A 5 minute guide to OpenNTPD.

Contributed by sean on 2006-12-07 from the computers-make-horrible-clocks dept.

One of the annoying problems with running very busy machines (especially Windows based ones) is keeping time synchronized. Despite my best efforts I've seen hours of clock skew on machines that rarely get a minute of idle time during some crunch periods and it is a certainty that complaints of clock skew will end up in my inbox shortly there after. This is also an issue with regards to 'user error.'

I've tried many different things to get it to work right using a LAN local time standard as opposed to an Internet based one. The reason being that a few hundred machines all on the same network requesting time from pool.ntp.org isn't exactly efficient use of resources.

OpenNTPD has come to my rescue.
It is very simple and hard to screw up.

Take some random OpenBSD machine on your network, allow UDP port 123 (namely time) to come and go to that machine. Edit a few lines in /etc/ntpd.conf (for most use uncommenting a few lines is more accurate).

In order to serve up the SNTP protocol you need to tell ntpd(8) to listen on some address. To do this just open up /etc/ntpd.conf and add "listen on W.X.Y.Z" where W.X.Y.Z. is some local IP address.

You could also use '*' (ie. all) or '::1' (ie. localhost) in place of the explict IP address.

NOTE: You cannot just use an interface name (ie. fxp0) or interface groups like you would in PF (at least not yet).

Make sure to choose a remote time standard (with either the server or servers lines, sensor to be discussed later).

Restart ntpd (if already running) or invoke as /usr/sbin/ntpd as no parameters are needed for default operation.

You should now be good to go.
There is one caveat though, if the local time is totally hosed (like the machine was powered off for months and the clock battery died) you will have to force a local sync before any of this will work. Fortunately it is easy to do with rdate(8).

rdate pool.ntp.org

Configure the clients to poll that machine as the local time standard (which sync's itself to the Internet based time standard) and be done with it. The only platform whose client configuration wasn't immediately obvious was Windows. Seeing as though I don't really care to learn much more about it, the following was the minimum amount of effort required to get it running.

Running as a user with Administrative privileges on a particular Windows 2000+ machine.

net time /setsntp:W.X.Y.Z
net stop w32time
net start w32time
net time /querysntp

The last line isn't required but is a confirmation the setting took. I know after doing this Windows XP will poll for time updates every hour. Roll out the above any way you see fit to the rest of your 'virus runtime environments ' (as beck@ refered to the platform). It isn't immediately obvious if and how it would be possible to change the polling interval but this should do for most of us.

(Comments are closed)

Comments

By phessler (209.204.157.100) on 2006-12-07 14:39

'time.nist.gov' is BAD, use 'pool.ntp.org' you don't want to overload the master time server for the world, when something Just As Good (for these purposes) is avaliable.
Comments
1. By sean (139.142.208.98) on 2006-12-07 16:02
  
  > 'time.nist.gov' is BAD, use 'pool.ntp.org' you don't want to overload the master time server for the world, when something Just As Good (for these purposes) is avaliable.
  
  That is a good point. time.nist.gov is like reflex for me. I'll update the article to change it.
  Comments
  1. By Richard Johnson (128.117.43.105) on 2006-12-07 20:09
    
    > > 'time.nist.gov' is BAD, use 'pool.ntp.org' you don't want to overload the master time server for the world, when something Just As Good (for these purposes) is avaliable.
    >
    > That is a good point. time.nist.gov is like reflex for me. I'll update the article to change it.
    
    It's a reflex for a lot of people. It's fine to use it, by policy, but you'll probably get better response from other servers.
    
    That's not because it's an alpha with a disciplined oscillator and a modem to make sure it's still in synch with the atomic clock at NIST; it keeps time quite, quite well that way. Instead, it's because it's seeing up to 80,000 packets per second as of June 2006, and your UDP queries may not be seen.
By Anonymous Coward (209.91.190.26) on 2006-12-07 14:46

startup ntpd with the '-s' flag, and you don't need the rdate before it.
Comments
1. By sthen (85.158.44.148) on 2006-12-07 19:55
  
  > startup ntpd with the '-s' flag, and you don't need the rdate before it.
  
  ...but you do need working DNS to avoid long delays in /etc/rc.
  Comments
  1. By Anonymous Coward (58.84.102.143) on 2006-12-10 23:21
    
    > ...but you do need working DNS to avoid long delays in /etc/rc.
    
    where rdate uses a psychic connection and doesn't need DNS?
By frantisek holop (165.72.200.11) on 2006-12-07 16:05

just a note, xp machines sometime throw an error. no obvious reason (for me).
i don't think this is openntpd specific, seen it with "proper" nptd servers also.
By Anonymous Coward (193.63.217.208) on 2006-12-07 16:05

Forgive my possibly lacking understanding of NTP etiquette but isn't the described solution the preferred one? Set up your own stratum on your local network and slave all your systems to your local NTP server... Slaving all your separate systems to pool.ntp.org seems like a slightly insane idea.

