NTP (Network Time Protocol)

1. Overview

WebADM requires an accurate system clock and timezone. Your Linux server should be configured with NTP time synchronization. This guide shows how to install and configure the NTP server. Network Time Protocol traffic runs over UDP port 123. Example firewall rules are available in the RCDevs Hardening Guide.

The RCDevs Virtual Appliance uses chrony instead of ntp.

2. CHRONY

2.1 Install Chrony

First, install the chrony package with the command yum install chrony.

[root@rcdevs1 ~]# yum install chrony
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.checkdomain.de
 * extras: centos.mirror.root.lu
 * updates: centos.mirror.root.lu
base                                                                               | 3.6 kB  00:00:00     
extras                                                                             | 3.4 kB  00:00:00     
updates                                                                            | 3.4 kB  00:00:00     
(1/2): extras/7/x86_64/primary_db                                                  | 179 kB  00:00:00     
(2/2): updates/7/x86_64/primary_db                                                 | 2.4 MB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package chrony.x86_64 0:3.2-2.el7 will be installed
--> Processing Dependency: libseccomp.so.2()(64bit) for package: chrony-3.2-2.el7.x86_64
--> Running transaction check
---> Package libseccomp.x86_64 0:2.3.1-3.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================
 Package                    Arch                   Version                     Repository            Size
==========================================================================================================
Installing:
 chrony                     x86_64                 3.2-2.el7                   base                 243 k
Installing for dependencies:
 libseccomp                 x86_64                 2.3.1-3.el7                 base                  56 k

Transaction Summary
==========================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 299 k
Installed size: 773 k
Is this ok [y/d/N]: y
Downloading packages:
(1/2): chrony-3.2-2.el7.x86_64.rpm                                                 | 243 kB  00:00:00     
(2/2): libseccomp-2.3.1-3.el7.x86_64.rpm                                           |  56 kB  00:00:00     
----------------------------------------------------------------------------------------------------------
Total                                                                     986 kB/s | 299 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libseccomp-2.3.1-3.el7.x86_64                                                          1/2 
  Installing : chrony-3.2-2.el7.x86_64                                                                2/2 
  Verifying  : libseccomp-2.3.1-3.el7.x86_64                                                          1/2 
  Verifying  : chrony-3.2-2.el7.x86_64                                                                2/2 

Installed:
  chrony.x86_64 0:3.2-2.el7                                                                               

Dependency Installed:
  libseccomp.x86_64 0:2.3.1-3.el7                                                                         

Complete!
[root@rcdevs1 ~]# 

Start the chrony daemon, check its status, and enable it at boot.

[root@rcdevs1 ~]# systemctl start chronyd
[root@rcdevs1 ~]# systemctl status chronyd
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-02-14 15:25:29 CET; 5s ago
     Docs: man:chronyd(8)
           man:chrony.conf(5)
  Process: 16590 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 16586 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 16588 (chronyd)
   CGroup: /system.slice/chronyd.service
           └─16588 /usr/sbin/chronyd

Feb 14 15:25:29 rcdevs1.webadm1 systemd[1]: Starting NTP client/server...
Feb 14 15:25:29 rcdevs1.webadm1 chronyd[16588]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK...UG)
Feb 14 15:25:29 rcdevs1.webadm1 chronyd[16588]: Initial frequency -100.000 ppm
Feb 14 15:25:29 rcdevs1.webadm1 systemd[1]: Started NTP client/server.
Feb 14 15:25:35 rcdevs1.webadm1 chronyd[16588]: Selected source 188.42.54.79
Hint: Some lines were ellipsized, use -l to show in full.
[root@rcdevs1 ~]# systemctl enable chronyd
[root@rcdevs1 ~]# 

2.2 Time Zone

Be sure that the correct time zone is set. Verify it with the timedatectl command.

[root@rcdevs1 ~]# timedatectl
      Local time: Thu 2019-02-14 14:32:02 CET
  Universal time: Thu 2019-02-14 13:32:02 UTC
        RTC time: Thu 2019-02-14 13:32:02
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

To change it, get the list of all available time zones with timedatectl list-timezones and set it with timedatectl set-timezone Europe/Berlin for example.

[root@rcdevs1 ~]# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
...
[root@rcdevs1 ~]# timedatectl set-timezone Europe/Berlin
[root@rcdevs1 ~]# timedatectl
      Local time: Thu 2019-02-14 14:34:51 CET
  Universal time: Thu 2019-02-14 13:34:51 UTC
        RTC time: Thu 2019-02-14 13:34:52
       Time zone: Europe/Berlin (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

2.3 Public Pool Time Servers

On the NTP Public Pool Time Servers site, choose your continent and country. In this example, we choose Europe and Luxembourg.

server 2.lu.pool.ntp.org
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org

2.4 Configuration

Now, replace the default list of Public Pool Time Servers with the ones for your country. Set your Pool Time Server in the chrony configuration file /etc/chrony.conf.

[root@rcdevs1 ~]# vi /etc/chrony.conf 

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 2.lu.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
#allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
[root@rcdevs1 ~]#

Afterward, restart the chrony daemon with systemctl restart chronyd and verify its status with systemctl status chronyd -l.

[root@rcdevs1 ~]# systemctl restart chronyd
[root@rcdevs1 ~]# systemctl status chronyd -l
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-02-14 15:30:59 CET; 5s ago
     Docs: man:chronyd(8)
           man:chrony.conf(5)
  Process: 16633 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)
  Process: 16629 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 16631 (chronyd)
   CGroup: /system.slice/chronyd.service
           └─16631 /usr/sbin/chronyd

Feb 14 15:30:59 rcdevs1.webadm1 systemd[1]: Starting NTP client/server...
Feb 14 15:30:59 rcdevs1.webadm1 chronyd[16631]: chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 +DEBUG)
Feb 14 15:30:59 rcdevs1.webadm1 chronyd[16631]: Frequency -111.826 +/- 28.749 ppm read from /var/lib/chrony/drift
Feb 14 15:30:59 rcdevs1.webadm1 systemd[1]: Started NTP client/server.
Feb 14 15:31:04 rcdevs1.webadm1 chronyd[16631]: Received KoD RATE from 185.137.97.4
[root@rcdevs1 ~]# 

2.5 Sync Time

Force a time sync with the command chronyc makestep, then check the sources and the resulting offset with chronyc sources, chronyc tracking and chronyc sourcestats.

[root@rcdevs1 ~]# chronyc makestep
200 OK
[root@rcdevs1 ~]# chronyc sources
210 Number of sources = 3
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^- 85.93.216.115                 2   6    17     8   +344us[ -370us] +/-   54ms
^- magma.woody.ch                3   6    17     8  +2587us[+1873us] +/-  112ms
^* cluster010.linocomm.net       2   6    17     8   -141us[ -855us] +/-   12ms
[root@rcdevs1 ~]# chronyc tracking
Reference ID    : 5B7958A1 (cluster010.linocomm.net)
Stratum         : 3
Ref time (UTC)  : Thu Feb 14 14:34:47 2019
System time     : 0.000000977 seconds slow of NTP time
Last offset     : -0.000713650 seconds
RMS offset      : 0.000713650 seconds
Frequency       : 36.484 ppm slow
Residual freq   : -154.181 ppm
Skew            : 50.081 ppm
Root delay      : 0.019481769 seconds
Root dispersion : 0.003368327 seconds
Update interval : 1.9 seconds
Leap status     : Normal
[root@rcdevs1 ~]# chronyc sourcestats
210 Number of sources = 3
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
85.93.216.115               4   4     6    -43.605   2647.217  -1309us   397us
magma.woody.ch              4   3     6    -63.345    366.327   +174us    57us
cluster010.linocomm.net     4   3     6   -154.181   3291.510  -5875us   468us
[root@rcdevs1 ~]# 
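
The chronyc tracking output above can be turned into a scripted pass/fail check. The following is an added example, not part of the original guide: the function name check_tracking, the 1.0 second limit and the two samples marked as constructed are assumptions.

```shell
#!/bin/sh
# Added example (not from the RCDevs guide): turn `chronyc tracking` output
# into a pass/fail check. Live use: chronyc tracking | check_tracking 1.0
# The 1.0 s limit is an assumed threshold, not a WebADM requirement.

check_tracking() {
    # $1 = largest tolerated difference between system clock and NTP time (s)
    awk -F' *: ' -v max="$1" '
        { sub(/[ \t]+$/, "") }                  # drop trailing blanks
        $1 == "Stratum"     { stratum = $2 }
        $1 == "Leap status" { leap = $2 }
        $1 == "System time" {
            split($2, f, " ")                   # "0.000000977 seconds slow of NTP time"
            offset = f[1]; dir = f[3]; seen = 1
        }
        END {
            if (!seen) { print "FAIL no tracking data"; exit 1 }
            # An unsynchronised chronyd reports stratum 0 and this leap status.
            if (leap == "Not synchronised" || stratum + 0 == 0) {
                print "FAIL not synchronised"; exit 1
            }
            if (offset + 0 > max + 0) {
                print "FAIL offset=" offset "s " dir " exceeds " max "s"; exit 1
            }
            print "OK offset=" offset "s " dir " stratum=" stratum
        }
    '
}

# Lines copied from the chronyc tracking output shown on this page.
sample_synced() {
cat <<'EOF'
Reference ID    : 5B7958A1 (cluster010.linocomm.net)
Stratum         : 3
Ref time (UTC)  : Thu Feb 14 14:34:47 2019
System time     : 0.000000977 seconds slow of NTP time
Last offset     : -0.000713650 seconds
Leap status     : Normal
EOF
}

# Constructed sample: synchronised source, but the clock is far off.
sample_drifted() {
cat <<'EOF'
Reference ID    : 5B7958A1 (cluster010.linocomm.net)
Stratum         : 3
System time     : 113.000000000 seconds slow of NTP time
Leap status     : Normal
EOF
}

# Constructed sample: chronyd running without a selected source.
sample_unsynced() {
cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised
EOF
}

# Demo run over the embedded samples.
sample_synced   | check_tracking 1.0
sample_drifted  | check_tracking 1.0 || true
sample_unsynced | check_tracking 1.0 || true
```

The function returns a non-zero status on failure, so it can be called from cron or a monitoring agent.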

2.6 Verify Sync

Do the following steps to verify that the NTP daemon is really synchronizing the time. Query the system clock with the command timedatectl status.

[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 15:36:48 CET
  Universal time: Thu 2019-02-14 14:36:48 UTC
        RTC time: Thu 2019-02-14 14:36:48
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

Verify if the NTP synchronization works. First, disable NTP synchronization with timedatectl set-ntp false. Afterward, change the system clock with timedatectl set-time 10:00:00, for example.

[root@rcdevs1 ~]# timedatectl set-ntp false
[root@rcdevs1 ~]# timedatectl set-time 10:00:00
[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 10:00:07 CET
  Universal time: Thu 2019-02-14 09:00:07 UTC
        RTC time: Thu 2019-02-14 09:00:08
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

Now, enable the NTP synchronization with timedatectl set-ntp true and verify it with timedatectl status.

[root@rcdevs1 ~]# timedatectl set-ntp true
[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 15:39:02 CET
  Universal time: Thu 2019-02-14 14:39:02 UTC
        RTC time: Thu 2019-02-14 09:00:58
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

More information about chrony is available at Chrony.

3. NTP

3.1 Install NTP

First, install the ntp package with the command yum install ntp.

[root@rcdevs1 ~]# yum install ntp
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.intergenia.de
 * extras: ftp.halifax.rwth-aachen.de
 * updates: mirror2.hs-esslingen.de
Resolving Dependencies
--> Running transaction check
---> Package ntp.x86_64 0:4.2.6p5-28.el7.centos will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-28.el7.centos for package: ntp-4.2.6p5-28.el7.centos.x86_64
--> Processing Dependency: libopts.so.25()(64bit) for package: ntp-4.2.6p5-28.el7.centos.x86_64
--> Running transaction check
---> Package autogen-libopts.x86_64 0:5.18-5.el7 will be installed
---> Package ntpdate.x86_64 0:4.2.6p5-28.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch        Version                       Repository
                                                                           Size
================================================================================
Installing:
 ntp                  x86_64      4.2.6p5-28.el7.centos         base      549 k
Installing for dependencies:
 autogen-libopts      x86_64      5.18-5.el7                    base       66 k
 ntpdate              x86_64      4.2.6p5-28.el7.centos         base       86 k

Transaction Summary
================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 701 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
(1/3): autogen-libopts-5.18-5.el7.x86_64.rpm               |  66 kB   00:00     
(2/3): ntpdate-4.2.6p5-28.el7.centos.x86_64.rpm            |  86 kB   00:00     
(3/3): ntp-4.2.6p5-28.el7.centos.x86_64.rpm                | 549 kB   00:00     
--------------------------------------------------------------------------------
Total                                              1.4 MB/s | 701 kB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : autogen-libopts-5.18-5.el7.x86_64                            1/3 
  Installing : ntpdate-4.2.6p5-28.el7.centos.x86_64                         2/3 
  Installing : ntp-4.2.6p5-28.el7.centos.x86_64                             3/3 
  Verifying  : ntpdate-4.2.6p5-28.el7.centos.x86_64                         1/3 
  Verifying  : autogen-libopts-5.18-5.el7.x86_64                            2/3 
  Verifying  : ntp-4.2.6p5-28.el7.centos.x86_64                             3/3 

Installed:
  ntp.x86_64 0:4.2.6p5-28.el7.centos                                            

Dependency Installed:
  autogen-libopts.x86_64 0:5.18-5.el7   ntpdate.x86_64 0:4.2.6p5-28.el7.centos  

Complete!
[root@rcdevs1 ~]# 

Enable the NTP daemon at boot and start it.

[root@rcdevs1 ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
[root@rcdevs1 ~]# systemctl start ntpd
[root@rcdevs1 ~]# reboot
[root@rcdevs1 ~]# systemctl status ntpd -l
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-02-14 11:27:43 CET; 16s ago
  Process: 6148 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6165 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─6165 /usr/sbin/ntpd -u ntp:ntp -g

Feb 14 11:27:43 rcdevs1.webadm1 systemd[1]: Started Network Time Service.
Feb 14 11:27:45 rcdevs1.webadm1 ntpd_intres[6182]: DNS 0.centos.pool.ntp.org -> 185.137.97.4
Feb 14 11:27:45 rcdevs1.webadm1 ntpd_intres[6182]: DNS 1.centos.pool.ntp.org -> 94.242.208.130
Feb 14 11:27:45 rcdevs1.webadm1 ntpd_intres[6182]: DNS 2.centos.pool.ntp.org -> 185.137.97.5
Feb 14 11:27:45 rcdevs1.webadm1 ntpd_intres[6182]: DNS 3.centos.pool.ntp.org -> 46.29.177.17
Feb 14 11:27:46 rcdevs1.webadm1 ntpd[6165]: Listen normally on 4 ens33 192.168.3.80 UDP 123
Feb 14 11:27:46 rcdevs1.webadm1 ntpd[6165]: new interface(s) found: waking up resolver
Feb 14 11:27:48 rcdevs1.webadm1 ntpd[6165]: Listen normally on 5 ens33 fe80::20c:29ff:fe1d:5dff UDP 123
Feb 14 11:27:48 rcdevs1.webadm1 ntpd[6165]: new interface(s) found: waking up resolver
Feb 14 11:27:53 rcdevs1.webadm1 ntpd[6165]: 0.0.0.0 c614 04 freq_mode
[root@rcdevs1 ~]# 

3.2 Time Zone

Be sure that the correct time zone is set. Verify it with the timedatectl command.

[root@rcdevs1 ~]# timedatectl
      Local time: Thu 2019-02-14 14:32:02 CET
  Universal time: Thu 2019-02-14 13:32:02 UTC
        RTC time: Thu 2019-02-14 13:32:02
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

To change it, get the list of all available time zones with timedatectl list-timezones and set it with timedatectl set-timezone Europe/Berlin for example.

[root@rcdevs1 ~]# timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Addis_Ababa
Africa/Algiers
...
[root@rcdevs1 ~]# timedatectl set-timezone Europe/Berlin
[root@rcdevs1 ~]# timedatectl
      Local time: Thu 2019-02-14 14:34:51 CET
  Universal time: Thu 2019-02-14 13:34:51 UTC
        RTC time: Thu 2019-02-14 13:34:52
       Time zone: Europe/Berlin (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

3.3 Public Pool Time Servers

On the NTP Public Pool Time Servers site, choose your continent and country. In this example, we choose Europe and Luxembourg.

server 2.lu.pool.ntp.org
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org

3.4 Configuration

Now, replace the default list of Public Pool Time Servers with the ones for your country. To do so, edit the NTP daemon configuration file /etc/ntp.conf and also add the line logfile /var/log/ntp.log.

[root@rcdevs1 ~]# vi /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
#restrict ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 2.lu.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor

logfile /var/log/ntp.log

[root@rcdevs1 ~]# 

Afterward, restart the NTP daemon with systemctl restart ntpd. Verify its status with systemctl status ntpd -l and check the log file /var/log/ntp.log.

[root@rcdevs1 ~]# systemctl restart ntpd
[root@rcdevs1 ~]# systemctl status ntpd -l
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-02-14 11:41:51 CET; 2s ago
  Process: 7327 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 7328 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─7328 /usr/sbin/ntpd -u ntp:ntp -g

Feb 14 11:41:51 rcdevs1.webadm1 systemd[1]: Starting Network Time Service...
Feb 14 11:41:51 rcdevs1.webadm1 ntpd[7328]: proto: precision = 0.029 usec
Feb 14 11:41:51 rcdevs1.webadm1 ntpd[7328]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Feb 14 11:41:51 rcdevs1.webadm1 systemd[1]: Started Network Time Service.
[root@rcdevs1 ~]# cat /var/log/ntp.log 
14 Feb 11:41:51 ntpd[7328]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
14 Feb 11:41:51 ntpd[7328]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
14 Feb 11:41:51 ntpd[7328]: Listen and drop on 1 v6wildcard :: UDP 123
14 Feb 11:41:51 ntpd[7328]: Listen normally on 2 lo 127.0.0.1 UDP 123
14 Feb 11:41:51 ntpd[7328]: Listen normally on 3 ens33 192.168.3.80 UDP 123
14 Feb 11:41:51 ntpd[7328]: Listen normally on 4 lo ::1 UDP 123
14 Feb 11:41:51 ntpd[7328]: Listen normally on 5 ens33 fe80::20c:29ff:fe1d:5dff UDP 123
14 Feb 11:41:51 ntpd[7328]: Listening on routing socket on fd #22 for interface updates
14 Feb 11:41:51 ntpd[7328]: 0.0.0.0 c016 06 restart
14 Feb 11:41:51 ntpd[7328]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
14 Feb 11:41:51 ntpd[7328]: 0.0.0.0 c011 01 freq_not_set
14 Feb 11:41:58 ntpd[7328]: 0.0.0.0 c614 04 freq_mode
[root@rcdevs1 ~]# 
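
The comments in the ntp.conf above tie two settings to CVE-2013-5211: the noquery flag on restrict default and disable monitor, with the caveat that the limited flag keeps monitoring enabled. The following added example, not part of the original guide, audits a configuration file for exactly those settings. The function name audit_ntp_conf, the OK/WARN/FAIL grading and the two samples marked as constructed are assumptions.

```shell
#!/bin/sh
# Added example (not from the RCDevs guide): audit an ntp.conf for the two
# settings its comments tie to CVE-2013-5211.
# Live use: audit_ntp_conf < /etc/ntp.conf

audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "restrict" {
            for (i = 2; i <= NF; i++) if ($i == "limited") limited = 1
            # Accept "restrict default ..." and "restrict -4|-6 default ..."
            d = ($2 ~ /^-[46]$/) ? 3 : 2
            if ($d == "default") {
                defaults++
                has = 0
                for (i = d + 1; i <= NF; i++) if ($i == "noquery") has = 1
                if (!has) open_default = 1
            }
        }
        $1 == "disable" {
            for (i = 2; i <= NF; i++) if ($i == "monitor") mon_off = 1
        }
        END {
            # Every default rule must carry noquery, and one must exist.
            noquery = (defaults > 0 && !open_default)
            # Per the config comment, "limited" keeps monitoring enabled.
            monitor = (mon_off && !limited)
            if (noquery && monitor)
                verdict = "OK"
            else if (noquery || monitor)
                verdict = "WARN"
            else
                verdict = "FAIL"
            printf "noquery_default=%s monitor_disabled=%s verdict=%s\n", (noquery ? "yes" : "no"), (monitor ? "yes" : "no"), verdict
            exit (verdict == "FAIL")
        }
    '
}

# Active lines of the ntp.conf shown on this page.
sample_page_conf() {
cat <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
#restrict ::1
server 2.lu.pool.ntp.org iburst
disable monitor
logfile /var/log/ntp.log
EOF
}

# Constructed sample: default rule without noquery, monitoring left on.
sample_weak_conf() {
cat <<'EOF'
restrict default nomodify notrap
server 2.lu.pool.ntp.org iburst
EOF
}

# Constructed sample: "limited" present, so "disable monitor" has no effect.
sample_limited_conf() {
cat <<'EOF'
restrict default limited kod nomodify notrap nopeer noquery
server 2.lu.pool.ntp.org iburst
disable monitor
EOF
}

# Demo run over the embedded samples.
sample_page_conf    | audit_ntp_conf
sample_weak_conf    | audit_ntp_conf || true
sample_limited_conf | audit_ntp_conf
```

Only the FAIL verdict, where neither protection is in effect, produces a non-zero exit status.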

3.5 Sync Time

Force a time synchronization and specify an NTP server with the command ntpdate -u 2.lu.pool.ntp.org.

[root@rcdevs1 ~]# ntpdate -u 2.lu.pool.ntp.org
14 Feb 13:51:17 ntpdate[16373]: adjust time server 85.93.216.115 offset 0.018919 sec
[root@rcdevs1 ~]# 

Show the NTP report with ntpstat.

[root@rcdevs1 ~]# ntpstat
synchronised to NTP server (185.137.97.5) at stratum 3 
   time correct to within 80 ms
   polling server every 64 s
[root@rcdevs1 ~]# 

3.6 Verify Sync

Do the following steps to verify that the NTP daemon is really synchronizing the time. Query the system clock with the command timedatectl status.

[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 11:53:44 CET
  Universal time: Thu 2019-02-14 10:53:44 UTC
        RTC time: Thu 2019-02-14 10:53:44
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]#

Verify if the NTP synchronization works. First, disable NTP synchronization with timedatectl set-ntp false. Afterward, change the system clock with timedatectl set-time 10:00:00, for example.

[root@rcdevs1 ~]# timedatectl set-ntp false
[root@rcdevs1 ~]# timedatectl set-time 10:00:00
[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 10:00:01 CET
  Universal time: Thu 2019-02-14 09:00:01 UTC
        RTC time: Thu 2019-02-14 09:00:02
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

Now, enable the NTP synchronization with timedatectl set-ntp true and verify it with timedatectl status.

[root@rcdevs1 ~]# timedatectl set-ntp true
[root@rcdevs1 ~]# timedatectl status
      Local time: Thu 2019-02-14 11:56:54 CET
  Universal time: Thu 2019-02-14 10:56:54 UTC
        RTC time: Thu 2019-02-14 09:00:53
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2018-10-28 02:59:59 CEST
                  Sun 2018-10-28 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2019-03-31 01:59:59 CET
                  Sun 2019-03-31 03:00:00 CEST
[root@rcdevs1 ~]# 

4. WebADM

WebADM regularly connects to an NTP server to check the server’s clock. If it detects a drift, a message is shown in the WebADM GUI under Admin and in the Background Job Log File under Databases.


-bash-4.2# cat /opt/webadm/logs/bgjobs.log | grep NTP
[2019-02-12 15:52:47] [5756] Checking NTP server time drift... Ok (exact match)
[2019-02-28 13:43:25] [5568] Checking NTP server time drift... Ok (exact match)
[2019-02-28 13:50:16] [6055] Checking NTP server time drift... Ok (113 seconds)
-bash-4.2# 

However, WebADM never synchronizes the server’s clock itself. You can point WebADM to any NTP server by adding it to the configuration file /opt/webadm/conf/webadm.conf.

-bash-4.2# vi /opt/webadm/conf/webadm.conf
#
# WebADM Server Configuration
#
...
# Misc options
#treeview_width 300
#treeview_items 1500
#default_portal Admin
#ldap_uidcase No
ntp_server "2.lu.pool.ntp.org"

-bash-4.2# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM PKI server... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sales@rcdevs.com for commercial information

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: LDAP Server (127.0.0.1)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (127.0.0.1)
Connected Session server: Session Server (::1)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
-bash-4.2#
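
In the bgjobs.log excerpt above, a drift of 113 seconds is still logged as "Ok", so matching on that word alone hides it. The following added example, not part of the original guide and not WebADM code, extracts the drift value from each check and compares it with a limit. The function name drift_report and the 60 second limit are assumptions; the sample lines are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not WebADM code): flag NTP drift entries in bgjobs.log.
# Live use: drift_report 60 < /opt/webadm/logs/bgjobs.log
# The 60 s limit is an assumed threshold.

drift_report() {
    # $1 = largest tolerated drift in seconds; log text on stdin
    awk -v max="$1" '
        /Checking NTP server time drift\.\.\./ {
            ts = substr($0, 2, 19)              # "YYYY-MM-DD HH:MM:SS"
            detail = $0
            # The result is expected in parentheses at the end of the line.
            if (detail !~ /\(.*\)/) { print "UNPARSED " ts; bad++; next }
            sub(/^.*\(/, "", detail)
            sub(/\).*$/, "", detail)
            if (detail == "exact match")
                drift = 0
            else if (detail ~ /^[0-9]+ seconds?$/)
                drift = detail + 0
            else {
                # Unknown wording is reported rather than guessed at.
                print "UNPARSED " ts " (" detail ")"; bad++; next
            }
            checked++
            if (drift > max + 0) { print "DRIFT " ts " " drift "s"; bad++ }
        }
        END {
            # No check lines at all is a finding in itself.
            if (checked == 0 && bad == 0) {
                print "NODATA no drift checks found"; exit 2
            }
            exit (bad > 0)
        }
    '
}

# The three log lines shown on this page.
sample_bgjobs() {
cat <<'EOF'
[2019-02-12 15:52:47] [5756] Checking NTP server time drift... Ok (exact match)
[2019-02-28 13:43:25] [5568] Checking NTP server time drift... Ok (exact match)
[2019-02-28 13:50:16] [6055] Checking NTP server time drift... Ok (113 seconds)
EOF
}

# Demo run over the embedded sample.
sample_bgjobs | drift_report 60 || true
```

Exit status 0 means every check was within the limit, 1 means at least one entry exceeded it or could not be parsed, and 2 means the log contained no drift checks.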