NTP: Difference between revisions
The ntp server command forms a server association with another system, and set ntp client enable activates the NTP client.
NTP Security
You should always be aware of how NTP can be affected by your network's security policy. Here are some common areas of concern.
Firewalls and NTP
NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (above 1023), but 123 also. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.
A sample Linux iptables firewall script snippet is in Appendix II, "Codes, Scripts, and Configurations".
NTP Authentication
There may be cases where you want to not only restrict NTP synchronization to specific networks but also to require a synchronization password. This is beyond the scope of this book, but is covered in detail at the NTP website www.ntp.org.
Configuring Your Windows NTP Client
Windows clients that are part of an Active Directory domain automatically get their time synchronized from the domain server. If your client is not part of a domain you can add your new NTP server to your Windows client. Here's how:
1. Click on the time at the bottom right hand side of your screen.
2. Click on the "Internet Time" tab of the dialog box.
3. Click the check box labeled "Automatically synchronize with an Internet time server" and enter the name or IP address in the box underneath it.
4. Click on the "Update Now" button.
You will get a message saying "Your time has been successfully synchronized" when the operation is complete.
Conclusion
It is important that all the systems under your control have the same accurate time. It can help to give a very clear indication of a chain of events that involve multiple devices, and it can also help in the synchronization of time-sensitive transactions.
Revision as of 20:14, 22 June 2008 (Sunday)
Source: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server
Introduction
The Network Time Protocol (NTP) is a protocol used to help synchronize your Linux system's clock with an accurate time source. There are public NTP servers that allow the general public to synchronize with them. They are divided into two types:
* Stratum 1: NTP sites using an atomic clock for timing.
* Stratum 2: NTP sites with slightly less accurate time sources.
It is good practice to have at least one server on your network be the local time server for all your other devices. This makes the correlation of system events on different systems much easier. It also reduces Internet bandwidth usage due to NTP traffic and reduces the need to manage firewall rules for each NTP client on your network. Sometimes, not all your servers will have Internet access; in such cases you'll need a central server that all can access.
For a list of available Stratum 1 and 2 servers consult http://www.ntp.org/
Downloading and Installing the NTP Package
Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", has all the details.
When searching for the file, remember that the NTP RPM's filename usually starts with the word ntp followed by a version number as in ntp-4.1.2-5.i386.rpm.
The /etc/ntp.conf File
The /etc/ntp.conf file is the main configuration file for Linux NTP in which you place the IP addresses of the stratum 1 and stratum 2 servers you want to use. Here are the steps to create a configuration file using a pair of sample Internet-based NTP servers:
1) First we specify the servers you're interested in:
<pre>server otherntp.server.org # A stratum 1 server at server.org
server ntp.research.gov # A stratum 2 server at research.gov
</pre>
2) Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.
<pre>restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
</pre>
The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.
3) If this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, then you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement removing the noquery keyword to allow the network to query your NTP server. The syntax is:
<pre>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
</pre>
In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.
4) We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords:
<pre>restrict 127.0.0.1
</pre>
5) Save the file and restart NTP for these settings to take effect. You can now configure other Linux hosts on your network to synchronize with this new master NTP server in a similar fashion.
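As an added example (not code from the original chapter), the following Python script audits an ntp.conf against the four rules just described: every server line has a matching restrict line carrying nomodify notrap noquery, client networks carry nomodify notrap but not noquery, and 127.0.0.1 is left unrestricted. The two embedded files, the hostnames in them and the names WEAK_NTP_CONF, HARDENED_NTP_CONF and audit are constructed for this demonstration; the weak file deliberately breaks each rule once so that the report shows one finding per step.

```python
"""Audit an ntp.conf against the access rules in steps 1-4 above (added example)."""
import ipaddress

# Constructed sample that breaks each rule once: the second server has no restrict line,
# the client network keeps noquery, and localhost carries a restricting keyword.
WEAK_NTP_CONF = """\
server otherntp.server.org   # A stratum 1 server at server.org
server ntp.research.gov      # A stratum 2 server at research.gov

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery
restrict 127.0.0.1 nomodify
"""

# The same file corrected as steps 1-4 describe.
HARDENED_NTP_CONF = """\
server otherntp.server.org   # A stratum 1 server at server.org
server ntp.research.gov      # A stratum 2 server at research.gov

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
"""

UPSTREAM_FLAGS = {"nomodify", "notrap", "noquery"}   # step 2: upstream servers
CLIENT_FLAGS = {"nomodify", "notrap"}                # step 3: client networks (noquery removed)


def parse_ntp_conf(text):
    """Return (servers, restricts). Each restrict is {'target', 'mask', 'flags'};
    '#' comments are stripped and other directives are ignored."""
    servers, restricts = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 2:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) >= 2:
            mask, flags = None, parts[2:]
            if len(flags) >= 2 and flags[0] == "mask":
                mask, flags = flags[1], flags[2:]
            restricts.append({"target": parts[1], "mask": mask, "flags": set(flags)})
    return servers, restricts


def is_client_network(entry):
    """True for a restrict covering a whole network: an IP target with a non-host mask."""
    try:
        ipaddress.ip_address(entry["target"])
    except ValueError:
        return False          # hostnames are single upstream servers, not networks
    return entry["mask"] not in (None, "255.255.255.255")


def audit(text):
    """Return findings as strings; an empty list means the file follows steps 1-4."""
    servers, restricts = parse_ntp_conf(text)
    by_target = {r["target"]: r for r in restricts}
    findings = []
    for host in servers:
        entry = by_target.get(host)
        if entry is None:
            findings.append(f"server {host}: no restrict line (step 2)")
        elif UPSTREAM_FLAGS - entry["flags"]:
            missing = " ".join(sorted(UPSTREAM_FLAGS - entry["flags"]))
            findings.append(f"server {host}: restrict lacks {missing} (step 2)")
    for entry in restricts:
        if not is_client_network(entry):
            continue
        if "noquery" in entry["flags"]:
            findings.append(f"client network {entry['target']}: noquery blocks time queries (step 3)")
        if CLIENT_FLAGS - entry["flags"]:
            findings.append(f"client network {entry['target']}: should carry nomodify notrap (step 3)")
    local = by_target.get("127.0.0.1")
    if local is None:
        findings.append("localhost: no restrict 127.0.0.1 line (step 4)")
    elif local["flags"]:
        findings.append(f"localhost: unexpected keywords {' '.join(sorted(local['flags']))} (step 4)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(name, audit(conf) or "OK")
```

Run it against a real /etc/ntp.conf by reading the file into audit(); the checks are only the ones this chapter states, so a default restrict line or authentication keys fall outside what it reports.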
How To Get NTP Started
You have to restart the NTP process every time you make a change to the configuration file for the changes to take effect on the running process.
To get NTP configured to start at boot, use the line:
<pre>[root@bigboy tmp]# chkconfig ntpd on
</pre>
To start, stop and restart NTP after booting, follow these examples:
<pre>[root@bigboy tmp]# service ntpd start
[root@bigboy tmp]# service ntpd stop
[root@bigboy tmp]# service ntpd restart
</pre>
Testing And Troubleshooting NTP
After configuring and starting NTP, you should test it to make sure it is working. Here are some guidelines you can follow to get NTP working correctly.
Verifying NTP Is Running
To test whether the NTP process is running use the command
<pre>[root@bigboy tmp]# pgrep ntpd
</pre>
You should get a response of plain old process ID numbers.
Doing an Initial Synchronization
If the time on the local server is very different from that of its primary time server, your NTP daemon will eventually terminate itself, leaving an error message in the /var/log/messages file. You should run the ntpdate -u command to force your server to become instantly synchronized with its NTP servers before starting the NTP daemon for the first time. The ntpdate command doesn't run continuously in the background; you will still have to run the ntpd daemon to get continuous NTP updates.
Take a look at some sample output of the ntpdate command in which a server whose initial time was set to midnight was correctly set to 8:03 am.
- The date was originally set to midnight which was verified by using the date command.
<pre>[root@smallfry tmp]# date
Thu Aug 12 00:00:00 PDT 2004
[root@smallfry tmp]#
</pre>
- The ntpdate command is run three times to synchronize smallfry's clock to server 192.168.1.100, but it must be run while the ntpd process is stopped. So you'll have to stop ntpd, run ntpdate and then start ntpd again.
<pre>[root@smallfry tmp]# service ntpd stop
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:38 ntpdate[2472]: step time server 192.168.1.100 offset 28993.084943 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:40 ntpdate[2472]: step time server 192.168.1.100 offset 2.467652 sec
[root@smallfry tmp]# ntpdate -u 192.168.1.100
Looking for host 192.168.1.100 and service ntp
host found : bigboy.my-site.com
12 Aug 08:03:42 ntpdate[2472]: step time server 192.168.1.100 offset 0.084943 sec
[root@smallfry tmp]# service ntpd start
[root@smallfry tmp]#
</pre>
- The date is now corrected.
<pre>[root@smallfry tmp]# date
Thu Aug 12 08:03:45 PDT 2004
[root@smallfry tmp]#
</pre>
Determining If NTP Is Synchronized Properly
Use the ntpq command to see the servers with which you are synchronized. It provides you with a list of configured time servers and the delay, offset and jitter that your server is experiencing with them. For correct synchronization, the delay and offset values should be non-zero and the jitter value should be under 100.
<pre>[root@bigboy tmp]# ntpq -p
</pre>
Here is some sample output of the command:
<pre>     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
</pre>
Your Linux NTP Clients Cannot Synchronize Properly
A telltale sign that you haven't got proper synchronization is when all the remote servers have jitters of 4000 with delay and reach values of 0.
<pre>     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
</pre>
This could be caused by the following:
* Older versions of the NTP package that don't work correctly if you use the DNS name for the NTP servers. In these cases you will want to use the actual IP addresses instead.
* A firewall blocking access to your Stratum 1 and 2 NTP servers. This could be located on one of the networks between the NTP server and its time source, or firewall software such as iptables could be running on the server itself.
* The notrust nomodify notrap keywords are present in the restrict statement for the NTP client. In some versions of Fedora Core 2's implementation of NTP, clients will not be able to synchronize with a Fedora Core 2 time server unless the notrust nomodify notrap keywords are removed from the NTP client's restrict statement.
In this example the restrict statement has only the client network defined without any keywords and the configuration line that works with other NTP versions has been commented out:
<pre># -- CLIENT NETWORK -------
#restrict 172.16.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 172.16.1.0 mask 255.255.255.0
</pre>
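As an added example (not part of the original chapter), a small Python script that parses `ntpq -p` output and flags the telltale state described above: no selected system peer, and every remote server showing stratum 16, reach 0 and a jitter of 4000. The two embedded samples are re-wrapped from the outputs shown on this page; the `Peer`, `parse_ntpq` and `diagnose` names are my own.

```python
from dataclasses import dataclass

# Constructed samples, re-wrapped from the two `ntpq -p` outputs shown on this page.
HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
"""
BROKEN = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""
TALLY_CODES = set("*+-#x.o ")  # ntpq selection-status characters in column 1

@dataclass
class Peer:
    tally: str     # '*' system peer, '+' candidate, '-' outlier, ' ' rejected/unreached
    remote: str
    stratum: int   # 16 means "unsynchronized"
    reach: int     # shift register of the last eight polls; ntpq prints it in octal
    jitter: float
    def unreachable(self) -> bool:
        # The page's telltale sign: stratum 16, reach 0, and the 4000 ms placeholder jitter.
        return self.reach == 0 and self.stratum == 16 and self.jitter >= 4000.0

def parse_ntpq(text: str) -> list:
    peers = []
    for line in text.splitlines()[2:]:  # skip the header row and the ==== rule
        if not line.strip():
            continue
        tally, rest = (line[0], line[1:]) if line[0] in TALLY_CODES else (" ", line)
        f = rest.split()  # remote refid st t when poll reach delay offset jitter
        if len(f) != 10:
            continue
        peers.append(Peer(tally, f[0], int(f[2]), int(f[6], 8), float(f[9])))
    return peers

def diagnose(text: str) -> dict:
    peers = parse_ntpq(text)
    remote = [p for p in peers if not p.remote.startswith("LOCAL(")]
    dead = [p.remote for p in remote if p.unreachable()]
    syspeer = next((p.remote for p in peers if p.tally == "*"), None)
    return {"syspeer": syspeer, "unreachable": dead,  # unsynchronized: no peer chosen, all dead
            "not_synchronized": syspeer is None and bool(remote) and len(dead) == len(remote)}
```

Feed it the live output of `ntpq -p` instead of the embedded samples to turn it into a monitoring check.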
=== Fedora Core 2 File Permissions ===
All the Fedora/RedHat NTP daemons write temporary files to the /etc/ntp directory. Unfortunately, in Fedora Core 2, the permissions on this directory don't allow temporary files to be written there. You have to set the owner and group of the directory to ntp:
<pre>[root@bigboy tmp]# chown ntp:ntp /etc/ntp
</pre>
If you don't, you'll get errors like this in the /var/log/messages file:
<pre>Aug 12 00:29:45 smallfry ntpd[2097]: can't open /etc/ntp/drift.TEMP: Permission denied
</pre>
== Configuring Cisco Devices to Use an NTP Server ==
You can use NTP to synchronize time on a variety of devices, including networking equipment. I have included the necessary NTP commands for a variety of Cisco Systems products because Cisco is one of the most popular manufacturers of networking equipment and features in the overall architectures of many small office/home office (SOHO) environments and corporate departments.
=== Cisco IOS ===
To make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201, use the commands:
<pre>ciscorouter> enable
password: *********
ciscorouter# config t
ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit
ciscorouter# wr mem
</pre>
The ntp server command forms a server association with another system, and ntp update-calendar configures the system to update its hardware clock from the software clock at periodic intervals.
=== CatOS ===
To make your switch synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201, use the commands:
<pre>ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# ntp server 192.168.1.100
ciscoswitch# ntp server 192.168.1.201
ciscoswitch# exit
</pre>
The ntp server command forms a server association with another system, and set ntp client enable activates the NTP client.
== NTP Security ==
You should always be aware of how NTP can be affected by your network's security policy. Here are some common areas of concern.
=== Firewalls and NTP ===
NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't an ephemeral high port (above 1023); it is also 123. You'll therefore have to allow UDP traffic with source and destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.
A sample Linux iptables firewall script snippet is in Appendix II, "Codes, Scripts, and Configurations".
=== NTP Authentication ===
There may be cases where you want to not only restrict NTP synchronization to specific networks but also to require a synchronization password. This is beyond the scope of this book, but is covered in detail at the NTP website www.ntp.org.
== Configuring a Windows NTP Client ==
Windows clients that are part of an Active Directory domain automatically get their time synchronized from the domain server. If your client is not part of a domain you can add your new NTP server to your Windows client. Here's how:
1. Click on the time at the bottom right-hand side of your screen.
2. Click on the "Internet Time" tab of the dialog box.
3. Click the check box labeled "Automatically synchronize with an Internet time server" and enter the name or IP address in the box underneath it.
4. Click on the "Update Now" button.
You will get a message saying "Your time has been successfully synchronized" when the operation is complete.
== Conclusion ==
It is important that all the systems under your control have the same accurate time. It gives a very clear indication of the chain of events that involve multiple devices, and it also helps in the synchronization of time-sensitive transactions.
Having an NTP server on your local network can make this easier to do. Sometimes it isn't desirable for all your NTP clients to have access to the Internet to synchronize with stratum 1 and 2 servers, and even when they all have access there is the risk of them losing synchronization if the central connection to the Internet is lost. The maintenance of firewall rules for multiple NTP connections to the Internet can also be daunting, especially if the management of the firewall is handled by another group.
A local NTP server can ensure that the clients all have the same time relative to the server even when Internet connectivity is temporarily lost thereby reducing the problems of them being out of synchronization with each other. The firewall rules can also be greatly simplified. A local NTP server is frequently a good thing to have for these reasons.