##################################################################################
Lab environment: Red Hat 6.8
VMware Workstation 12.5
NTP server name: OCBSAP01
NTP client name: ocbsweb01
Experimental purpose: set up an NTP server that takes its time from an NTP server on the Internet,
and allow clients in the subnet 192.168.10.0/24 to use that server for network time synchronization
Upstream (extranet) NTP address used in the experiment: cn.pool.ntp.org
###################################################################################
NTP server: the Network Time Protocol (NTP) is a protocol used to synchronize computer clocks. It lets a computer synchronize to its time servers or to clock sources (quartz clocks, GPS, etc.) and provides high-precision time correction (within 1 millisecond of the reference on a LAN, within tens of milliseconds over a WAN). It also supports cryptographic authentication to protect against malicious protocol attacks.
The protocol uses UDP port 123.
#################### #Server-end Operation #####################################
1. Check whether the NTP software is installed. Here the system ships with ntp-4.2.6p5-10.el6.x86_64:
[root@ocbsap01 /]# rpm -qa | grep ntp
ntp-4.2.6p5-10.el6.x86_64
ntpdate-4.2.6p5-10.el6.x86_64
2. Edit the NTP configuration file /etc/ntp.conf: back it up first, then empty it with "echo > /etc/ntp.conf" and copy in the configuration below.
Explanation of the restrict parameter:
restrict controls the access permissions of the hosts that match it.
Syntax: restrict <IP address> mask <subnet mask> <parameters>
The IP address may also be "default", which refers to all IP addresses.
The parameters are as follows:
ignore: refuse all NTP service to the matching hosts (no packets of any kind are answered)
nomodify: the client cannot change the time parameters on the server side, but it can still synchronize its time from the server.
notrust: the matching hosts are treated as an untrusted subnet unless they are cryptographically authenticated
noquery: the client cannot query the status of the NTP server with commands such as ntpq and ntpdc (time synchronization itself is still served)
notrap: do not provide the trap service: deny the matching hosts the mode 6 control-message trap service. The trap service is a subsystem of the ntpdc control message protocol, intended for remote event-logging applications.
nopeer: prevents the matching hosts from establishing a peer association with the server, which could otherwise let a rogue server control the clock
kod: a Kiss-o'-Death (KoD) packet is sent when an access violation occurs.
restrict -6 sets the permissions for IPv6 addresses.
Note: if no parameter is given, the IP (or subnet) is not restricted at all!
2.1 The contents of the configuration file are as follows:
driftfile /var/lib/ntp/drift
# defaults: deny all servers
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Add the network segment whose NTP clients synchronize from us: allow clients in the 192.168.10.0 segment to synchronize time
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
# Add the extranet sync address, i.e. the upstream server mentioned above
server cn.pool.ntp.org minpoll 4 maxpoll 4 prefer
#server 127.127.1.0
fudge 127.127.1.0 stratum 10
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Specify the log file location
logfile /var/log/ntp
logconfig all
statistics clockstats cryptostats loopstats peerstats
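To make the restrict rules above concrete, here is an added example (not code from the original post) that reads an ntp.conf from standard input and reports which restrict entry ntpd applies to a given IPv4 client, and with which flags. It relies on ntpd's rule that the most specific matching entry (longest mask) wins, treats a bare host address as a /32 and "default" as 0.0.0.0 with mask 0.0.0.0, and leaves IPv6 entries out of scope. The configuration it runs against is constructed for the example: it mirrors the server configuration above plus one extra host entry, 192.168.10.250, blocked with ignore, to show a host entry beating the /24 entry that also matches it.

```shell
# Added example (not from the original post): work out which "restrict" line
# ntpd applies to an IPv4 client. ntpd keeps the restrict list sorted so that
# the most specific matching entry (longest mask) wins; a bare host address
# means mask 255.255.255.255 and "default" means 0.0.0.0 mask 0.0.0.0.
# IPv6 ("restrict -6 ...") entries are out of scope for this example.

# ip4_to_int A.B.C.D -> unsigned integer
ip4_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# ntp_restrict_for CLIENT_IP < ntp.conf
# Prints "<entry>: <flags>" for the restrict entry that applies to CLIENT_IP.
ntp_restrict_for() {
    client=$(ip4_to_int "$1")
    best_mask=-1; best_desc="(no restrict entry)"; best_flags=""
    while read -r kw addr rest; do
        [ "$kw" = restrict ] || continue                   # comments and other directives
        case "$addr" in
            -4) set -- $rest; addr=$1; shift; rest=$* ;;   # "restrict -4 <addr> ..." form
            -6|*:*) continue ;;                            # IPv6 entries: out of scope
        esac
        if [ "$addr" = default ]; then
            net=0; mask=0; desc=default
        else
            net=$(ip4_to_int "$addr")
            set -- $rest
            if [ "${1:-}" = mask ]; then
                mask=$(ip4_to_int "$2"); desc="$addr mask $2"; shift 2
            else
                mask=4294967295; desc=$addr                # bare host address: /32
            fi
            rest=$*
        fi
        [ $(( client & mask )) -eq $(( net & mask )) ] || continue   # does the entry match?
        if [ "$mask" -gt "$best_mask" ]; then              # most specific match wins
            best_mask=$mask; best_desc=$desc; best_flags=$rest
        fi
    done
    printf '%s: %s\n' "$best_desc" "${best_flags:-(no restrictions)}"
}

# ntp_client_can_query CLIENT_IP < ntp.conf
# Exit 0 if the client may run ntpq/ntpdc queries against this server,
# i.e. its effective flags contain neither "noquery" nor "ignore".
ntp_client_can_query() {
    flags=$(ntp_restrict_for "$1")
    flags=" ${flags#*: } "                                 # keep only the flag list, padded
    case "$flags" in
        *" noquery "*|*" ignore "*) return 1 ;;
    esac
    return 0
}

# Constructed ntp.conf for the example (mirrors the server config above, plus a
# host entry that blocks one misbehaving client with "ignore").
SAMPLE_CONF='driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.10.250 ignore
restrict 127.0.0.1
restrict -6 ::1
server cn.pool.ntp.org minpoll 4 maxpoll 4 prefer'

# Demo: 192.168.10.250 is the interesting case, where the /32 host entry wins
# over the /24 entry that also matches it.
for ip in 192.168.10.55 192.168.10.250 10.1.2.3 127.0.0.1; do
    printf '%-15s -> %s\n' "$ip" "$(printf '%s\n' "$SAMPLE_CONF" | ntp_restrict_for "$ip")"
done
```

Pipe the real file in with "ntp_restrict_for 192.168.10.55 < /etc/ntp.conf". Note that the 192.168.10.0/24 entry carries nomodify and notrap but not noquery, which is why the client-side ntpstat and ntpdate -d checks later on this page work, while hosts outside that segment fall through to the default entry and are denied queries.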
3. Start the NTP service
[root@ocbsap01 etc]# service ntpd start
Starting ntpd:                                             [  OK  ]
4. View the NTP server status
[root@ocbsap01 ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time6.aliyun.co 10.137.38.86     2 u    5   16    1   48.348   43.397   0.000
Explanation of the relevant fields:
remote: the name of the NTP server that responded to this request (the leading "*" marks the peer ntpd has selected as its time source)
refid: the parent NTP server source that provides time synchronization to the local NTP server.
st: the stratum of the parent NTP server source. NTP is a layered structure: there are top-level servers, then several layers of NTP server sources, and then the clients, so a server can be set from 1 (highest level) to 16 (lowest). To reduce load and network congestion, avoid connecting directly to a stratum 1 server.
t: the type of the remote server, one of: u for unicast or manycast client, b for broadcast or multicast client, l for local (reference clock), s for symmetric peer, A for manycast server, B for broadcast server, M for multicast server
when: the time elapsed since the last packet was received from this server
poll: the polling interval (in seconds) between the local NTP server and the parent NTP server source, i.e. how often the two sides synchronize. When NTP starts, the poll value is small and synchronization with the parent source is frequent, so the clock is brought into the correct range as soon as possible; the poll value then gradually increases and the synchronization frequency drops accordingly.
reach: an octal value used to test whether the server can be reached. It is an 8-bit shift register of the last eight polls, so each successful poll increases its value, and 377 means all of the last eight polls were answered.
delay: the round-trip delay of NTP messages between the local NTP server and the parent NTP server source.
offset: the time difference between the local NTP server and the parent NTP server source. The closer the value is to 0, the closer our time is to the parent source. (This is the value to watch in day-to-day operation.)
jitter: a measure of the spread of the offset (time difference) over a number of consecutive connections. The lower its absolute value, the more accurately our time matches the parent NTP server source.
#################### #Client-end Operation #####################################
1. Use the ntpdate command; check whether it is installed and, if not, install it with rpm
[root@ocbsweb01 ~]# rpm -qa | grep ntpdate
ntpdate-4.2.6p5-10.el6.x86_64
Test by changing the current client's time:
[root@ocbsweb01 ~]# date -s 2014/05/05
Monday, May 05, 2014 00:00:00 CST
[root@ocbsweb01 ~]# date
Monday, May 05, 2014 00:00:01 CST
2. Synchronize the client's time from the server
[root@ocbsweb01 ~]# ntpdate 192.168.10.128
12 Jan 11:17:37 ntpdate[6694]: adjust time server 192.168.10.128 offset 0.004131 sec
Note: make sure the firewall is off (or allows UDP port 123), and wait a few minutes after starting ntpd on the server so that it has synchronized its own time; otherwise the client gets the error "No server suitable for synchronization found".
3. Client automatic time synchronization: edit /etc/ntp.conf and enable ntpd at boot with chkconfig ntpd --level <run levels> on
Comment out the public pool servers, since the client is downstream of our own server:
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
Then add the line below (the server's host name may be used instead of its IP):
server 192.168.10.128 minpoll 4 maxpoll 4 prefer
######################## #Client-end Verification #############################
1. Check that the client has connectivity to its upstream NTP server. Here the NTP server's IP is shown, so communication between the client and the NTP server is working:
[root@ocbsweb01 ~]# ntpstat
synchronised to NTP server (192.168.10.128) at stratum 4
   time correct to within 333 ms
   polling server every
2. Use "ntpdate -d 192.168.10.128" to verify the time service and view the synchronization details
[root@ocbsweb01 ~]# ntpdate -d 192.168.10.128
12 Jan 11:27:51 ntpdate[6722]: ntpdate 4.2.6p5@... Tue Jan 26 13:50:53 UTC 2016 (1)
Looking for host 192.168.10.128 and service ntp
host found : ocbsap01
transmit(192.168.10.128)
receive(192.168.10.128)
transmit(192.168.10.128)
receive(192.168.10.128)
transmit(192.168.10.128)
receive(192.168.10.128)
transmit(192.168.10.128)
receive(192.168.10.128)
server 192.168.10.128, port 123
stratum 3, precision -24, leap 00, trust 000
refid [192.168.10.128], delay 0.02585, dispersion 0.00017
transmitted 4, in filter 4
reference time:    de02a7b8.6b274a2a  Fri, Jan 12 2018 11:19:20.418
originate timestamp: de02a9b7.417bb6cb  Fri, Jan 12 2018 11:27:51.255
transmit timestamp:  de02a9b7.40d639fc  Fri, Jan 12 2018 11:27:51.253
filter delay:  0.02629  0.02661  0.02585  0.02655
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.001500 0.001742 0.001690 0.001996
               0.000000 0.000000 0.000000 0.000000
delay 0.02585, dispersion 0.00017
offset 0.001690

12 Jan 11:27:51 ntpdate[6722]: adjust time server 192.168.10.128 offset 0.001690 sec
################################### #Common Errors #####################################################
1. Querying with "ntpdate -d" reveals the cause of "no server suitable for synchronization found"
Error 1. Server dropped: strata too high
The NTP client runs "ntpdate ServerIP" and gets the error "no server suitable for synchronization found".
Looking at it on the client with "ntpdate -d ServerIP" shows the error "Server dropped: strata too high", and "stratum 16" is displayed.
Under normal circumstances the valid range of stratum is 0~15.
This happens because the NTP server has not yet synchronized with itself or with its upstream server.
The following definition keeps the NTP server synchronized to itself: if the servers defined in /etc/ntp.conf are unavailable, the local clock is used as the time source served to NTP clients.
server 127.127.1.0
fudge 127.127.1.0 stratum 8
After the NTP service is restarted on the NTP server, it takes some time for the server to synchronize with itself or with its upstream server;
this process may take about 5 minutes, and during that time ntpdate run on the client produces the "no server suitable for synchronization found" error.
So how do you know when the NTP server has finished synchronizing itself?
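The question left open above is answered by the ntpq -p billboard explained in step 4 of the server section: ntpd marks the peer it has selected as its time source with a leading "*", a stratum of 16 means the upstream is itself unsynchronized (the "strata too high" case), and reach records the last eight polls. The shell function below is an added example, not part of the original post. It parses the billboard from standard input (feed it the output of ntpq -p) and exits 0 only when a selected system peer below stratum 16 exists, reporting the stratum this server will itself serve to clients (peer stratum + 1) and how many of the last eight polls were answered. The three billboards it runs against are constructed samples; the third one reproduces the page's own ntpq -p line.

```shell
# Added example (not from the original post): read the "ntpq -p" billboard on
# stdin and report whether ntpd has a usable system peer. Assumes the standard
# ntpq -p layout: a two-line header, then one peer per line whose first column
# is the tally character ("*" = selected system peer) glued to the remote name,
# with stratum in field 3, reach (octal) in field 7 and offset in field 9.
ntp_sync_state() {
    awk '
        NR <= 2 || NF == 0 { next }          # header line, "====" rule, blank lines
        substr($0, 1, 1) == "*" {            # the selected system peer
            found = 1
            peer = substr($1, 2)             # strip the tally character
            st = $3 + 0; reach = $7; offset = $9
        }
        END {
            if (!found) { print "not synced: no system peer selected yet"; exit 1 }
            if (st >= 16) { print "not synced: system peer " peer " is stratum 16 (upstream unsynchronised)"; exit 1 }
            # reach is an octal shift register of the last 8 polls: count the 1 bits
            ok = 0
            for (i = 1; i <= length(reach); i++) {
                d = substr(reach, i, 1) + 0
                ok += (d % 2) + (int(d / 2) % 2) + (int(d / 4) % 2)
            }
            printf "synced peer=%s stratum=%d own_stratum=%d polls_ok=%d/8 offset=%s\n", peer, st, st + 1, ok, offset
            exit 0
        }
    '
}

# Constructed billboard right after "service ntpd start": nothing selected yet,
# the upstream still shows refid .INIT. and stratum 16.
STARTING_BILLBOARD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 cn.pool.ntp.org .INIT.          16 u    -   16    0    0.000    0.000   0.000'

# Constructed billboard a few minutes later: a stratum 2 upstream has been
# selected and all of the last eight polls were answered.
SYNCED_BILLBOARD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time6.aliyun.co 10.137.38.86     2 u    5   16  377   48.348    0.205   0.112'

# The page'"'"'s own billboard: selected after the very first poll (reach 1).
FIRST_POLL_BILLBOARD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time6.aliyun.co 10.137.38.86     2 u    5   16    1   48.348   43.397   0.000'

for bb in "$STARTING_BILLBOARD" "$FIRST_POLL_BILLBOARD" "$SYNCED_BILLBOARD"; do
    printf '%s\n' "$bb" | ntp_sync_state || true
done
```

On the server, "ntpq -p | ntp_sync_state" in a loop with a short sleep gives a clean signal for when clients may be pointed at it; the "own_stratum" value is what a client will see in "ntpdate -d" (stratum 3 in the verification output above) and one below what ntpstat reports on the client (stratum 4).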
Error 2. Server dropped: no data
The error message when running "ntpdate -d" on the client is as follows:
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
transmit(192.168.30.22)
192.168.30.22: Server dropped: no data
server 192.168.30.22, port 123
.....
Jul 17:42:24 ntpdate[14148]: no server suitable for synchronization found
This problem can occur for the following reason:
Check the NTP version. If you are using NTP 4.2 or later, using notrust in a restrict definition leads to the error above.
Use the following command to check the NTP version:
# ntpq -c version
The following is the description from the official NTP website:
The behavior of notrust changed between versions 4.1 and 4.2.
In 4.1 (and earlier) notrust meant "Don't trust this host/subnet for time".
In 4.2 (and later) notrust means "Ignore all NTP packets that are not cryptographically authenticated." This forces remote servers to authenticate themselves to your (client) ntpd.
Solution:
Remove notrust.
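As an added example (not from the original post), the check below ties the two halves of this error together: it extracts the version from the line printed by "ntpq -c version" and, given an ntp.conf on standard input, warns when a restrict line uses notrust on 4.2 or later, where notrust means "require cryptographic authentication" rather than "don't trust for time". The version lines and configurations it runs against are constructed samples; the build tag and date after the @ are placeholders, and the assumed version-line shape is "ntpq <major>.<minor>.<patch>@<build-tag> ...".

```shell
# Added example (not from the original post): decide whether "notrust" in
# ntp.conf will make ntpd drop unauthenticated client packets (NTP 4.2 and
# later) and flag it. Assumes the version line has the shape printed by
# "ntpq -c version": ntpq <major>.<minor>.<patch>@<build-tag> <build-date> (1)

# ntp_version_ge_4_2 "<version line>"  -> exit 0 if the version is 4.2 or later
ntp_version_ge_4_2() {
    set -- $1                       # $2 is e.g. "4.2.6p5@<build-tag>"
    v=${2%%@*}                      # "4.2.6p5"
    major=${v%%.*}                  # "4"
    rest=${v#*.}                    # "2.6p5"
    minor=${rest%%.*}               # "2"
    minor=${minor%%[!0-9]*}         # drop any suffix such as "p1"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 2 ]; }
}

# ntp_notrust_check "<version line>" < ntp.conf
# Exit 1 (with a warning) if any restrict line carries notrust on a 4.2+ ntpd.
ntp_notrust_check() {
    hits=$(awk '$1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "notrust") print $0 }')
    [ -n "$hits" ] || { echo "ok: no restrict line uses notrust"; return 0; }
    if ntp_version_ge_4_2 "$1"; then
        echo "WARNING: on NTP 4.2+ notrust means 'require cryptographic authentication';"
        echo "unauthenticated clients matching these lines get 'Server dropped: no data':"
        echo "$hits" | sed 's/^/  /'
        return 1
    fi
    echo "ok: notrust present, but on NTP < 4.2 it only means 'do not trust for time'"
    return 0
}

# Constructed samples: two "ntpq -c version" lines (build tag and date replaced
# by placeholders) and two restrict blocks, one with notrust and one without.
VERSION_426='ntpq 4.2.6p5@<build-tag> <build-date> (1)'
VERSION_411='ntpq 4.1.1@<build-tag> <build-date> (1)'
CONF_NOTRUST='restrict default kod nomodify notrap nopeer noquery
restrict 192.168.10.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1'
CONF_CLEAN='restrict default kod nomodify notrap nopeer noquery
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1'

for v in "$VERSION_426" "$VERSION_411"; do
    printf '%s\n' "$CONF_NOTRUST" | ntp_notrust_check "$v" || true
done
printf '%s\n' "$CONF_CLEAN" | ntp_notrust_check "$VERSION_426"
```

On a live host the call is "ntp_notrust_check "$(ntpq -c version)" < /etc/ntp.conf"; a non-zero exit is the case this section describes, and the fix is the one given above: remove notrust (or, if the intent really is to require authentication, configure keys on both sides).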
NTP service setup under Linux environment