2013

Ntpd

Setting up ntp on FreeBSD is very easy. It mostly works out of the box (if enabled). My problems began when I started asking a few questions about how things were done with ntp. I found there wasn't really much documentation. This is a collection of info I've collected over time.

Ntpd development isn't very fast, so there isn't much reason to use the version in the ports collection over the one in the base system. If you plan on enabling ntp, do so in rc.conf with ntpd_enable="YES". Ntp has sanity limits on how far and how fast it will change the time: small offsets (under 128 ms) are slewed rather than stepped, the slew rate is capped at 500 ppm, and an offset beyond the 1000 s panic threshold makes ntpd give up and exit unless it was started with -g. Slewing an offset of even a few seconds can therefore take hours. The workaround is ntpdate_enable="YES" in rc.conf, which does one hard time reset during boot before ntpd starts (ntpd_sync_on_start="YES" is the other option: it passes -g so ntpd itself takes the one large step at startup). Whether you consider a step at boot safe depends on your environment; anything that assumes wall-clock time never jumps will notice.

Ntp works over UDP port 123. SNTP (simple NTP) uses the same packet format, but the client skips the filtering and clock-discipline state ntpd keeps, so it can set the clock but not keep it disciplined. The old school hardcore alternative is rdate, which uses the Time protocol on TCP port 37 and only has one-second resolution.

Syslog

You may find it useful to log ntp messages through syslog. Ntpd likes to give status messages that mean nothing to anyone but developers, ntp obsessed gurus, or source code treasure hunters. In other words, a lot of spurious stuff may get logged. In syslog.conf I put:

!ntpd
*.*             -/var/log/misc/ntp.log

A program selector like !ntpd applies to every rule that follows it, so put this block at the end of syslog.conf or follow it with a !* line to reset the selection; otherwise later rules silently apply only to ntpd. The log file also has to exist (touch it) before syslogd will write to it.

Two status messages I did find some info about on the web:

2001 - phase lock loop operation enabled
6001 - frequency locked loop enabled

These appear in lines like "kernel time sync status 2001". The number is not a message ID; it is the kernel status word from ntp_adjtime(2), printed in hex. Bit 0x0001 is STA_PLL (phase-lock loop enabled), 0x2000 is STA_NANO (nanosecond resolution), 0x4000 is STA_MODE (the kernel is in frequency-lock rather than phase-lock mode) and 0x0040 is STA_UNSYNC. So 2040 at startup means "not yet synchronised", the change to 2001 means the kernel clock is now being disciplined, and 6001 is the same with the loop in FLL mode.
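Decoding that word by hand each time is error-prone, so here is an added example that pulls the status word out of a syslog line and names the bits. This is my own code, not part of the original notes or of ntpd; the bit values are the STA_* constants from <sys/timex.h>, which is what ntpd is reporting, and the log lines it is run over are constructed for the example.

```python
"""Decode ntpd's "kernel time sync status NNNN" messages.

The number ntpd logs is the kernel status word from ntp_adjtime(2), in
hexadecimal.  STA_BITS lists the STA_* bits from <sys/timex.h>; the log
lines in SAMPLE_LOG are constructed for this example.
"""

import re

# (bit, name, meaning) from <sys/timex.h>
STA_BITS = (
    (0x0001, "STA_PLL",       "phase-lock loop enabled"),
    (0x0002, "STA_PPSFREQ",   "PPS frequency discipline enabled"),
    (0x0004, "STA_PPSTIME",   "PPS time discipline enabled"),
    (0x0008, "STA_FLL",       "frequency-lock loop selected"),
    (0x0010, "STA_INS",       "leap second insertion pending"),
    (0x0020, "STA_DEL",       "leap second deletion pending"),
    (0x0040, "STA_UNSYNC",    "clock unsynchronized"),
    (0x0080, "STA_FREQHOLD",  "frequency hold"),
    (0x0100, "STA_PPSSIGNAL", "PPS signal present"),
    (0x0200, "STA_PPSJITTER", "PPS jitter exceeded"),
    (0x0400, "STA_PPSWANDER", "PPS wander exceeded"),
    (0x0800, "STA_PPSERROR",  "PPS calibration error"),
    (0x1000, "STA_CLOCKERR",  "clock hardware fault"),
    (0x2000, "STA_NANO",      "nanosecond resolution"),
    (0x4000, "STA_MODE",      "FLL mode (clear = PLL mode)"),
    (0x8000, "STA_CLK",       "external clock source"),
)

# Bits that mean the kernel clock is not (yet) trustworthy.
BAD_BITS = 0x0040 | 0x1000 | 0x0800 | 0x0200 | 0x0400

STATUS_RE = re.compile(
    r"kernel time sync status(?: change)?\s+([0-9a-fA-F]{1,4})\b")


def status_word(line):
    """Return the status word from a syslog line, or None if the line
    is not a status message."""
    m = STATUS_RE.search(line)
    return int(m.group(1), 16) if m else None


def decode(word):
    """Names of the STA_* bits set in word, lowest bit first."""
    return [name for bit, name, _ in STA_BITS if word & bit]


def describe(word):
    """Human-readable summary of the set bits."""
    return ", ".join(meaning for bit, _, meaning in STA_BITS if word & bit)


def healthy(word):
    """False if the kernel reports unsync, a clock error or PPS trouble."""
    return not (word & BAD_BITS)


# Constructed FreeBSD syslog lines for the example.
SAMPLE_LOG = """\
Mar  3 09:12:01 tick ntpd[884]: precision = 1.000 usec
Mar  3 09:12:01 tick ntpd[884]: kernel time sync status 2040
Mar  3 09:18:22 tick ntpd[884]: kernel time sync status change 2001
Mar  3 11:02:07 tick ntpd[884]: kernel time sync status change 6001
"""


def scan(log_text):
    """(word, healthy, bit names) for every status line in log_text."""
    out = []
    for line in log_text.splitlines():
        w = status_word(line)
        if w is not None:
            out.append((w, healthy(w), decode(w)))
    return out


if __name__ == "__main__":
    for w, ok, bits in scan(SAMPLE_LOG):
        print("%04x %-6s %s" % (w, "ok" if ok else "NOT OK", describe(w)))
```

Run it against the ntp.log file from the syslog section above (replace SAMPLE_LOG with the file contents) and a status word that keeps STA_UNSYNC set long after boot is the first thing to chase.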

ntp.drift

This file keeps track of how insane your clock is, and what ntpd thinks is needed to correct it: the frequency error of the system clock in parts per million. If the machine is disconnected from the network (or not able to reach time sources for some other reason), this is the frequency correction ntpd keeps applying so the clock stays close to right. The default location in the stock FreeBSD ntp.conf is /var/db/ntpd.drift, but I prefer to place this file in /etc/ntp/ntp.drift. It can be manually initialized with 0.000; ntpd prefers finding a number to finding an empty file. Ntpd rewrites the file about once an hour by writing a temporary file and renaming it over the old one, so the directory, not just the file, must be writable by the user ntpd runs as.

ntp.keys

Ntp supports a few authentication methods to verify packets: the older symmetric-key scheme and Autokey (public key). I prefer the symmetric method. A server and client agree on a shared secret and use it to compute a message authentication code over each ntp message; this authenticates the packets but does not encrypt them. It's easy but poorly documented.

There is an easy way to set this up using the utility ntp-keygen with the -M option. Change your working directory to /etc/ntp/ and run ntp-keygen -M. This may generate more files than you need. The file of interest is called something like ntpkey_MD5key_{stuff} (the hostname and a timestamp). This is what I rename to ntp.keys. The contents of this file look something like:

 1 MD5  ~mVNlTrS*]a'/;g # MD5 key
 2 MD5  HGC[,%.x^L{Wf*G # MD5 key
 3 MD5  1_-N>m,10=x8tj~ # MD5 key
 4 MD5  cY@$?]R`?/?,Z|z # MD5 key
 5 MD5  HQqzC7QXOr06Y[: # MD5 key
 6 MD5  5u$,5B3h{xzu&>' # MD5 key

The first number is the key number. These can be numbered from 1 to 65534. The second item is the algorithm, MD5 here (builds linked against OpenSSL also accept SHA1, the better choice for new keys). The third is the shared secret key. The server and client both agree on the key number and the key itself. The key files don't have to be the same, and numbers can be in any order, but both server and client must agree on the key and its respective number. The file holds secrets, so make it readable only by the user ntpd runs as (chmod 600); the key number travels in the clear with every authenticated packet, the key never does. If security is a concern, consider rotating keys.

ntp.conf

server      time.example.com prefer iburst key 4 maxpoll 9
server      127.127.1.0
fudge       127.127.1.0 stratum 12

restrict    time.example.com
restrict    127.0.0.1
restrict    127.127.1.0
restrict    default ignore

driftfile   /etc/ntp/ntp.drift
keys        /etc/ntp/ntp.keys

trustedkey  1 4

server specifies a server to get time from. At your master time server you will want at least 3 time sources unless you have time keeping hardware: with one source ntpd can't tell whether it is lying, with two it can't tell which one is, three lets the selection algorithm outvote a single falseticker, and four keeps that margin when one is unreachable. I use 3 at the master server.

prefer gives preference to this server when the selection algorithm would otherwise pick another survivor. Generally this isn't needed.

iburst sends a short burst of packets when the server is unreachable and then becomes reachable again, and at startup, so the first synchronization takes seconds instead of several poll intervals.

key n names the symmetric key used to confirm packets are from this server. It wouldn't be specified unless you control both ends (server and client) or the server's operator has handed you a key.

minpoll / maxpoll control the polling interval. It starts short and ntpd gradually lengthens it as the clock settles, between minpoll and maxpoll. Both are exponents of 2, so the interval in seconds is 2^n: 2^4 = 16, 2^6 = 64. The default minpoll is 6 (64 s), with the lowest value accepted 4 (16 s). Maxpoll is the longest interval ntp will allow between queries; the default is 10 (1024 s, about 17 minutes) and the maximum is 17 (about 36 hours). The default maxpoll (10) causes spurious messages in FreeBSD system logs. Setting maxpoll to 9 is a simple workaround.

127.127.1.0 - this is the local clock driver (refclock type 1, unit 0). It's not an actual address (don't get that 1 and 0 mixed up, btw). It isn't required, and it does not make the host keep better time on its own; ntpd already free-runs on the drift file correction when sources are unreachable. What it does is let this host keep answering its own clients, at the fudged stratum below, when no upstream source is reachable. Newer versions offer orphan mode (tos orphan 12) for the same purpose, which copes better with several servers losing their upstream at once.

fudge : used to give the local clock a VERY high stratum number, i.e. the lowest priority (last resort). Dedicated time hardware is stratum 0. A computer which reads time from that hardware is stratum 1. Likely your master time server will be stratum 2 or 3, so stratum 12 keeps the local clock well below any real source. Stratum 16 means unsynchronised, so the fudged value must stay below that; clients of this server will show stratum 13 while it is serving from its local clock.

restrict - obviously restricts what the ntp server allows for queries. Unintuitively, restrict with a host and no option flags means to remove all restrictions for that host. restrict default ignore drops every packet from anyone not matched by a more specific restrict line, including replies from your own time sources unless they have their own line. Not restricting the loopback (127.0.0.1) allows you to query the local server with ntpq.

keys - location of the keys file discussed above.

driftfile - I prefer to manually put this somewhere I can look at it.

trustedkey n ... - specifies which keys from the keys file are considered trusted. If a key is not trusted (listed on this line), packets authenticated with it are rejected, and a client will not sync time from a source configured with that key. BOTH client AND server must have the key in their trustedkey line, both must agree on the key, and both must agree on the key number for that key (basically keep a master key file on the server, then paste the respective line into the client's keys file). The server answers unauthenticated requests unauthenticated and answers requests with a valid MAC in kind, but a request whose key is unknown, not trusted, or whose MAC does not verify gets a crypto-NAK (a reply carrying a zero key identifier and no digest), which the client counts as an authentication failure. Note that this is authentication, not encryption: the packet contents are in the clear.
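The ntp.keys and trustedkey rules above (same number, same secret, number listed as trusted) are easiest to see when you build and check a MAC yourself. The following is an added example written for this page, not ntpd's code: it follows RFC 5905 section 7.3, where the MAC appended to the 48-byte header is a 4-byte key identifier followed by a digest over the key and the header. The keys file text, the secrets and the trustedkey set {1, 4} are constructed for the example.

```python
"""NTP symmetric-key authentication, worked end to end.

Per RFC 5905 section 7.3 the MAC appended to the 48-byte NTP header is a
4-byte key identifier followed by digest(key || header).  A receiver
therefore needs the same key number, the same secret, and the number on
its trustedkey list.  KEYS_FILE and the secrets are constructed.
"""

import hashlib
import hmac
import struct

HEADER_LEN = 48                       # NTP header without extension fields
DIGEST_LEN = {"MD5": 16, "SHA1": 20}  # digest sizes for the two key types

# Constructed ntp.keys content in the layout ntp-keygen -M produces.
KEYS_FILE = """\
# keyno type secret            (trailing text is a comment)
 1 MD5  k1ExampleSecret # MD5 key
 2 MD5  k2ExampleSecret # MD5 key
 4 SHA1 k4ExampleSecret # SHA1 key
"""


def parse_keys(text):
    """{keyno: (type, secret_bytes)} from ntp.keys-style text.  Only the
    short printable-ASCII secret form shown on the page is handled."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        keyno, ktype, secret = int(parts[0]), parts[1].upper(), parts[2]
        if ktype not in DIGEST_LEN:
            raise ValueError("unsupported key type " + ktype)
        keys[keyno] = (ktype, secret.encode("ascii"))
    return keys


def mac_digest(ktype, secret, header):
    """digest(secret || header): a keyed hash, not an HMAC."""
    h = hashlib.new(ktype.lower())
    h.update(secret)
    h.update(header)
    return h.digest()


def client_packet(tx_seconds=0xD6B40000, tx_fraction=0):
    """NTPv4 client request: LI=0, VN=4, mode=3, transmit timestamp set,
    everything else zero.  The timestamp value is arbitrary."""
    header = bytearray(HEADER_LEN)
    header[0] = (4 << 3) | 3
    struct.pack_into("!II", header, 40, tx_seconds, tx_fraction)
    return bytes(header)


def sign(header, keyno, keys):
    """Append the key number and digest, as the sender does."""
    ktype, secret = keys[keyno]
    return header + struct.pack("!I", keyno) + mac_digest(ktype, secret, header)


def crypto_nak(header):
    """Server reply when authentication fails: zero key ID, no digest."""
    return header[:HEADER_LEN] + b"\x00\x00\x00\x00"


def verify(message, keys, trustedkeys):
    """(accepted, reason) as a receiver with these keys and this trustedkey
    set decides.  Unauthenticated packets are accepted, as ntpd does unless
    the peer is restricted with notrust."""
    header, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    if len(header) < HEADER_LEN:
        return False, "short packet"
    if not mac:
        return True, "unauthenticated"
    if mac == b"\x00\x00\x00\x00":
        return False, "crypto-NAK"
    if len(mac) < 4:
        return False, "malformed MAC"
    keyno = struct.unpack("!I", mac[:4])[0]
    if keyno not in keys:
        return False, "key %d unknown" % keyno
    if keyno not in trustedkeys:
        return False, "key %d not in trustedkey" % keyno
    ktype, secret = keys[keyno]
    if len(mac) != 4 + DIGEST_LEN[ktype]:
        return False, "MAC length %d wrong for %s" % (len(mac), ktype)
    if not hmac.compare_digest(mac_digest(ktype, secret, header), mac[4:]):
        return False, "bad MAC for key %d" % keyno
    return True, "authenticated with key %d" % keyno


def demo():
    """Server holds KEYS_FILE with 'trustedkey 1 4'; try several clients."""
    keys = parse_keys(KEYS_FILE)
    trusted = {1, 4}
    req = client_packet()
    wrong = dict(keys)
    wrong[4] = ("SHA1", b"SomeOtherSecret")  # same number, different secret
    return {
        "key4": verify(sign(req, 4, keys), keys, trusted),
        "key2_untrusted": verify(sign(req, 2, keys), keys, trusted),
        "key4_wrong_secret": verify(sign(req, 4, wrong), keys, trusted),
        "key9_unknown": verify(req + struct.pack("!I", 9) + b"\x00" * 16, keys, trusted),
        "plain": verify(req, keys, trusted),
        "nak": verify(crypto_nak(req), keys, trusted),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-18s %-5s %s" % (name, ok, why))
```

The two failure cases worth noticing are key2_untrusted and key4_wrong_secret: the packet is well formed and the key number is known, yet it is refused, which is exactly what a reach of 0 on an authenticated association looks like from the client side. The prepend-the-key construction is what ntpd uses for MD5 and SHA1 keys; RFC 8573 later added AES-CMAC as a proper MAC for deployments that can use it.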

Is it working?

Ntpd is oddly good at running but not working. What you will want to use is the ntpq -p command (-p prints the peer list). This gives the list of servers it is talking to, with status and statistics that are somewhat meaningful. The following information was taken from [here]:

* = current time source (system peer)
# = source selected, distance exceeds maximum value (kept as a backup)
o = source selected, Pulse Per Second (PPS) used
+ = source selected, included in final set
x = source is a falseticker (disagrees with the majority)
. = source selected from end of candidate list (excess)
- = source discarded by cluster algorithm (outlier)
blank = source discarded: high stratum, unreachable, or failed sanity checks

t: types available
l = local (such as a GPS, WWVB)
u = unicast (most common)
m = multicast
b = broadcast
- = netaddr

refid: - the remote source's own synchronization source: an IP address, or a four-character code such as .GPS. or .LOCL. (.INIT. means it has not synchronised to anything yet)

stratum: - stratum level of the source

when: - number of seconds since the last response

poll: - current polling interval, in seconds, for the source

reach: - 8-bit shift register of the last eight polls, printed in octal; 377 means all eight got a reply, 0 means none did

delay: - round trip time in milliseconds to receive a reply

offset: - time difference in milliseconds between the local clock and the source

disp/jitter: - variation in milliseconds between successive offset samples; jitter larger than the offset means the offset estimate is mostly noise

Look for lines with zero values. reach counts successful packet responses; if it is zero, no reply was ever received. If you are using ntp authentication, that usually means the key setup isn't working (ntpq -c as shows an auth column of ok, bad or none per association, which tells you whether it is the network or the keys). If a server continuously shows up prefixed with a blank, this time source is likely junk and you'll want to consider another time source. Both time.apple.com and time.windows.com seem to be poor quality time sources. Typically you'll have one server prefixed with '*' and the rest with '+' (or '-' for a survivor judged an outlier) when working properly. The local line only shows if you configured a local clock on the host (127.127.1.0).
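Reading the billboard by eye works for one host; for a dozen it is easier to script the checks above. This is an added example, my own code rather than anything from the original page or from the ntp distribution: it parses the table ntpq -p prints and reports the conditions the text describes (reach of 0, a source stuck at stratum 16 with a blank tally, no '*' system peer, an offset past the 128 ms step threshold). The sample output, including host names, refids and figures, is constructed.

```python
"""Read `ntpq -p` output and flag what to look for.

SAMPLE is constructed in the column layout ntpq prints; the names and
numbers in it are invented for the example.
"""

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.com  .GPS.            1 u   45   64  377    0.412   -0.085   0.031
+ntp1.example.net  10.0.0.1         2 u  120  512  377   12.301    1.204   0.980
-ntp2.example.net  10.0.0.2         2 u  200  512  376   40.118   -9.870   2.512
 time.windows.com  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)          .LOCL.          12 l   30   64  377    0.000    0.000   0.001
"""

TALLY = {"*": "system peer", "o": "PPS peer", "+": "candidate",
         "#": "backup", "-": "outlier", "x": "falseticker",
         ".": "excess", " ": "rejected"}

FIELDS = ("remote", "refid", "st", "t", "when", "poll", "reach",
          "delay", "offset", "jitter")

STEP_THRESHOLD_MS = 128.0   # ntpd steps rather than slews above this


def parse_ntpq(text):
    """One dict per peer line.  The tally is column 0 and may be a space,
    so each line is sliced before splitting.  ntpq wraps a peer line when
    the name is long; those fragments have the wrong field count and are
    skipped."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.split()[:1] == ["remote"]:
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != len(FIELDS):
            continue
        p = dict(zip(FIELDS, fields))
        p["tally"] = tally
        p["status"] = TALLY.get(tally, "unknown")
        p["st"] = int(p["st"])
        p["poll"] = int(p["poll"])
        p["reach"] = int(p["reach"], 8)            # printed in octal
        p["when"] = None if p["when"] == "-" else int(p["when"])
        for k in ("delay", "offset", "jitter"):
            p[k] = float(p[k])
        peers.append(p)
    return peers


def reach_count(reach):
    """How many of the last eight polls were answered (0o377 -> 8)."""
    return bin(reach & 0xFF).count("1")


def assess(peers):
    """List of problems; an empty list is the healthy picture."""
    problems = []
    if not any(p["tally"] in "*o" for p in peers):
        problems.append("no system peer ('*' or 'o'): the clock is not being disciplined")
    for p in peers:
        name = p["remote"]
        if p["reach"] == 0:
            problems.append("%s: reach 0, no reply to the last 8 polls "
                            "(network, restrict, or a key mismatch if 'key' is set)" % name)
        elif p["reach"] != 0o377:
            problems.append("%s: only %d of the last 8 polls answered"
                            % (name, reach_count(p["reach"])))
        if p["st"] >= 16:
            problems.append("%s: stratum 16, the source is itself unsynchronized" % name)
        if p["tally"] == "x":
            problems.append("%s: falseticker, disagrees with the majority" % name)
        if abs(p["offset"]) > STEP_THRESHOLD_MS:
            problems.append("%s: offset %.1f ms is past the step threshold"
                            % (name, p["offset"]))
    return problems


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE)
    for p in peers:
        print("%-18s %-12s reach %d/8 offset %+.3f ms"
              % (p["remote"], p["status"], reach_count(p["reach"]), p["offset"]))
    for problem in assess(peers) or ["no problems found"]:
        print("-", problem)
```

Feed it the real output with parse_ntpq(subprocess.check_output(["ntpq", "-p"]).decode()) or from a saved file; the LOCAL(0) line parses like any other peer, with t = l.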

Why does ntpd listen on EVERY interface?

That's a good question that no one seems to have an answer for. On a normal machine this means ntpd will show 3 listening sockets (1 network, 1 loopback, 1 wildcard), but if you have, say, 16 interfaces or network aliases, ntpd attaches itself to all of them. This obnoxious behavior is my biggest gripe with ntpd, and there doesn't seem to be any way around it. (The design reason is that ntpd binds each address individually so that replies leave from the address the request arrived on. ntpd 4.2.6 and later accept interface listen / interface ignore directives in ntp.conf to limit which addresses it binds, interface ignore wildcard drops the catch-all socket; older releases have no such option.)

Chrony

Many of my complaints with ntpd have been handled in chrony, a program which has been around for a while and is well maintained. Diagnostics are far easier, and with the recent addition of NTS (Network Time Security, RFC 8915, TLS-based authentication for NTP) I decided to give it a go. I've mixed and matched systems, with some using ntpd and some using openntpd. I've found chrony to be reliable and a sensible replacement for all instances of ntp software. That's not always a choice, and ntpd is fine in most situations.

Windows Domain Controllers

For the peon editions of Windows, you can set the Internet time server by right clicking the clock in the tray and opening the date and time properties. In a Windows domain, clients get time from domain controllers, and the root of the domain's time hierarchy (the PDC emulator) uses the system hardware clock by default. Under Hyper-V, VMs use the time synchronization integration service provided by the host. Opinions on whether this is good or bad have changed a few times, but as of 2012 Microsoft recommends NTP.

Windows domains use Kerberos tickets, which are time sensitive (the default tolerance is 5 minutes of skew), so keeping good time is important. Left to its own devices, an entire domain can be at the mercy of a PC-quality hardware clock: consistent, but probably wrong. Windows allows setting NTP as the time source, but it's not the default. If using virtualization, disable the time synchronization integration service for that VM, otherwise the host and NTP will fight over the clock. From an elevated command prompt, it goes something like this (afterwards, w32tm /query /source and w32tm /query /status show what the service actually ended up using):

net stop w32time
w32tm /unregister
w32tm /register
sc config w32time type= own
net start w32time
w32tm /config /update /manualpeerlist:"time.example.com,0x8" /syncfromflags:MANUAL /reliable:yes
w32tm /resync

This hasn't worked for me, but this is what most recommend. I'd get "access denied" messages quite often.

The other method uses the registry. This is easy if another domain controller is already configured: just export the registry keys. Look under HKLM\SYSTEM\CurrentControlSet\Services\W32Time.

Under Parameters, set Type to NTP and NtpServer to your target server(s); usually this looks something like "192.168.0.2,0x8" (the 0x8 flag means plain client mode; separate multiple servers with spaces). The NTP client provider itself is switched on with Enabled set to 1 under TimeProviders\NtpClient. Depending on how your network looks and your reliability situation, you will want to research what other options you may need to set (AnnounceFlags under Config, for instance, controls whether a DC advertises itself as a reliable time source). But this works for now.

Here's a related Microsoft KB article - assuming the link isn't broken by now, since they almost always are. Some of the settings are also explained in it. Typical for MS documentation, it does things like referencing values from 1-8 with explanations, then says the default is 10. Just be thankful the link works.
