OS X Server as NTP server

Apple used to provide an obvious option in Server Admin to enable an NTP time server; this option is not visible in Server.app.


However, supposedly one can edit /etc/ntp-restrict.conf and thereby enable the NTPd server. This does not appear to be working for me but I suspect this is because the server in question is on a network disconnected from the Internet and outside world. This is why I want to use the Mac as the NTP server because a normal Internet NTP server cannot be used.


Does anyone know of a way to get the built-in NTPd to run in this sort of situation? If not does anyone have a suggestion for an alternative NTP server program for a Mac?


The server is running Yosemite 10.10.3 and Server.app 4.1

Posted on Jun 4, 2015 9:59 AM

Question marked as Best reply

Posted on Jun 11, 2015 4:27 AM

Ok I finally managed to solve this. First a summary of the issue.


OS X - both client and server include the standard ntpd software which can act as an NTP time server. It is common practice on larger networks i.e. anything bigger than a home network to nominate an internal server as your internal NTP server and then have that NTP server sync itself to two or more external higher stratum NTP servers. As a reminder directory services like Open Directory and Active Directory or more specifically Kerberos require that all the clocks of the computers on the network be within five minutes accuracy of each other.


A lot of people will either just leave their client Macs pointing directly to Apple's free NTP servers, or may have gotten as far as setting up a Mac as an NTP server and then pointing their clients to it. I had been able to set up a Mac server as an NTP server internally on our main network and it in turn was syncing to Apple's NTP server. An example guide on how to set up a Mac as an internal NTP server is here: https://macmule.com/2013/12/15/how-to-use-osx-server-as-a-time-server/


The problem arose when I tried to do this on our other ultra-secure network which does not have an Internet connection at all. With no Internet connection the Mac server itself had no source to which it could sync; without a source to sync to, it would not allow any clients to sync to it. This is as far as I got before I posted this original query. The above article does not cope with this situation.


I have now managed to find the solution. In a similar situation some larger organisations solve this by connecting a GPS clock to the server and configuring that as the NTP source for their server. The ntpd server, by having this as a valid time source, is then happy to itself serve to client computers. I could have done this but it would have involved buying a GPS clock and all the hassle of trying to get that working with a Mac. I did however find that there is a way to define a local computer clock - literally something referred to as an LCL. See http://www.ntp.org/ntpfaq/NTP-s-refclk.htm


To cut a long story short, one needs to define a special local address for the Mac server to use its own clock as its own local clock source. This is done by adding the following two lines to /etc/ntp.conf on your server.


server 127.127.1.1

fudge 127.127.1.1 stratum 10


You then need to reload the ntpd process on the Mac server so it is forced to reread this preference file. I did this by force-quitting via Activity Monitor the ntpd process(es) but using the kill command or using launchctl are other methods.


Then all you need to do is point your client computers to your own internal NTP server.
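
A way to check from a client whether the server configured above is actually serving time or still reports itself as unsynchronized (added example, not part of the original posts). It decodes the leap indicator, stratum and reference ID from an NTP reply; the two sample packets are constructed, and the second assumes the server reports stratum 11 (one above the fudged 10) with 127.127.1.1 as its reference ID. The `query` helper is for use against your own internal server.

```python
import socket
import struct
from ipaddress import IPv4Address

# 48-byte NTP header: flags, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 8-byte timestamps.
NTP_HEADER = struct.Struct("!BBbbII4s8s8s8s8s")

def parse_reply(pkt: bytes) -> dict:
    """Decode the fields a client uses to accept or ignore a server."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, _, _, _, _, refid, *_ = NTP_HEADER.unpack_from(pkt)
    leap, mode = flags >> 6, flags & 7
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if stratum <= 1:
        # Stratum 0/1: reference ID is a 4-character ASCII code.
        source = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        # Stratum 2+: for IPv4 it is the address the server syncs to.
        source = str(IPv4Address(refid))
    return {
        # RFC 5905 maps wire stratum 0 (unsynchronized) to 16.
        "stratum": 16 if stratum == 0 else stratum,
        "source": source,
        "usable": leap != 3 and 1 <= stratum <= 15,
        "local_clock": source.startswith("127.127.1."),
    }

def query(host: str, timeout: float = 2.0) -> dict:
    """Send one client request (LI=0, VN=4, mode=3) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x23" + 47 * b"\0", (host, 123))
        return parse_reply(s.recv(512))

def sample(flags: int, stratum: int, refid: bytes) -> bytes:
    """Build a constructed reply; timestamps are zeroed placeholders."""
    return NTP_HEADER.pack(flags, stratum, 6, -20, 0, 0, refid, *[b"\0" * 8] * 4)

# Constructed packets: a server with no source, and one using 127.127.1.1.
UNSYNCED = sample(0xE4, 0, b"INIT")
LOCAL = sample(0x24, 11, bytes([127, 127, 1, 1]))

if __name__ == "__main__":
    for name, pkt in (("no source", UNSYNCED), ("local clock", LOCAL)):
        print(name, parse_reply(pkt))
```
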


Nov 23, 2017 10:03 AM in response to John Lockwood

Hi John,


I read your solution and I am having some difficulties. I have attempted to fudge the stratum to something other than 16 (I tried 8 and 10) but when I attempt an ntpdate -vd from the client, the output I get from ntpdate shows that the stratum is still 16 and then ignores the server. I am running 10.12.6 Sierra. Have you had success on Sierra?


Regards,

Steve

Nov 23, 2017 10:24 AM in response to video_newbie

My original purpose of doing this was to have an NTP server on Macs that had no Internet access. Therefore the Stratum level is irrelevant since the only available NTP servers are the Macs.


I point the Mac clients to one of the two Mac NTP servers in System Preferences and then on the Mac clients I can use the command


ntpd -q


to force them to sync to the Mac NTP server. I typically do this using Apple Remote Desktop Admin and sending the command to all the client Macs at the same time.


Note: Using ntpd -q is only done to force an immediate sync; they will otherwise sync as normal when booted etc. I use ntpd -q when I adjust the clocks on the two Mac NTP servers. Because they themselves cannot sync to a real clock they drift and if anything drift a lot faster than normal because each amplifies the other's drift. Since they are the OD servers, as long as they and all the clients are in sync the fact they are inaccurate is a lesser issue.

Jun 4, 2015 12:00 PM in response to Erich Wetzel

I have looked at similar articles to the one you link to and this is my source for the need to modify /etc/ntp-restrict.conf. However, /etc/hostconfig no longer exists with Yosemite and Server 4.1; Apple now exclusively use launchctl and I believe the appropriate one in this case is /System/Library/LaunchDaemons/org.ntp.ntpd.plist. If I try loading it, it says it is already loaded, and running Activity Monitor shows an ntpd process already running.


My suspicion is that if the ntpd process cannot communicate with a parent ntp server then it will not accept requests from ntp clients. Remember my server is not connected to the Internet.

Jul 12, 2016 8:00 AM in response to ademg

Hmm, /dev/cu.usbserial looks like an entry for a USB serial port to me. I know that ntpd can be configured to use an external GPS device connected via a serial and hence USB to serial connection but I did not think my two lines would have triggered that.


I have not yet upgraded my OD server to El Capitan so I have not yet seen this myself.

Jul 12, 2016 8:13 AM in response to John Lockwood

Hi John


Thank you for the ultrafast response.


The ntpd daemon uses "/dev/gps0" for getting GPS data and I have a symbolic link to "/dev/cu.usbserial", but the big problem is that sandboxd (I am very new to the Mac operating system and my aim is to test the ntp performance of this OS) does not allow reading from the serial port. I googled about sandboxd but can't find a solution for it to allow any program. I thought that sandboxd is a kind of firewall program but it looks like it is more powerful.


Best regards


Adem

Jul 12, 2016 8:36 AM in response to ademg

Apple want apps to run in a 'sandbox' whereby an individual app cannot interfere with another app or the operating system; this prevents an app containing malware from being able to spread. See https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html


I presume you created a hard symbolic link rather than a soft one?


The fact you have an entry of /dev/cu.usbserial suggests you have a USB to serial adapter connected, what make and model? We can check it has an El Capitan compatible driver. You could also try using a serial port program to talk to it to see if it can communicate with the GPS device.


See https://www.decisivetactics.com/products/serial/

http://www.emtec.com/zoc/features.html

There is even a built-in program you can run via Terminal.app called screen


e.g.


screen /dev/cu.usbserial 9600

Jul 12, 2016 1:09 PM in response to John Lockwood

I use a Prolific-based USB to serial adapter and a u-blox GPS receiver. To monitor GPS activity I use minicom (compiled on Mac from source code) and everything is working perfectly. Using minicom I can connect to the "/dev/cu.usbserial" device and I can see GPS messages like GPRMC, GPZDA etc. After that I created soft symbolic links ("/dev/gps0" and "/dev/pps0") to "/dev/cu.usbserial". I also edited the "/etc/ntp.conf" file to communicate with the GPS receiver (server 127.127.20.0 for the /dev/gps0 device and server 127.127.22.0 for the /dev/pps0 device, since my next aim is to check the pps performance of the Mac kernel). I am an ntp system developer at the National Metrology Institute of Turkey (UME) and normally we use FreeBSD to develop our own ntp server. The above configuration can run on a FreeBSD system without any problem.
