Introduction

Since Kerberos networks require that all participating hosts have their clocks synchronized within 5 minutes of the KDCs, we need to implement some mechanism for doing this. There are several ways to keep your DAS clients synchronized:

Simply setting the clock manually will probably cause you headaches later, since it may not be clear why authentication is failing.

We will only look at two methods: running ntpd or running ntpdate via cron. Of the two methods, running the NTP daemon is preferred. However, there may be cases where you do not want the overhead of running ntpd and you want to use a simpler approach.

The NTP daemon listens on UDP port 123, and NTP clients may use a source port of 123, or standard non-privileged ports. Some firewalls do not accept traffic when clients use a UDP source port < 1024.

Assumptions

These are step-by-step instructions for configuring and testing NTP servers and clients. The instructions are Red Hat/Fedora specific, but the config files should work on Debian and Mandrake. There is a FreeBSD link in the References section. These instructions assume the following:

Instructions for Setting up ntpd on DAS Clients

Step 1: Make sure that the NTP package is installed

If you followed the baseline OS installation procedures for Red Hat 9, the package should already be installed. According to Red Hat, there are currently no security updates for it.

[root@das-m etc]# rpm -qa | grep ntp
ntp-4.1.2-0.rc1.2

The package includes ntpd, a utility called ntpdate, manpages, and other documentation.

Step 2: Test NTP connectivity to your DAS servers

To make sure that you can successfully make NTP queries to DAS-M or DAS-S, use the ntpdate command like this:

[root@labdemo2 root]# ntpdate -q das-m das-s
server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583
10 Jun 10:11:08 ntpdate[30613]: adjust time server 10.10.22.42 offset 0.020712 sec

This queries the NTP servers, but does not set the clock. For more information, you can use the -d (debug) option instead, which also does not set the clock.

Step 3: Make sure your clock is not out to lunch

Use the date command to make sure that your timezone is correct, and that your system clock is not already way out of whack. Correct as necessary.

Step 4: Configure the /etc/ntp.conf config file

The /etc/ntp.conf file controls the behaviour of the NTP daemon. The config we are using will restrict access to the loopback, and specify das-m and das-s as the servers. It is fairly simple:

# DAS Client ntpd config
# Configured by Van, 8-8-2003
#

# Ignore all NTP traffic by default, then allow the loopback interface
restrict default ignore
restrict 127.0.0.1

# Our Time Servers (das-s and das-m)
# Accept time from each server, but refuse runtime config changes (nomodify),
# trap messages (notrap) and ntpq/ntpdc status queries (noquery) from them
restrict 10.10.22.40 mask 255.255.255.255 nomodify notrap noquery
restrict 10.10.22.42 mask 255.255.255.255 nomodify notrap noquery
server 10.10.22.40    ## das-s
server 10.10.22.42    ## das-m

# Local clock driver is fudged to stratum 10 so it is never preferred over das-s/das-m
fudge   127.127.1.0 stratum 10

# Where ntpd records the clock's measured frequency error between restarts
driftfile /etc/ntp/drift
broadcastdelay  0.008

# Symmetric-key authentication is not used between DAS clients and servers
authenticate no

keys            /etc/ntp/keys

# End Config

Step 5: Start the NTP daemon and make sure it is running

[root@labdemo2 log]# /etc/init.d/ntpd start
Starting ntpd:                                             [  OK  ]

[root@labdemo2 log]# pgrep -l ntp
30772 ntpd

[root@labdemo2 log]# netstat -una | grep 123
udp        0      0 10.10.22.41:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*

Step 6: Configure ntpd to start automatically at boot time

[root@labdemo2 etc]# chkconfig ntpd off
[root@labdemo2 etc]# chkconfig --level 345 ntpd on
[root@labdemo2 etc]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:on    4:on    5:on    6:off

Step 7: Verify that your server is synchronized with its NTP source

It may take a number of minutes for the clock to synchronize. You can use the ntpdc command to view information about ntpd's status. It can be used in interactive mode, by simply entering ntpdc, or invoked with the -c switch to run the commands from the shell prompt. Here is a list of useful ntpdc commands:

When your NTP daemon is synchronized, it should look something like this, with a * on the far left:

[root@labdemo2 etc]# ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=das-m           10.10.22.41    3  512  377 0.00070  0.033431 0.00563
*das-s           10.10.22.41    3  512  376 0.00029  0.017484 0.00369
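
To make the checks from Step 2 and Step 7 scriptable, here is an added POSIX shell example (not part of the original instructions) that parses ntpdate -q output for per-server offsets and ntpdc -c peers output for the * system peer. The two sample outputs are constructed from the transcripts in this guide, and the 60-second warning threshold is an assumption chosen well inside the 5-minute Kerberos limit.

```shell
#!/bin/sh
# Added example: verify NTP health from ntpdate -q and ntpdc -c peers output.
# Both samples below are constructed from the transcripts in this guide.
SAMPLE_NTPDATE='server 10.10.22.42, stratum 3, offset 0.020712, delay 0.02576
server 10.10.22.40, stratum 3, offset 0.025256, delay 0.02583'

SAMPLE_PEERS='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=das-m           10.10.22.41    3  512  377 0.00070  0.033431 0.00563
*das-s           10.10.22.41    3  512  376 0.00029  0.017484 0.00369'

# Assumed warning threshold in seconds, well inside the 5-minute Kerberos limit.
MAX_OFFSET=${MAX_OFFSET:-60}

# Returns 0 when at least one server answered and every |offset| <= MAX_OFFSET.
check_ntpdate_offsets() {
    printf '%s\n' "$1" | awk -v max="$MAX_OFFSET" '
        /^server / {
            off = ""
            for (i = 1; i <= NF; i++) if ($i == "offset") off = $(i + 1) + 0
            if (off == "") { bad++; next }   # malformed line: treat as failure
            if (off < 0) off = -off
            n++
            if (off > max) bad++
        }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Prints the system peer (the line marked with "*") and returns 1 if ntpd has
# not yet selected one, i.e. the clock is not synchronized.
synced_peer() {
    printf '%s\n' "$1" | awk '
        /^\*/ { print substr($1, 2); found = 1 }
        END   { exit found ? 0 : 1 }'
}

# Live usage on a DAS client (not run here):
#   check_ntpdate_offsets "$(ntpdate -q das-m das-s)" && synced_peer "$(ntpdc -c peers)"
```

Both functions exit non-zero on trouble, so they can be dropped into a cron job or monitoring check that alerts before skew reaches the point where Kerberos authentication starts failing.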

Instructions for Using ntpdate with cron

In some situations, running ntpd on every DAS client is overkill. You can use ntpdate to set the time periodically via NTP. Here are the basic commands:

[root@labdemo2 etc]# ntpdate das-m
10 Jun 11:42:35 ntpdate[32709]: adjust time server 10.10.22.42 offset 0.085310 sec
[root@labdemo2 etc]# ntpdate -u das-m
10 Jun 11:42:41 ntpdate[32710]: adjust time server 10.10.22.42 offset 0.082466 sec

The -u option makes the query from a non-privileged UDP source port, and may be necessary depending on what host-based or network firewalls are between your DAS client and your DAS server. You can also specify both DAS servers as NTP sources for redundancy:

[root@labdemo2 etc]# ntpdate -u das-s das-m
10 Jun 11:43:41 ntpdate[32711]: adjust time server 10.10.22.42 offset 0.055390 sec

If you want to run this command hourly, or daily, just place it in the appropriate cron directory. For example, to run the ntpdate command hourly, you would create a bash script called ntpdate-hourly:

#!/bin/bash
# Run ntpdate hourly to keep clocks in sync
# -u: query from an unprivileged UDP source port (works with most firewalls/NAT)
# -s: log the result to syslog instead of stdout, so cron does not mail it

ntpdate -u -s das-s das-m

# End script

The -s option sends the command output to syslog instead of standard output, so that cron will not send you an e-mail every hour when the command runs successfully. You can see the result by looking at the /var/log/messages log file instead. The -u option allows the client to use an unprivileged source port for the query, which works best with many firewalls and NAT devices.

Now copy the script to the /etc/cron.hourly directory and change the permissions:

[root@labdemo2 root]# cp -v ntpdate-hourly /etc/cron.hourly
`ntpdate-hourly' -> `/etc/cron.hourly/ntpdate-hourly'
[root@labdemo2 root]# chmod 0750 /etc/cron.hourly/ntpdate-hourly



Your DAS clients should now be automatically updated with the correct time, and you will not have any Kerberos problems related to time skew.


References

The NTP home page
Dr. David Mills' NTP page
FreeBSD NTP Setup Guide
Practical Guide to Date, Time, and Time Zones for Red Hat Linux