2.4 :: DAS - Time Server Setup
Since Kerberos networks require that all participating hosts have their clocks synchronized within 5 minutes of the KDCs, we need to implement some mechanism for doing this. On the DAS server side, the answer is ntpd, the Network Time Protocol daemon. The server setup is relatively simple, and there are several options for keeping your clients in sync.
The NTP daemon listens on UDP port 123. NTP clients may send from source port 123 or from an ordinary non-privileged port; some firewalls drop traffic from clients that use a UDP source port below 1024, so check your filter rules if queries from a client never get an answer.
These are step-by-step instructions for configuring and testing NTP servers and clients. These instructions assume the following:
If you followed the baseline OS installation procedures for Red Hat 9, the package should already be installed. According to Red Hat, there are currently no security updates for it.
[root@das-m etc]# rpm -qa | grep ntp
ntp-4.1.2-0.rc1.2
The package includes ntpd, a utility called ntpdate, manpages, and other documentation.
In our case, there is only one upstream NTP server we can connect to. It is radius.kerb.org at 10.10.20.111. We cannot connect to any public NTP servers because the institute's firewall only allows NTP from the outside world to the RADIUS server. Check the list of public NTP servers and read requirements for using them.
To make sure that you can successfully make an NTP query from DAS-M or DAS-S to the RADIUS server, use the ntpdate command like this:
[root@das-m etc]# ntpdate -q radius.kerb.org
server 10.10.20.111, stratum 2, offset 0.001151, delay 0.02583
23 Oct 16:35:10 ntpdate[1086]: adjust time server 10.10.20.111 offset 0.001151 sec
This queries the NTP server, but does not set the clock. For more information, you can use the -d (debug) option instead, which also does not set the clock.
Use the date command to make sure that your timezone is correct, and that your system clock is not already way out of whack. Correct as necessary.
The /etc/ntp.conf file controls the behaviour of the NTP daemon. The config we are using will restrict access to our lab network, and specify the server we will use. It is fairly simple:
# DAS-M ntpd config
# Configured by Van, 8-8-2003
#
restrict default ignore
restrict 127.0.0.1
restrict 10.10.22.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.10.20.111 mask 255.255.255.255 nomodify notrap noquery
server 10.10.20.111
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
broadcastdelay 0.008
authenticate no
keys /etc/ntp/keys
# End Config
[root@das-m etc]# /etc/init.d/ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@das-m etc]# pgrep -l ntp
685 ntpd
[root@das-m etc]# netstat -una | grep 123
udp        0      0 10.10.22.42:123         0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
[root@das-m etc]# chkconfig ntpd off
[root@das-m etc]# chkconfig --level 345 ntpd on
[root@das-m etc]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
It may take a number of minutes for the clock to synchronize. You can use the ntpdc command to view information about ntpd's status. It can be used in interactive mode, by simply entering ntpdc, or invoked with the -c switch to run the commands from the shell prompt. Here is a list of useful ntpdc commands:
When your NTP daemon is synchronized, it should look something like this, with a * on the far left:
[root@das-m root]# ntpdc -c peers
remote local st poll reach delay offset disp
=======================================================================
*radius.kerb.org 10.10.22.42 2 512 377 0.00034 -0.008775 0.00725
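The two checks above (the ntpdate -q offset and the "*" selection marker in ntpdc -c peers) can be scripted so that a host is flagged before it drifts outside the 5-minute Kerberos tolerance. This is an added example, not part of the original guide; the sample outputs are constructed, the function names are ours, and in real use the samples would be replaced by live `ntpdate -q radius.kerb.org` and `ntpdc -c peers` output.

```shell
#!/bin/sh
# Added example: verify a DAS host against the Kerberos clock tolerance.
KRB_MAX_SKEW=300   # seconds: the 5-minute tolerance stated in the text

# Reads `ntpdate -q` output on stdin. Returns 0 when every "server ... offset X"
# line reports an absolute offset no larger than KRB_MAX_SKEW, 1 otherwise
# (including the case where no server line was seen at all).
offset_within_skew() {
    awk -v max="$KRB_MAX_SKEW" '
        /^server / {
            for (i = 1; i <= NF; i++) if ($i == "offset") {
                off = $(i + 1); sub(/,$/, "", off); off = off + 0
                if (off < 0) off = -off
                if (off > max + 0) bad = 1
                seen = 1
            }
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Reads `ntpdc -c peers` output on stdin. Returns 0 only when some peer line
# starts with "*", i.e. ntpd has selected a synchronization source.
peer_synchronized() {
    awk 'substr($0, 1, 1) == "*" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample outputs (hypothetical, not captured from a real host).
SAMPLE_NTPDATE_OK='server 10.10.20.111, stratum 2, offset 0.001151, delay 0.02583
23 Oct 16:35:10 ntpdate[1086]: adjust time server 10.10.20.111 offset 0.001151 sec'
SAMPLE_NTPDATE_BAD='server 10.10.20.111, stratum 2, offset -412.5, delay 0.02583'
SAMPLE_PEERS_OK='*radius.kerb.org 10.10.22.42      2  512  377 0.00034 -0.008775 0.00725'
SAMPLE_PEERS_NOSYNC='=radius.kerb.org 10.10.22.42      2   64    1 0.00034 -0.008775 0.00725'

# check_host NTPDATE_OUTPUT PEERS_OUTPUT: prints a verdict, returns 0 on pass.
check_host() {
    if printf '%s\n' "$1" | offset_within_skew && printf '%s\n' "$2" | peer_synchronized; then
        echo "OK: offset within ${KRB_MAX_SKEW}s and ntpd has a selected peer"
        return 0
    fi
    echo "FAIL: clock skew too large or ntpd not yet synchronized"
    return 1
}
```

Until ntpd shows the "*" marker (which can take several minutes after start, as noted above), the check fails even when the ntpdate offset is tiny; that is intentional, because an unsynchronized daemon gives no guarantee about future drift.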
You will also want to configure and start the NTP daemon on DAS-S. This gives your DAS clients a second source to synchronize from. Just do steps 1-7 on DAS-S.
The NTP home page
Dr. David Mills' NTP page
Practical Guide to Date, Time, and Time Zones for Red Hat Linux