4.3 :: DAS Client Time Synchronization |
Since Kerberos networks require that all participating hosts have their clocks synchronized within 5 minutes of the KDCs, we need to implement some mechanism for doing this. There are several ways to keep your DAS clients synchronized:
Simply setting the clock manually will probably cause you headaches later, since it may not be clear why authentication is failing.
We will only look at two methods: running ntpd or running ntpdate via cron. Of the two methods, running the NTP daemon is preferred. However, there may be cases where you do not want the overhead of running ntpd and you want to use a simpler approach.
The NTP daemon listens on UDP port 123, and NTP clients may use a source port of 123, or standard non-privileged ports. Some firewalls do not accept traffic when clients use a UDP source port < 1024.
These are step-by-step instructions for configuring and testing NTP servers and clients. The instructions are Red Hat/Fedora specific, but the config files should work on Debian and Mandrake. There is a FreeBSD link in the References section. These instructions assume the following:
If you followed the baseline OS installation procedures for Red Hat 9, the package should already be installed. According to Red Hat, there are currently no security updates for it.
[root@das-m etc]# rpm -qa | grep ntp
ntp-4.1.2-0.rc1.2
The package includes ntpd, a utility called ntpdate, manpages, and other documentation.
To make sure that you can successfully make NTP queries to DAS-M or DAS-S, use the ntpdate command like this:
[root@labdemo2 root]# ntpdate -q das-m das-s
server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583
10 Jun 10:11:08 ntpdate[30613]: adjust time server 10.10.22.42 offset 0.020712 sec
This queries the NTP servers, but does not set the clock. For more information, you can use the -d (debug) option instead, which also does not set the clock.
Use the date command to make sure that your timezone is correct, and that your system clock is not already way out of whack. Correct as necessary.
The /etc/ntp.conf file controls the behaviour of the NTP daemon. The config we are using will restrict access to the loopback, and specify das-m and das-s as the servers. It is fairly simple:
# DAS Client ntpd config
# Configured by Van, 8-8-2003
#
restrict default ignore
restrict 127.0.0.1
# Our Time Servers (das-s and das-m)
restrict 10.10.22.40 mask 255.255.255.255 nomodify notrap noquery
restrict 10.10.22.42 mask 255.255.255.255 nomodify notrap noquery
server 10.10.22.40 ## das-s
server 10.10.22.42 ## das-m
fudge 127.127.1.0 stratum 10
driftfile /etc/ntp/drift
broadcastdelay 0.008
authenticate no
keys /etc/ntp/keys
# End Config
[root@labdemo2 log]# /etc/init.d/ntpd start
Starting ntpd: [ OK ]
[root@labdemo2 log]# pgrep -l ntp
30772 ntpd
[root@labdemo2 log]# netstat -una | grep 123
udp 0 0 10.10.22.41:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
[root@labdemo2 etc]# chkconfig ntpd off
[root@labdemo2 etc]# chkconfig --level 345 ntpd on
[root@labdemo2 etc]# chkconfig --list ntpd
ntpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
It may take a number of minutes for the clock to synchronize. You can use the ntpdc command to view information about ntpd's status. It can be used in interactive mode, by simply entering ntpdc, or invoked with the -c switch to run the commands from the shell prompt. Here is a list of useful ntpdc commands:
When your NTP daemon is synchronized, it should look something like this, with a * on the far left:
[root@labdemo2 etc]# ntpdc -c peers
remote local st poll reach delay offset disp
=======================================================================
=das-m 10.10.22.41 3 512 377 0.00070 0.033431 0.00563
*das-s 10.10.22.41 3 512 376 0.00029 0.017484 0.00369
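The two status checks shown above (the offsets reported by ntpdate -q, and the * sync marker in ntpdc -c peers) can be scripted into one health check that a cron job or monitoring agent runs on every DAS client before Kerberos starts failing silently. This is an added example and not part of the original page; the 300-second threshold is the 5-minute Kerberos skew mentioned at the top of the page, and check_das_client(), the sample outputs and the stratum-16 (unsynchronized) test are assumptions of the example.

```bash
#!/bin/bash
# Added example (not from the original page): verify that a DAS client is inside
# the Kerberos 5-minute clock-skew window using the two commands the page uses,
# "ntpdate -q" and "ntpdc -c peers". The sample outputs below are constructed
# so the checks can be exercised offline; check_das_client() runs them live.

KRB_MAX_SKEW=300   # Kerberos tolerates at most 5 minutes of skew (seconds)

# Reads "ntpdate -q" output on stdin. Succeeds only if at least one server
# answered, every server is synchronized (stratum < 16) and every reported
# |offset| is below KRB_MAX_SKEW.
ntpdate_within_skew() {
    awk -v max="$KRB_MAX_SKEW" '
        /^server / {
            # e.g. "server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576"
            for (i = 1; i < NF; i++) {
                if ($i == "stratum") st = $(i + 1)
                if ($i == "offset")  off = $(i + 1)
            }
            sub(/,$/, "", st); sub(/,$/, "", off)
            off += 0; if (off < 0) off = -off
            if (st + 0 >= 16 || off >= max) bad = 1
            n++
        }
        END { exit ((n == 0 || bad) ? 1 : 0) }'
}

# Reads "ntpdc -c peers" output on stdin. Succeeds only if ntpd has selected a
# sync peer, shown by "*" in the first column.
ntpd_is_synced() {
    grep -q '^\*'
}

# Constructed sample output, not captured from a live host.
SAMPLE_NTPDATE_OK='server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583'
SAMPLE_NTPDATE_SKEWED='server 10.10.22.42, stratum 3, offset -412.339102, delay 0.02576'
SAMPLE_NTPDATE_UNSYNC='server 10.10.22.42, stratum 16, offset 0.000000, delay 0.02576'
SAMPLE_PEERS_OK='=das-m           10.10.22.41      3  512  377 0.00070  0.033431 0.00563
*das-s           10.10.22.41      3  512  376 0.00029  0.017484 0.00369'
SAMPLE_PEERS_NOSYNC='=das-m           10.10.22.41      3   64    0 0.00000  0.000000 0.00000
=das-s           10.10.22.41      3   64    0 0.00000  0.000000 0.00000'

# Live check against the page's servers (das-s, das-m); not run at load time.
check_das_client() {
    ntpdate -q -u das-s das-m | ntpdate_within_skew || { echo "clock skew too large" >&2; return 1; }
    ntpdc -c peers | ntpd_is_synced || { echo "ntpd has no sync peer" >&2; return 1; }
    echo "time OK"
}
```

A non-zero exit from check_das_client is the condition to alert on; it fires before the skew is large enough to make KDC requests fail.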
In some situations, running ntpd on every DAS client is overkill. You can use ntpdate to set the time periodically via NTP. Here are the basic commands:
[root@labdemo2 etc]# ntpdate das-m
10 Jun 11:42:35 ntpdate[32709]: adjust time server 10.10.22.42 offset 0.085310 sec
[root@labdemo2 etc]# ntpdate -u das-m
10 Jun 11:42:41 ntpdate[32710]: adjust time server 10.10.22.42 offset 0.082466 sec
The -u option makes the query from a non-privileged UDP source port, and may be necessary depending on what host-based or network firewalls are between your DAS client and your DAS server. You can also specify both DAS servers as NTP sources for redundancy:
[root@labdemo2 etc]# ntpdate -u das-s das-m
10 Jun 11:43:41 ntpdate[32711]: adjust time server 10.10.22.42 offset 0.055390 sec
If you want to run this command hourly, or daily, just place it in the appropriate cron directory. For example, to run the ntpdate command hourly, you would create a bash script called ntpdate-hourly:
#!/bin/bash
# Run ntpdate hourly to keep clocks in sync
ntpdate -u -s das-s das-m
# End script
The -s option sends the command output to syslog instead of standard output, so that cron will not send you an e-mail every hour when the command runs successfully. You can see the result by looking at the /var/log/messages log file instead. The -u option allows the client to use an unprivileged source port for the query, which works best with many firewalls and NAT devices.
Now copy the script to the /etc/cron.hourly directory and change the permissions:
[root@labdemo2 root]# cp -v ntpdate-hourly /etc/cron.hourly
`ntpdate-hourly' -> `/etc/cron.hourly/ntpdate-hourly'
[root@labdemo2 root]# chmod 0750 /etc/cron.hourly/ntpdate-hourly
Your DAS clients should now be automatically updated with the correct time, and you will not have any Kerberos problems related to time skew.
The NTP home page
Dr. David Mills' NTP page
FreeBSD NTP Setup Guide
Practical Guide to Date, Time, and Time Zones for Red Hat Linux