Perhaps my perspective is skewed by having OpenBSD as my router/firewall so having it serve up NTP as well was a no-brainer...
Comments
1. By phessler (209.204.157.100) on 2006-12-07 16:09
  
  > Forgive my possibly lacking understanding of NTP etiquette but isn't the described solution the preferred one? Set up your own stratum on your local network and slave all your systems to your local NTP server... Slaving all your separate systems to pool.ntp.org seems like a slightly insane idea.
  >
  > Perhaps my perspective is skewed by having OpenBSD as my router/firewall so having it serve up NTP as well was a no-brainer...
  
  my objection is slaving any system to nist. slave that one guy to the pool, and its perfectly fine. I do that at multiple sites.
2. By Anonymous Coward (63.237.125.20) on 2006-12-07 16:18
  
  > Forgive my possibly lacking understanding of NTP etiquette but isn't the described solution the preferred one? Set up your own stratum on your local network and slave all your systems to your local NTP server... Slaving all your separate systems to pool.ntp.org seems like a slightly insane idea.
  >
  > Perhaps my perspective is skewed by having OpenBSD as my router/firewall so having it serve up NTP as well was a no-brainer...
  
  No he is correct.
  
  The OpenBSD server running ntpd syncs to pool.ntp.org with:
  "server pool.ntp.org" in ntpd.conf
  
  then serves out time locally with:
  "listen on W.X.Y.Z"
  
  and the M$ workstations sync to his OpenBSD server at W.X.Y.Z
  "net time /setsntp:W.X.Y.Z"
  Comments
  1. By Anonymous Coward (63.237.125.20) on 2006-12-07 16:34
    
    -"server pool.ntp.org" in ntpd.conf
    +"servers pool.ntp.org" in ntpd.conf
By Anonymous Coward (63.237.125.20) on 2006-12-07 16:33

It ought to be noted that to start ntpd after you reboot you need:

ntpd_flags=""

in rc.conf.local, or rc.conf
Comments
1. By Anonymous Coward (66.225.187.196) on 2006-12-07 17:22
  
  > It ought to be noted that to start ntpd after you reboot you need:
  >
  > ntpd_flags=""
  >
  > in rc.conf.local, or rc.conf
  
  ntpd_flags="-s"
  
  and it removes the need for ntpdate.
By Anonymous Coward (69.70.68.38) on 2006-12-07 20:33

Those net commands are good in login scripts, but otherwise, a pain for say, just a desktop - unless you create a .bat or .cmd file or which ever other way...

WinXP (not sure of Win2k and less), double click on the clock, then click on 'internet time' tab and set to pool.ntp.org, or other, or better yet, local OpenNTP server name or IP and you're set. In an MS Windows 'Domain / AD' environment, there's probly other ways to set the NTP server to, via GPO's?
Comments
1. By wob (12.109.229.8) wob@bonch.org on 2006-12-08 20:23
  
  > Those net commands are good in login scripts, but otherwise, a pain for say, just a desktop - unless you create a .bat or .cmd file or which ever other way...
  >
  > WinXP (not sure of Win2k and less), double click on the clock, then click on 'internet time' tab and set to pool.ntp.org, or other, or better yet, local OpenNTP server name or IP and you're set. In an MS Windows 'Domain / AD' environment, there's probly other ways to set the NTP server to, via GPO's?
  
  I am currently running Windows XP Professional SP2 on my laptop and I do not have this option under my clock. If I use my home machine (used for games), I DO have this option, and it runs WIndows XP Media edition SP2.
  
  So, YMMV if this tab will exist in WinXP or not. Gotta love the consistency of windows...
2. By RC (71.105.39.54) on 2006-12-09 08:10
  
  For older versions of Windows, http://nettime.sf.net/
By Anonymous Coward (81.149.188.25) on 2006-12-08 06:39

Anyone else have problems with OpenNTPD not keeping clocks in sync if you boot with a multiprocessor kernel on i386? in 4.0
Comments
1. By Otto Moerbeek (87.210.142.234) otto@drijf.net on 2006-12-08 07:18 http://www.drijf.net
  
  > Anyone else have problems with OpenNTPD not keeping clocks in sync if you boot with a multiprocessor kernel on i386? in 4.0
  
  Please provide a proper report of what you are seeing to misc@ or bugs@
2. By scot bontrager (216.62.11.163) MyFirstName...@indievisible.org on 2006-12-12 03:35
  
  > Anyone else have problems with OpenNTPD not keeping clocks in sync if you boot with a multiprocessor kernel on i386? in 4.0
  >
  >
  
  It was wonky (0.5s slew at any given moment) on amd64-MP 3.8-3.9 but much better since 4.0. It has always been fine on i386.
  Comments
  1. By Anonymous Coward (192.165.213.18) on 2006-12-14 08:03
    
    > > Anyone else have problems with OpenNTPD not keeping clocks in sync if you boot with a multiprocessor kernel on i386? in 4.0
    > >
    > >
    >
    > It was wonky (0.5s slew at any given moment) on amd64-MP 3.8-3.9 but much better since 4.0. It has always been fine on i386.
    
    It seems to be a problem on HP DL380's, DL360's are fine. I'll endeavour to submit details.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (9)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]