quote:*   

> 
> 
> I think our computers get time synchronized to the server. (Does
> 
> a 'nix ntp server work with windows clients or does it have to
> ...

 

Yes it does.  I have a dual-boot XP/Gentoo box hooked to my Gentoo gateway box which runs an ntpd client/server.  The XP box ntp client has no problems syncing with the ntp server on my Gentoo gateway box.  Samba is not necessary and in fact has no role to play at all.

----------

## danorris

Correct, NTP is an Internet standard (RFC 958). It's one of the few things Microsoft has not "innovated" to the point of incompatibility. So you should be fine  :Wink: 

----------

## mightybyte

I used the Gentoo Home Router Guide to configure my router/firewall and ntp.  Due to ignorance of iptables, I was not able to get ntp working until I found the following in this thread.

 *Garth wrote:*   

> 
> 
> So, without further ado, a few rules from my iptables script:
> 
> ```
> ...

 

I would like to suggest that these rules be put somewhere in the Home Router Guide so that other people who might not be familiar with iptables can get ntp working.  The guide does say that you have to open the port for ntp, but it does not tell how to do so.  This addition would be very helpful.

----------

## sarnold

 *danorris wrote:*   

> 
> 
> [snip]
> 
> So the bottom line is, you probably want them both. Just make sure you have "restrict 127.0.0.1" in your /etc/ntp.conf. You CAN do without ntpd if you really want to, but then your clock might drift out of sync if you start accumulating lots of uptime. ntpd won't hurt anything and will make sure you're always in sync, not just in sync at boot.

 

Not exactly; the ntpd daemon does more than just "keep a running tally" of server time; the drift file is specific to your machine's hardware clock, so it would be much more desirable to use ntpd (and not ntp_client) and enable the hardware clock option in /etc/conf.d/clock (set CLOCK_SYSTOHC="yes").  This should provide the most stable time for a system that shuts down regularly, as well as one that runs for long periods.

To set a system clock initially, or after something like a battery replacement, either set your BIOS clock manually to the correct time (most likely GMT) or run ntp-client once to set the clock after boot up (however, the latter will cause a jump in the times in log files and file time-stamps; a forward jump isn't as bad as a large backward jump).  About the only reason to even do that much is because if the time is off by more than a certain amount (nominally 1000 seconds) when ntpd starts, it will just die.

So, most people will want to 1) set the clock once, either manually or with ntp-client, and 2) after that run only ntpd (and not ntp-client) on most machines.  The only alternative that makes sense is to use ntp-client at each boot and let the system clock run free while the system is running, but this introduces varying degrees of time jumps in the logs and filesystem, depending on how long the machine is powered off and how bad the hardware clock itself drifts.  This just doesn't seem like a very good alternative to me, but it may suffice for some people.  And using both ntp-client and ntpd together is sort of the worst of both worlds...

----------

## Bigun

*bookmarked*

----------

## hayalci

I have spent *LOTS* of time reading ntp documentation and gentoo forums. I think it should be written in all capitals somewhere. Probably here.

NTP NEEDS OUTGOING UDP NTP PORT(123) OPENED ON YOUR FIREWALL, which sits between you and the ntp server and blocks all your sync requests, making you look at the "ntpq -p" outputs saying refid as .INIT. like this

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
20six.fr        .INIT.          16 u    -  128    0    0.000    0.000 4000.00
```

I should go and have our port 123/udp opened on the firewall.

 *mightybyte wrote:*   

> I used the Gentoo Home Router Guide to configure my router/firewall and ntp.  Due to ignorance of iptables, I was not able to get ntp working until I found the following in this thread.
> 
>  *Garth wrote:*   
> 
> So, without further ado, a few rules from my iptables script:
> ...

 

----------

## hayalci

The most painless solution is openntpd.

I wanted to sync my servers' time because their clock was not reliable (old hardware   :Wink:  ), and I did not have to cope with net-misc/ntp configuration or firewall ports. And no need to serve time (only two machines)

openntpd solves it all, works behind a firewall.

Easy steps:

1. If you want to keep net-misc/ntp along with openntpd, add the following line to /etc/portage/package.use and re-emerge; openntpd should be installed alongside it.

```
net-misc/ntp openntpd
```

Otherwise unmerge net-misc/ntp and emerge net-misc/openntpd

2. etc-update or dispatch-conf, update init script and config file

3. "usermod -d /var/empty ntp", because openntpd looks at the ntp user's home directory.

4. /etc/init.d/ntpd start

And here you go, syncing your clock, all in 3 minutes.  :Very Happy: 

You may have a look at /etc/ntpd.conf and change servers there. Try to use servers that are close to you, and have low network latency.

----------

## the_enigma

I was just curious as to how long ntp (regular, not openntpd) would take before it started taking some action.  I did have openntpd set up, but it didn't like the drift on my machine (60-90 seconds over 3 minutes, somehow   :Shocked:  ).  Currently, my ntp server for the network is still synchronising, stratum 16 and all that.  It's got as its server a stratum-2 from a nearby university.  Also my laptop is synching to the same server.  Below is the output from 'ntpq -c pe'.  "games" is my local server that is still synchronising at this point.

```
delta ntp # ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 games           .INIT.          16 u   10   64    0    0.000    0.000 4000.00
*b.pool.ntp.uq.e 130.102.152.7    2 u   14   64  377   19.665   66.735   4.843
```

Anyway, the "offset" has gone up by 6 (so 6ms I assume) in about 5 minutes.  Does this mean my clock is slowly getting worse off?  Is it just because ntp has to ensure it is synchronised before playing with stuff?

My ntp server, "games", is doing the same thing too.  

Although, what does that asterisk mean next to the "b.pool.ntp.uq.e".  That is only present on this laptop.

And also, when does a drift file get created/used.  I assume this'll take a while to show up, as it calculates drift.  I just want to make sure this all works

Anyway, there are some initial questions.  I'm actually gonna get some shut-eye now, and then it's exam time tomorrow, so I'll be back in approximately 12-14 hours.

Edit:  Ok, I just woke up.  Stuff seems to be going good now.  My own server has synchronised, and so has my laptop.  My desktop, however, is different.  It had the crazy clock drift, and is now ~368617ms off.  That's about 6 minutes, roughly.  This happened over about 7-8 hours I think.  Originally it was only <1000ms off.  Any ideas?  My config for this PC is below:

```
enigma@enigmas /etc $ cat ntp.conf | grep -v '#'
server          games prefer
server          au.pool.ntp.org
driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp/ntp.log
restrict default nomodify
restrict 127.0.0.1 
```

Now this is exactly the same code that is in the config on the laptop too, which has synched successfully.

----------

## the_enigma

Bumping to hopefully get a response.

My machine which has crazy drift is still not being synced.  I get the following after running ntpd for a few hours

```
enigma@enigmas ~ $ ntpq -c pe
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 games           130.102.2.123    3 u   29   64  377    0.172  -271096 4387.34
 cazza.aceonline 203.12.160.2     3 u   43   64  377   85.228  -269772 3487.90
enigma@enigmas ~ $ 
```

The offset just keeps increasing and increasing.

The config for this particular machine is as follows

```
enigma@enigmas /etc $ cat ntp.conf | grep -v '#'
server          192.168.0.20 prefer
server          au.pool.ntp.org
driftfile       /var/lib/ntp/ntp.drift
logfile         /var/log/ntp/ntp.log
restrict default nomodify
restrict 127.0.0.1 
enigma@enigmas /etc $ 
```

Everything seems to work.  Here's a chunk of output from "ntpd -n -d -d"

```
clock_filter: n 8 off -263.074389 del 0.085514 dsp 0.003012 jit 2.332493, age 257

auth_agekeys: at 21300 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21306 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21306 192.168.0.20 flags 0081 poll 6 burst 0 last 21306 next 21371

receive: at 21306 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21306 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21306 192.168.0.20 flags 0081 poll 6 burst 0 last 21306 next 21372

clock_filter: n 8 off -263.294801 del 0.000170 dsp 0.003381 jit 2.336228, age 254

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21353 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21353 202.0.185.154 flags 0001 poll 6 burst 0 last 21353 next 21418

receive: at 21353 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21353 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21353 202.0.185.154 flags 0001 poll 6 burst 0 last 21353 next 21418

clock_filter: n 8 off -263.074389 del 0.085514 dsp 0.003653 jit 2.363686, age 321

auth_agekeys: at 21360 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21372 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21372 192.168.0.20 flags 0081 poll 6 burst 0 last 21372 next 21438

receive: at 21372 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21372 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21372 192.168.0.20 flags 0081 poll 6 burst 0 last 21372 next 21435

clock_filter: n 8 off -263.294801 del 0.000170 dsp 0.004020 jit 2.385102, age 320

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21418 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21418 202.0.185.154 flags 0001 poll 6 burst 0 last 21418 next 21483

receive: at 21418 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21418 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21418 202.0.185.154 flags 0001 poll 6 burst 0 last 21418 next 21482

clock_filter: n 8 off -263.074389 del 0.085514 dsp 0.004293 jit 2.775450, age 386

auth_agekeys: at 21420 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21435 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21435 192.168.0.20 flags 0081 poll 6 burst 0 last 21435 next 21500

receive: at 21435 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21435 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21435 192.168.0.20 flags 0081 poll 6 burst 0 last 21435 next 21500

clock_filter: n 8 off -263.294801 del 0.000170 dsp 0.003601 jit 2.809811, age 383

auth_agekeys: at 21480 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21482 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21482 202.0.185.154 flags 0001 poll 6 burst 0 last 21482 next 21545

receive: at 21482 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21482 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21482 202.0.185.154 flags 0001 poll 6 burst 0 last 21482 next 21548

clock_filter: n 8 off -263.074389 del 0.085514 dsp 0.005189 jit 3.462808, age 450

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21500 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21500 192.168.0.20 flags 0081 poll 6 burst 0 last 21500 next 21565

receive: at 21500 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21500 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21500 192.168.0.20 flags 0081 poll 6 burst 0 last 21500 next 21563

clock_filter: n 8 off -263.294801 del 0.000170 dsp 0.003607 jit 3.497038, age 448

auth_agekeys: at 21540 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21548 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21548 202.0.185.154 flags 0001 poll 6 burst 0 last 21548 next 21611

receive: at 21548 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21548 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21548 202.0.185.154 flags 0001 poll 6 burst 0 last 21548 next 21614

clock_filter: n 8 off -269.772968 del 0.085228 dsp 0.002783 jit 4.293075, age 66

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21563 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21563 192.168.0.20 flags 0081 poll 6 burst 0 last 21563 next 21629

receive: at 21563 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21563 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21563 192.168.0.20 flags 0081 poll 6 burst 0 last 21563 next 21628

clock_filter: n 8 off -263.294801 del 0.000170 dsp 0.003935 jit 4.285838, age 0

receive: at 21570 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=20)

receive: at 21570 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=444)

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=220)

receive: at 21570 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=444)

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=228)

auth_agekeys: at 21600 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21614 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21614 202.0.185.154 flags 0001 poll 6 burst 0 last 21614 next 21679

receive: at 21614 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21614 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21614 202.0.185.154 flags 0001 poll 6 burst 0 last 21614 next 21678

clock_filter: n 8 off -269.772968 del 0.085228 dsp 0.003038 jit 3.487901, age 132

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21628 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21628 192.168.0.20 flags 0081 poll 6 burst 0 last 21628 next 21693

receive: at 21628 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21628 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21628 192.168.0.20 flags 0081 poll 6 burst 0 last 21628 next 21694

clock_filter: n 8 off -271.096864 del 0.000172 dsp 0.001058 jit 4.387344, age 65

receive: at 21656 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=20)

receive: at 21656 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=444)

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=220)

receive: at 21656 127.0.0.1<-127.0.0.1 restrict 000

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=444)

sendpkt(fd=5 dst=127.0.0.1, src=127.0.0.1, ttl=-6, len=228)

auth_agekeys: at 21660 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21678 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21678 202.0.185.154 flags 0001 poll 6 burst 0 last 21678 next 21741

receive: at 21678 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21678 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21678 202.0.185.154 flags 0001 poll 6 burst 0 last 21678 next 21741

clock_filter: n 8 off -269.772968 del 0.085228 dsp 0.002056 jit 2.820879, age 196

        MCAST   *****sendpkt(fd=6 dst=192.168.0.20, src=192.168.0.17, ttl=0, len=48)

transmit: at 21694 192.168.0.17->192.168.0.20 mode 3

poll_update: at 21694 192.168.0.20 flags 0081 poll 6 burst 0 last 21694 next 21759

receive: at 21694 192.168.0.17<-192.168.0.20 restrict 080

receive: at 21694 192.168.0.17<-192.168.0.20 mode 4 code 1

poll_update: at 21694 192.168.0.20 flags 0081 poll 6 burst 0 last 21694 next 21758

clock_filter: n 8 off -271.096864 del 0.000172 dsp 0.001923 jit 3.580587, age 131

auth_agekeys: at 21720 keys 1 expired 0

        MCAST   *****sendpkt(fd=6 dst=202.0.185.154, src=192.168.0.17, ttl=0, len=48)

transmit: at 21741 192.168.0.17->202.0.185.154 mode 3

poll_update: at 21741 202.0.185.154 flags 0001 poll 6 burst 0 last 21741 next 21804

receive: at 21741 192.168.0.17<-202.0.185.154 restrict 080

receive: at 21741 192.168.0.17<-202.0.185.154 mode 4 code 1

poll_update: at 21741 202.0.185.154 flags 0001 poll 6 burst 0 last 21741 next 21805

clock_filter: n 8 off -269.772968 del 0.085228 dsp 0.002721 jit 2.458078, age 259
```

I have no idea what makes this machine so special that it can't sync.  Two other machines on the network use identical configs, and work fine.  Any ideas?

----------
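Reading the `ntpq -p` peer listings posted above, as an added example that is not part of any post: it decodes the tally character in the first column and the octal `reach` register (one bit per recent poll, 377 meaning all of the last eight were answered), and flags offsets beyond the 1000 s sanity limit quoted in this thread's log messages. The function names and tags are assumptions; the sample combines rows quoted in the thread (tally column restored on the 20six.fr row) with one constructed row, timehost.exampl.

```python
# Tally codes printed by ntpq in the first column of each peer row.
TALLY = {
    " ": "discarded",
    "x": "falseticker",
    ".": "excess",
    "-": "outlier",
    "+": "candidate",
    "#": "backup",
    "*": "system peer",
    "o": "PPS peer",
}
PANIC_MS = 1000 * 1000  # ntpd's 1000 s sanity limit, in ms (ntpq shows offset in ms)

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 20six.fr        .INIT.          16 u    -  128    0    0.000    0.000 4000.00
 games           .INIT.          16 u   10   64    0    0.000    0.000 4000.00
*b.pool.ntp.uq.e 130.102.152.7    2 u   14   64  377   19.665   66.735   4.843
 games           130.102.2.123    3 u   29   64  377    0.172  -271096 4387.34
 timehost.exampl 192.0.2.1        3 u   12   64  377    0.200 -1101000   5.000
"""


def parse_peers(text):
    """Parse ntpq peer rows into dicts; header, separator and malformed rows are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        tally, fields = line[0], line[1:].split()
        if tally not in TALLY or len(fields) != 10 or fields[0] == "remote":
            continue
        try:
            peers.append({
                "tally": tally,
                "remote": fields[0],
                "refid": fields[1],
                "stratum": int(fields[2]),
                "reach": int(fields[6], 8),  # displayed in octal
                "delay_ms": float(fields[7]),
                "offset_ms": float(fields[8]),
                "jitter_ms": float(fields[9]),
            })
        except ValueError:
            continue
    return peers


def diagnose(peer):
    """Return short tags describing what a peer row says about synchronization."""
    tags = []
    answered = bin(peer["reach"] & 0xFF).count("1")  # replies among the last 8 polls
    if answered == 0:
        tags.append("unreachable")  # no replies at all: check that UDP 123 gets through
    elif answered < 8:
        tags.append("lossy")
    if abs(peer["offset_ms"]) > PANIC_MS:
        tags.append("panic-offset")  # ntpd exits instead of correcting the clock
    if peer["tally"] == "*":
        tags.append("system-peer")  # the source ntpd is currently synchronized to
    return tags


if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(f"{p['remote']:16} {TALLY[p['tally']]:12} reach={p['reach']:03o} "
              f"offset={p['offset_ms']:>11.3f} ms  {', '.join(diagnose(p)) or 'ok'}")
```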

## Andersson

It's been a while since I messed around with ntp, but perhaps I can give you some ideas.

First of all, are there any error messages in your logs?

It looks like you are syncing to au.pool.ntp.org as well as the other computers in your network. What are the other two computers syncing from? I don't think two computers should both listen to each other, but I'm sure you already thought of that.  :Razz: 

Try syncing only to au.pool.ntp.org and not the others in your network. If that works, see if you can have only one of them sync to au.pool.ntp.org, and your other computers syncing only to this computer, to minimize the strain on the public servers.

What about firewalls, is the traffic allowed on all computers (udp port 123)? And the restrict line, if you are using one of your own computers as a server, do you have your network addresses after restrict?

And my last tip, if the above doesn't help: try openntpd!  :Wink: 

----------

## the_enigma

Hi.  The other two computers, one syncs just to au.pool.ntp.org.   My laptop syncs to au.pool and to the previous machine, "games", which is set up to be a local server.  The log file is basically empty, which is annoying.  

I've set the dodgy machine to only sync to au.pool.ntp.org.  It's been running for about an hour, and has gone from ontime (by using ntpdate) to having an offset of -47859.  So 48 seconds off after an hour.  And not synced, and it keeps drifting away.

All machines are behind the same firewall, and all machines were going to use the same config, which is why I'm confused.  The same config file is on my laptop+desktop (same version of ntp too), yet the desktop won't sync. 

Oh, and as to openntpd, it "works", but it doesn't allow for drifting, which is obviously what my clock is doing.  So I'd get roughly a 60s clock change every 3 minutes.  So ntp seems to be sort-of doing its job, maybe it's just taking ages to sync.  I've only ever left it for around 12-14 hours.

I think that covers all the points you mentioned.

----------

## PaulBredbury

 *the_enigma wrote:*   

> My machine which has crazy drift is still not being synced.

 

Have you configured the required "Default Linux Capabilities" kernel option, as per the howto?

----------

## the_enigma

I thought "If this option is not selected, the default Linux security model will be used." meant that if I had set that option to N, it would be the same thing.  But I'll try enabling it anyway, see if it makes a difference.  Oh, and none of the machines have that option enabled, and only this one machine has trouble with ntpd.

----------

## Andersson

Is the clock drifting at the same rate if ntpd is not running?

----------

## the_enigma

It seems to be faster with ntpd running.  Which has got me confused.  Without running ntpd or openntpd, it's vaguely ontime, losing a minute every week or two.  With either one running, it goes nuts.

Oh, and after running ntpd for over a day, I eventually get

```
10 Nov 19:44:14 ntpd[2863]: synchronized to 202.55.152.4, stratum 3
10 Nov 19:44:14 ntpd[2863]: time correction of -1101 seconds exceeds sanity limit (1000); set clock manually to the correct UTC time.
```

Which sort of makes sense, I just don't know why it takes so long.

Oh, and I have tried deleting and recreating the drift file for ntpd, didn't change anything.

----------

