Talk:HOWTO NTP

From Gentoo Linux Wiki

Sync your time and write it in to the BIOS

Code: Sync The Time

$ ntpdate 131.107.1.10 && hwclock --systohc

Never use a hard-coded IP address - it leads to flooding servers. Something like pool.ntp.org or uk.pool.ntp.org (or even n.uk.pool.ntp.org for n in 0..2) is much better, but really you should be using ntpd. hwclock will run on shutdown anyway (if /etc/init.d/clock is in /etc/runlevels/boot, which it is by default I think). --TC 13:01, 11 November 2007 (UTC)
Rather, it will run on shutdown if you set CLOCK_SYSTOHC="yes" in /etc/conf.d/clock. TC 13:29, 11 November 2007 (UTC)

Keep up with Windows (if necessary)

Extracted from Web submission
Tip provided by Don Faulkner

Don't forget a simple "net time" command for Windows systems.
According to my NT side, the syntax is:

NET TIME [\\computername | /DOMAIN[:domainname]] [/SET]

My experience is that you can also append a [/YES] to have the time set in unattended mode. I set this up with AT like so:

AT 01:00 /every:M,W,F "NET TIME \\SambaServer /SET /YES"

Our Linux systems sync their time to a universal time server, and thus everybody's happy.

For Win95, use the system agent, or anything else available. A batch file called from the startup group is sufficient if the machine is rebooted enough to suit you. The "NET TIME" syntax is the same.

I've spent a lot of time trying to get my LAN clients (192.168.0.x) syncing time with the LAN server (192.168.0.10). I've ended up with this, which seems to work:

router root # cat /etc/ntp.conf

server ntp.cis.strath.ac.uk
server ntp2a.mcc.ac.uk
server time-server.ndo.com
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
fudge 127.127.1.0 stratum 3
server 127.127.1.0
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
router root #

client

bash-2.05b# cat /etc/ntp.conf
server 127.127.1.0
server 192.168.0.10
fudge 127.127.1.0 stratum 12
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

bash-2.05b#


As well, I needed to open a port of the firewall (to make it easy I opened port 123 to let all through and rely on the ntp server config to restrict access).

More Info Here: http://forums.gentoo.org/viewtopic-p-2168758.html#2168758
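How ntpd picks the restrict entry for a given source address, run against the server config from this post (an added example, not part of the original post). It assumes IPv4 literal addresses only; the function names and the two sample source addresses are illustrative.

```python
import ipaddress

# Constructed excerpt of the server ntp.conf posted above (other lines omitted).
NTP_CONF = """\
server ntp.cis.strath.ac.uk
restrict 192.168.0.0 mask 255.255.255.0 notrust nomodify notrap
fudge 127.127.1.0 stratum 3
server 127.127.1.0
"""

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")

def parse_restrict(conf_text):
    """Map each IPv4 restrict entry to its flag set, including the implicit default."""
    # ntpd always carries a default entry (0.0.0.0 mask 0.0.0.0). Without a
    # 'restrict default ...' line it has no flags, so it restricts nothing.
    entries = {DEFAULT_NET: set()}
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        if tok[1] == "default":
            net, flags = DEFAULT_NET, tok[2:]
        elif len(tok) > 3 and tok[2] == "mask":
            net, flags = ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False), tok[4:]
        else:  # bare address: host entry
            net, flags = ipaddress.ip_network(f"{tok[1]}/32"), tok[2:]
        entries[net] = set(flags)
    return entries

def flags_for(entries, source_ip):
    """Flags of the most specific entry that contains source_ip."""
    ip = ipaddress.ip_address(source_ip)
    best = max((net for net in entries if ip in net), key=lambda n: n.prefixlen)
    return sorted(entries[best])

def audit(conf_text, sources):
    entries = parse_restrict(conf_text)
    return {src: flags_for(entries, src) for src in sources}

if __name__ == "__main__":
    # 192.168.0.23: a LAN client. 203.0.113.7: outside host (documentation range).
    for src, flags in audit(NTP_CONF, ["192.168.0.23", "203.0.113.7"]).items():
        print(f"{src:15} {' '.join(flags) or 'no restrictions (implicit default)'}")
```

With port 123 open to everyone, hosts outside 192.168.0.0/24 match only the implicit default entry, so a `restrict default ...` line is what actually limits them.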


DHCP + NTP

If DHCP is activated do you only need to:

  1. emerge ntp
  2. /etc/init.d/ntp-client start
  3. rc-update add ntp-client default

In order to have your computer sync with the DHCP server?

The ntpd-service should be started as well to keep the time in sync. Rune 17:52, 7 May 2006 (UTC)

ntp-client killed at boot

Our LAN uses spanning tree; when the network interface (eth0) is brought up at boot, no data can flow for up to a minute until spanning tree finishes its job.

Because of this ntp-client is killed at boot because it gets hung up waiting. Not sure what the best way around this is. Don't ask me why we use spanning tree, I'm not the network guy ;)

You use spanning tree to avoid a network storm caused by loops.

Don't use ntp-client at all. Use ntpd. --TC 13:03, 11 November 2007 (UTC)

/var/log/messages ?

If you are seeing Bad file descriptor errors in /var/log/messages, then make sure that only one instance of ntpd is running:

My gentoo system does not have a /var/log/messages, and I was under the impression that Gentoo used a different logging structure. Does this need to be edited to say for example /var/log/everything, or wherever ntp messages get filed?

--Sputicus 21:18, 26 September 2005 (GMT)

This being Gentoo it uses the logging structure you choose ;-) Mainly by selecting which logger to install (sysklogd, syslog-ng or metalog) as they use different layouts. --mda

Using cron to keep time

Should we add a section about using cron instead of ntpd? Something like the following with added discussion of pros and cons, example cron etc?

Instead of running the ntpd to keep the time in sync while running you can also use a cron job to run the command every so often. Use the following command which will use the config from /etc/ntp.conf.

$ ntpd -q

--mda Wed Nov 2 00:13:59 GMT 2005

That is a very bad idea. The reason is that the timeservers get flooded every hour. ntpd will randomise its polling to avoid that. SNTP-clients run when people turn on their workstations at 8:00 is bad enough. Rune 17:57, 7 May 2006 (UTC)

NTPD and LDAP or NIS

If you find that you are still getting Error : Servname not supported for ai_socktype and you use LDAP or NIS, then double check your /etc/nsswitch.conf

# for ldap, change the following:
services:       ldap [NOTFOUND=return] files
# to
services:       files ldap [NOTFOUND=return]
# or
services:       db files
# if you use nis then replace ldap to read nis

If you have used the Gentoo HOWTO for LDAP http://www.gentoo.org/doc/en/ldap-howto.xml#doc_chap4 (Code Listing 4.5: /etc/nsswitch.conf) then this will not be the cause of any problems.

But if, like me... heh... you tried to do funky network stuffs... then it's because LDAP isn't set up with services properly... stick to your files instead :)

--DP110 20:11, 19 January 2006 (GMT)
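Why the order of the services line matters, as an added example (not part of the original comment): a small simulation of how the name service switch walks its sources. It assumes an LDAP directory that holds no services entries and an /etc/services that lists ntp; the function names are illustrative.

```python
import re

# glibc defaults: stop on success, try the next source on anything else.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

BROKEN = "services:       ldap [NOTFOUND=return] files"
FIXED = "services:       files ldap [NOTFOUND=return]"

def parse_services_line(line):
    """Parse 'services: src [STATUS=action] src ...' into [(source, actions)]."""
    spec = line.split(":", 1)[1]
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", spec):
        if token.startswith("["):
            # An action list modifies the source that precedes it.
            for item in token.strip("[]").split():
                status, action = item.split("=")
                chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((token, dict(DEFAULT_ACTIONS)))
    return chain

def resolve(chain, backend_status):
    """Walk the chain for one lookup; backend_status maps source -> status."""
    for source, actions in chain:
        status = backend_status.get(source, "UNAVAIL")
        if actions[status] == "return":
            return (source, status)
    return (None, "NOTFOUND")

if __name__ == "__main__":
    # Constructed scenario: looking up the "ntp" service.
    status = {"ldap": "NOTFOUND", "files": "SUCCESS"}
    for line in (BROKEN, FIXED):
        source, result = resolve(parse_services_line(line), status)
        print(f"{line!r}: answered by {source} with {result}")
```

In the first ordering the lookup stops at ldap with NOTFOUND and never reaches files, which is the condition ntpd reports as the Servname error.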

NTP and TCP

Citing the NTP debugging documentation: "Note that NTP does not use TCP in any form. Also note that NTP requires 123 for both source and destination ports. These facts should be pointed out to firewall administrators."

2006.1 profile / gcc 4.1 update

In 2006.1, the "caps" use flag is no longer on by default. When you upgrade to 2006.1 and recompile ntp (a required step as part of the upgrade to gcc 4.1), it will no longer have the "caps" functionality, and will stop working, with no changes to the configuration files. To get it working again, start reading from the top of the page as if you are doing a fresh install. Some things you may have to do:

  • Add "caps" use flag to make.conf or package.use, re-emerge ntp
  • Remove -u flag from ntp-client options

I added some words to the page about this "gotcha" in the 2006.1 profile, but they were removed. I put them there because there are about 12 forum posts asking "Why doesn't NTP work anymore?". However, they were poorly worded and technically redundant, so someone removed them. I'm putting them on this page, in case they are useful for someone else. JohnWhitlock 20:10, 22 September 2006 (UTC)

What does 'set its caps USE flag' mean?

There are alternative programs to perform time synchronization via NTP, such as OpenNTPD and Chrony.

To install ntp, set its caps USE flag in package.use, and run:

emerge ntp



For someone new, this makes NO sense. I have looked up how to use 'package.use' files, but this still isn't understandable.


The caps USE flag enables running daemons in user space - without root privileges

Enable caps:

   # emerge
   echo "net-misc/ntp caps" >> /etc/portage/package.use
   emerge -bavt ntp
   # kernel options
   Security options  --->
    [*] Enable different security models
    <*>   Default Linux Capabilities - CONFIG_SECURITY_CAPABILITIES
   # edit /etc/conf.d/ntpd
   NTPD_OPTS="-u ntp:ntp"

Voila, ntp should now be running as user ntp => check /var/log/messages

--84.191.31.77 21:19, 1 November 2006 (UTC) Herrmann
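A more direct check than the log that the -u ntp:ntp setup took effect is to read the daemon's effective UID and capability mask from /proc/<pid>/status. The following is an added example, not part of the original comment; the two status excerpts are constructed, uid 123 stands in for the ntp user, and the expected capability set is an assumption of this example.

```python
# Capability bit numbers from linux/capability.h (subset).
CAP_BITS = {6: "CAP_SETGID", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
            18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN", 25: "CAP_SYS_TIME"}

# Assumption for this example: a time daemon needs at most these two.
EXPECTED = {"CAP_SYS_TIME", "CAP_NET_BIND_SERVICE"}

# Constructed /proc/<pid>/status excerpts (uid 123 stands in for user ntp).
STATUS_DROPPED = """\
Name:\tntpd
Uid:\t123\t123\t123\t123
CapPrm:\t0000000002000400
CapEff:\t0000000002000400
"""
STATUS_ROOT = """\
Name:\tntpd
Uid:\t0\t0\t0\t0
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
"""

def decode_caps(hex_mask):
    """Turn a CapEff hex mask into capability names (cap_<n> if not in CAP_BITS)."""
    mask = int(hex_mask, 16)
    return [CAP_BITS.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]

def check_status(status_text):
    """Report effective UID, effective capabilities and whether privileges were dropped."""
    fields = dict(line.split(":", 1) for line in status_text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    caps = decode_caps(fields["CapEff"].strip())
    return {
        "euid": euid,
        "caps": caps,
        "can_set_clock": "CAP_SYS_TIME" in caps,
        "least_privilege": euid != 0 and set(caps) <= EXPECTED,
    }

if __name__ == "__main__":
    for label, text in (("after -u ntp:ntp", STATUS_DROPPED), ("still root", STATUS_ROOT)):
        print(label, check_status(text))
```

On a live system, pass the contents of /proc/<pid>/status for the running ntpd to check_status().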

ntpd flooding server?

My ntpd is sending packets to the timeserver at a rate of about once per minute and has been doing so for many hours. That's not normal, is it? What would be a normal synchronization rate and where would that be configured? 83.78.60.148 23:48, 4 June 2007 (UTC)

With 8 servers every 4 hours (maxpoll 14), I'm ±20 ms - I should probably reduce this to every day or so (maxpoll 17), since the whole point about ntpd is that it extrapolates to keep your clock accurate without needing to poll timeservers. Run ntpq, type "peers", and see what you get. TC 13:13, 11 November 2007 (UTC)

Kernel config

The article mentions:

If you are using a 2.6 series kernel, make sure it has been compiled with the following options, to allow ntpd to set the clock whilst dropping root privileges:

Linux Kernel Configuration: make menuconfig
Security options  --->
 [*] Enable different security models
 <*>   Default Linux Capabilities - CONFIG_SECURITY_CAPABILITIES

But a.f.a.i.k when "Enable different security models" is disabled, it defaults to "Default Linux Capabilities" so this step is redundant, if no other security models are needed/set.

Linux Kernel Configuration: make menuconfig

CONFIG_SECURITY:

This allows you to choose different security modules to be configured into your kernel.

If this option is not selected, the default Linux security model will be used.

If you are unsure how to answer this question, answer N.
