How to configure the ntpd service in Red Hat Enterprise Linux to function as an NTP time server for a network of NTP clients

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 3
  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • How to configure NTP
  • How to set up NTP
  • Basic NTP setup
  • How to configure network time

The ntp package provides the Network Time Protocol (NTP) time synchronization daemon. This daemon is capable of keeping the local system synchronized to an external time source, as well as providing NTP time server services to the network, depending upon its configuration.

This article will provide an example configuration of an NTP server for the local network which uses multiple external servers as trusted time sources, and requires the ntp package to be installed on the server.

Resolution

In the example configuration shown, the ntpd service will be configured to allow hosts within two example IP subnets (10.0.0.0/255.0.0.0 and 192.168.0.0/255.255.255.0) to use this server as an NTP server. Queries from all other hosts except localhost (127.0.0.1) will not be accepted, and only the servers named with server statements will be trusted as stable time sources we synchronize to.

Example /etc/ntp.conf:

# default restrictions - apply these to anyone not specified by a better-
# matching restrict statement.  We will trust any host named as a server,
# but will not allow queries, traps, or modifications to our service
# parameters by default:
restrict default nomodify notrap noquery

# Permit all access over the loopback interface.
restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.
# EDIT TO DEFINE IP SUBNETS OF YOUR NTP CLIENTS:
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

# --- OUR TIMESERVERS -----
# servers we want to use as stable time sources
# we "trust" by default (see 'default' statement above)
# so we shouldn't need special 'restrict' statements for
# these servers to trust them as time sources.
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

# Drift file.
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

# Keys file.
keys            /etc/ntp/keys
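
The comments in the example configuration say the default restrictions apply to anyone not covered by a better-matching restrict statement. The following is an added example, not part of the original article or of the ntp package, that resolves which restrict line applies to a given IPv4 source address so that a subnet edit can be checked before ntpd is restarted. It assumes the best match is the entry with the longest mask; the function names are hypothetical and the sample text is constructed from the restrict lines shown above.

```python
import ipaddress

# Constructed sample: the restrict lines from the example /etc/ntp.conf above.
SAMPLE_CONF = """\
restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org
"""

def parse_restricts(conf_text):
    """Return a list of (IPv4Network, frozenset(flags)) from restrict lines."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        mask = "255.255.255.255"                # no mask given: single-host entry
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"   # default covers every IPv4 source
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue                            # IPv6 or hostname entries: out of scope
        rules.append((net, frozenset(rest)))
    return rules

def effective_restriction(rules, source_ip):
    """Return the (network, flags) entry with the longest mask that contains source_ip."""
    ip = ipaddress.IPv4Address(source_ip)
    matches = [rule for rule in rules if ip in rule[0]]
    if not matches:
        return None                             # no default line and no match
    return max(matches, key=lambda rule: rule[0].prefixlen)

if __name__ == "__main__":
    rules = parse_restricts(SAMPLE_CONF)
    # 192.168.1.17 is outside the /24 client subnet, so it falls through to default.
    for src in ("127.0.0.1", "10.20.30.40", "192.168.0.17", "192.168.1.17", "203.0.113.5"):
        net, flags = effective_restriction(rules, src)
        print(f"{src:15} -> {net}  flags: {' '.join(sorted(flags)) or '(none)'}")
```
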

Notes

NTP uses UDP port 123. In order for the server to both synchronize itself with its trusted time sources and service NTP clients, the server's firewall configuration must allow UDP traffic to destination port 123. The noquery restriction used in the default restrict statement will protect the server from functioning as an NTP server to hosts not defined as shown in the CLIENT NETWORK section. If iptables rules are contemplated to further limit NTP traffic to only authorized hosts, caution in selection of iptables rules is highly recommended.

The ntpd service may have already been running prior to the above configuration being set, depending on the post-install configuration options chosen and other factors. Therefore it is recommended the ntpd service be restarted to ensure the desired configuration is applied:

[root@host ~]# service ntpd restart
Shutting down ntpd:                              [  OK  ]
ntpd: Synchronizing with time server:            [  OK  ]
Starting ntpd:                                   [  OK  ]

The ntpd service should be configured to automatically start in all network runlevels. The following command will accomplish this:

[root@host ~]# chkconfig --level 345 ntpd on

Note that it is normal for the ntpd daemon to need as long as 5 minutes (or perhaps longer, depending upon the environment) to receive enough data from the time sources defined by server statements to choose the most stable one. Until this has occurred, network clients will not be able to use the local ntpd as a time source. A common symptom of this situation is the error message "no suitable server for synchronization found" when clients attempt to synchronize to the server.

For further documentation on the ntpd time synchronization daemon, refer to the documentation provided with the ntp package in /usr/share/doc/ntp-(version).
