Christian Reina, CISSP's picture

This is probably a stupid question, but I tried to search your forum for anything regarding setting up ntp.

Our company only allows one specific ntp server and when i edit the time sync tab, i get the above msg.

Thanks! no rush

Forum: 
Alon Swartz's picture

The package ntpdate is not installed by default, but ntp (Network Time Protocol daemon and utility programs) is.

Installing ntpdate should be as simple as:
apt-get update
apt-get install ntpdate
I am assuming you are referring to the Webmin Time Sync tab. If you are, then this is a bug in the webmin packaging (webmin-time), and it should depend, or atleast recommend ntpdate, if configuring webmin-time to use the ntp package is not an option. If its not an option, and this is a bug, then we will include ntpdate in future appliance releases, and thanks for reporting it.
Christian Reina, CISSP's picture

You are correct. I'm referring to the Webmin Time Sync. I installed ntpdate and made changes to the ntp.conf file to point to the ip address.

ntpq -p shows the correct ntp server, but ntpdate -d ipaddress gives me the following error: 

Nov 13:26:00 ntpdate[11724]: no server suitable for synchronization found

The above error is identical to the one I get on webmin if I manually add the ip address or if I go in the module config and enter the ip as the default time server.

Thank you for your support

Christian Reina, CISSP | Security Professional

888.338.3666 | christian[at]christianreina.com

W W W . C H R I S T I A N R E I N A . C O M

Alon Swartz's picture

ntpdate seems to work on my side, both ntpdate pool.ntp.org and by specifying and IP address.

It sounds like a connectivity issue. Have you setup the firewall on the appliance? Maybe the firewall/router on your LAN is limiting traffic? Can you connect to the NTP server with netcat, port 123?

Maybe its time to break out the sniffer :)
Christian Reina, CISSP's picture

no issues with the firewall but web content filtering was blocking it.

Christian Reina, CISSP | Security Professional

888.338.3666 | christian[at]christianreina.com

W W W . C H R I S T I A N R E I N A . C O M

Peter Goodall's picture

Just to confirm - I have the current Mediawiki appliance 2009.10, and needed to install ntupdate to get time synchronization to work.

Thanks for all the great work.

--Peter Goodall

Alon Swartz's picture

Thanks for the confirmation. I have just updated webmin-time to depend on ntpdate, so it will be included in future appliance releases.
bulek's picture

Just a quick related question. If I want to permanently set up NTP server to certain URL of national NTP server - what config files do I have to change, so it will be setup by default ?

Thanks in advance

Neil Aggarwal's picture

The time servers are listed in /etc/ntp.conf

You should see a line like this:

 server ntp.ubuntu.com

You can set the server line to whatever you like.

bulek's picture

Hi, can I setup TKL to sync from certain or default NTP server automatically, or is perhaps already setup to do so ?

If not already setup to sync automatically, what should I do to make this work via TKLPatch ?

Thanks in advance,
Bulek.

Neil Aggarwal's picture

I believe all the TKL appliances are set by default to use NTP (I just checked the Joomla appliance and it uses ntp.ubuntu.com) so there is nothing you have to do.

The previous post was asking how he can set up an appliance to use a specific NTP server instead of the default ones.

John Carver's picture

ntpdate has been deprecated since about 2007.  It is incompatible with ntpd and if the ntpd daemon is running you get this error when using ntpdate.

# ntpdate pool.ntp.org
23 Jan 16:12:27 ntpdate[14411]: the NTP socket is in use, exiting

If webmin is still using ntpdate, a bug report should filed telling them to use ntpd -gq instead.  From the ntpd man page:

-g     Normally, ntpd exits with a message to the system log if the offset  exceeds  the  panic
       threshold,  which  is  1000  s by default.  This option allows the time to be set to any
       value without restriction; however, this can happen only  once.   If  the  threshold  is
       exceeded  after  that, ntpd will exit with a message to the system log.  This option can
       be used with the -q and -x options.

-q     Exit the ntpd just after the first time the clock is set.  This behavior mimics that  of
       the  ntpdate  program,  which  is to be retired.  The -g and -x options can be used with
       this option.  Note: The kernel time discipline is disabled with this option.

Ubuntu and TKL start ntpd with the -g option, so this shouldn't be necessary if ntpd is able to contact ntp.ubuntu.com during boot.

Information is free, knowledge is acquired, but wisdom is earned.

John Carver's picture

Webmin seems blissfully unaware of the existence of ntpd.  The 'Time server sync' tab on the System Time page allows ntpdate, if it is present, to be run periodically, probably via cron.  This functionality is redundant under TurnKey Linux which configures ntpd to set the time at boot and sync it ntp.ubuntu.com or other servers thereafter.  The 'Time server sync' tab should probably be hidden.  I know there are some configuration options in webmin, but it's been a long time since I've tried to customize webmin.  After poking around the webmin directory, it appears that the tab can be hidden by modifying the defaultacl.  Warning: I don't know if this causes any side effects.

In the file 
/usr/share/webmin/time/defaultacl 
change
ntp=1 to ntp=0

There once was a third-party NTP module for Webmin, but it is no longer available.  I wasn't able to locate an alternate source.  It would be nice to have a tabbed page to configure the ntp servers in /etc/ntp.conf and start/stop the ntpd daemon.  For now, the only way to control ntpd in Webmin is via the Command Console.

Information is free, knowledge is acquired, but wisdom is earned.

Liraz Siri's picture

Thank you for looking into this John. We'll see if maybe we should at least hide the 'time server sync' tab in the next release. Hopefully Webmin will support ntpd configuration in future versions. I've filed a bug report.
Liraz Siri's picture

I've also run into that issue with dovecot killing itself when the system goes back in time.

Unfortunately, we've since discovered that ntpdate is a necessary evil. ntpd tweaks your clock continually to keep it accurate. That only works for small time discrepancies. If your clock is way out of whack (e.g., the wrong date) ntpd won't help you.

Unfortunately, in certain situations involving virtualization it's easy for the clock to fail spectacularly and since certain services such as TKLBAM require an accurate clock to function, ntpdate is indispensable.

At least usually with virtualization the problem is that the clock is stuck in the past so if you shift it into the future, Dovecot should still work.

Jeremy Davis's picture

Although I suspect that your info is somewhat irrelevant for TurnKey. By default TurnKey does auto time updates from an external/remote ntp server.

Jeremy Davis's picture

But you could just use ping to see if the remote NTP server is available.

Jeremy Davis's picture

Perhaps there's even an NTP log? A google should hopefully head you in the right direction.

Otherwise I guess you could explicitly set a cron job to update time and set it to log to a custom file.

Add new comment