John Lockwood

Q: OS X Server as NTP server

Apple used to provide an obvious option in Server Admin to enable an NTP time server; this option is not visible in Server.app.

 

However, supposedly one can edit /etc/ntp-restrict.conf and thereby enable the NTPd server. This does not appear to be working for me but I suspect this is because the server in question is on a network disconnected from the Internet and outside world. This is why I want to use the Mac as the NTP server because a normal Internet NTP server cannot be used.

 

Does anyone know of a way to get the built-in NTPd to run in this sort of situation? If not, does anyone have a suggestion for an alternative NTP server program for a Mac?

 

The server is running Yosemite 10.10.3 and Server.app 4.1

Posted on Jun 4, 2015 9:59 AM


  • by Erich Wetzel,

    Erich Wetzel Jun 4, 2015 10:10 AM in response to John Lockwood
    Level 2 (341 points)

    You probably found this already but it seems to be working for our server OS 10.10.3 and Server 4.1. I cannot remember anything about actually implementing it. However, it must have worked since our clients seem to be keeping time.

     

    http://blog.philippklaus.de/2012/11/setup-an-ntp-server-in-mac-os-x-10-8/

  • by John Lockwood,

    John Lockwood Jun 4, 2015 12:00 PM in response to Erich Wetzel
    Level 6 (9,230 points)
    Servers Enterprise

    I have looked at similar articles to the one you link to, and this is my source for the need to modify /etc/ntp-restrict.conf. However, /etc/hostconfig no longer exists with Yosemite and Server 4.1. Apple now exclusively use launchctl, and I believe the appropriate one in this case is /System/Library/LaunchDaemons/org.ntp.ntpd.plist. If I try loading it, it says it is already loaded, and running Activity Monitor shows an ntpd process already running.

     

    My suspicion is that if the ntpd process cannot communicate with a parent ntp server then it will not accept requests from ntp clients. Remember my server is not connected to the Internet.

  • by John Lockwood, Solved answer

    John Lockwood Jun 11, 2015 4:27 AM in response to John Lockwood
    Level 6 (9,230 points)
    Servers Enterprise

    Ok I finally managed to solve this. First a summary of the issue.

     

    OS X - both client and server include the standard ntpd software which can act as an NTP time server. It is common practice on larger networks i.e. anything bigger than a home network to nominate an internal server as your internal NTP server and then have that NTP server sync itself to two or more external higher stratum NTP servers. As a reminder directory services like Open Directory and Active Directory or more specifically Kerberos require that all the clocks of the computers on the network be within five minutes accuracy of each other.

     

    A lot of people will either just leave their client Macs pointing directly to Apple's free NTP servers, or may have gotten as far as setting up a Mac as an NTP server and then pointing their clients to it. I had been able to set up a Mac server as an NTP server internally on our main network and it in turn was syncing to Apple's NTP server. An example guide on how to set up a Mac as an internal NTP server is here: https://macmule.com/2013/12/15/how-to-use-osx-server-as-a-time-server/

     

    The problem arose when I tried to do this on our other ultra-secure network which does not have an Internet connection at all. With no Internet connection the Mac server itself had no source to which it could sync, and without a source to sync to it would not allow any clients to sync to it. This is as far as I got before I posted this original query. The above article does not cope with this situation.

     

    I have now managed to find the solution. In a similar situation some larger organisations solve this by connecting a GPS clock to the server and configuring that as the NTP source for their server. The ntpd server, by having this as a valid time source, is then happy to itself serve to client computers. I could have done this but it would have involved buying a GPS clock and all the hassle of trying to get that working with a Mac. I did however find that there is a way to define a local computer clock - literally something referred to as a LCL. See http://www.ntp.org/ntpfaq/NTP-s-refclk.htm

     

    To cut a long story short, one needs to define a special local address for the Mac server to use its own clock as its own local clock source. This is done by adding the following two lines to /etc/ntp.conf on your server.

     

    server 127.127.1.1

    fudge 127.127.1.1 stratum 10

     

    You then need to reload the ntpd process on the Mac server so it is forced to reread this preference file. I did this by force-quitting via Activity Monitor the ntpd process(es) but using the kill command or using launchctl are other methods.

     

    Then all you need to do is point your client computers to your own internal NTP server.
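
Added example (not part of the original post): a small Python check for the behaviour described in the answer above, decoding an NTP reply and applying the header sanity checks an SNTP client uses before trusting it. The two sample packets are constructed for illustration (an unsynchronised server, and a server advertising stratum 11 as it would with a stratum 10 local clock); `query()` is a hypothetical helper for testing against your own server.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def parse_reply(packet: bytes) -> dict:
    """Decode the header fields a client inspects before trusting a reply."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes; got %d" % len(packet))
    first, stratum = packet[0], packet[1]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    return {
        "leap": first >> 6,             # 3 = clock unsynchronised (alarm)
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,            # 4 = server reply
        "stratum": stratum,             # 0 = unspecified, 1-15 = valid
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }


def usable(reply: dict) -> bool:
    """True if a client would accept this reply as a time source."""
    return (reply["mode"] == 4 and reply["leap"] != 3
            and 1 <= reply["stratum"] <= 15 and reply["unix_time"] > 0)


def query(host: str, timeout: float = 2.0) -> dict:
    """Send one client-mode (3) NTPv4 request to host:123 and parse the reply."""
    request = bytes([(4 << 3) | 3]) + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        data, _ = s.recvfrom(512)
    return parse_reply(data)


def make_reply(leap: int, stratum: int, tx_sec: int) -> bytes:
    """Build a constructed 48-byte server reply for offline testing."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum]) + bytes(38)
    return header + struct.pack("!II", tx_sec, 0)


# Constructed samples: a server with no time source, and one using a local clock.
UNSYNCED = make_reply(3, 0, 3642928020)
LOCAL_CLOCK = make_reply(0, 11, 3642928020)
```

Running `usable(query("your.internal.server"))` from a client before and after the ntp.conf change shows whether the server has started advertising itself as synchronised.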

  • by ademg,

    ademg Jul 12, 2016 7:50 AM in response to John Lockwood
    Level 1 (16 points)
    Desktops

    Hi John,

     

    I want to apply the same method for my Mac with the El Capitan operating system but I got a message like this:

     

    sandboxd[127] ([565]): ntpd(565) deny file-read-data /dev/cu.usbserial

     

    Any advice will be so helpful

     

    Best regards,

     

    Adem

  • by John Lockwood,

    John Lockwood Jul 12, 2016 8:00 AM in response to ademg
    Level 6 (9,230 points)
    Servers Enterprise

    Hmm, /dev/cu.usbserial looks like an entry for a USB serial port to me. I know that ntpd can be configured to use an external GPS device connected via a serial and hence USB to serial connection but I did not think my two lines would have triggered that.

     

    I have not yet upgraded my OD server to El Capitan so I have not yet seen this myself.

  • by ademg,

    ademg Jul 12, 2016 8:13 AM in response to John Lockwood
    Level 1 (16 points)
    Desktops

    Hi John

     

    Thank you for ultrafast response.

     

    The ntpd daemon uses "/dev/gps0" for getting GPS data and I have a symbolic link to "/dev/cu.usbserial", but the big problem is that sandboxd (I am very new to the Mac operating system and my aim is to test the NTP performance of this OS) does not allow reading from the serial port. I googled about sandboxd but can't find a solution for it to allow any program. I thought that sandboxd is a kind of firewall program but it looks more powerful.

     

    Best regards

     

    Adem

  • by John Lockwood,

    John Lockwood Jul 12, 2016 8:36 AM in response to ademg
    Level 6 (9,230 points)
    Servers Enterprise

    Apple want apps to run in a 'sandbox' whereby an individual app cannot interfere with another app or the operating system; this prevents an app containing malware from being able to spread. See https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html

     

    I presume you created a hard symbolic link rather than a soft one?

     

    The fact you have an entry of /dev/cu.usbserial suggests you have a USB to serial adapter connected, what make and model? We can check it has an El Capitan compatible driver. You could also try using a serial port program to talk to it to see if it can communicate with the GPS device.

     

    See https://www.decisivetactics.com/products/serial/

    http://www.emtec.com/zoc/features.html

    There is even a built-in program you can run via Terminal.app called screen

     

    e.g.

     

    screen /dev/cu.usbserial 9600

  • by ademg,

    ademg Jul 12, 2016 1:09 PM in response to John Lockwood
    Level 1 (16 points)
    Desktops

    I use a Prolific-based USB to serial adapter and a u-blox GPS receiver. To monitor GPS activity I use minicom (compiled on Mac from source code) and everything is working perfectly. Using minicom I can connect to the "/dev/cu.usbserial" device and I can see GPS messages like GPRMC, GPZDA etc. After that I created soft symbolic links ("/dev/gps0" and "/dev/pps0") to "/dev/cu.usbserial". I also edited the "/etc/ntp.conf" file to communicate with the GPS receiver (server 127.127.20.0 for the /dev/gps0 device and server 127.127.22.0 for the /dev/pps0 device, since my next aim is to check the PPS performance of the Mac kernel). I am an NTP system developer at the National Metrology Institute of Turkey (UME) and normally we use FreeBSD to develop our own NTP server. The above configuration can run on a FreeBSD system without any problem.