How To Install NTP Server and Client on Fedora 43

Time synchronization stands as one of the most critical components of any modern Linux infrastructure. Accurate system time ensures proper logging, authentication mechanisms, database integrity, and coordinated operations across distributed systems. Without synchronized clocks, applications can malfunction, security certificates may fail, and troubleshooting becomes nearly impossible.

Fedora 43 uses Chrony as its default Network Time Protocol (NTP) implementation, replacing the older ntpd daemon. Chrony offers superior performance, faster synchronization, and better handling of intermittent network connections—making it ideal for both servers and desktop environments. This comprehensive guide walks through installing and configuring both NTP server and client setups on Fedora 43, complete with troubleshooting tips and best practices for production deployments.

Understanding NTP and Chrony in Fedora 43

What is NTP (Network Time Protocol)?

Network Time Protocol synchronizes computer clocks across networks with remarkable precision. NTP operates using a hierarchical structure called stratum levels, where each level represents the distance from an authoritative time source. Stratum 0 devices connect directly to atomic clocks or GPS receivers, serving as the ultimate time reference. Stratum 1 servers synchronize directly with Stratum 0 devices and distribute accurate time to Stratum 2 servers, which then serve client systems.

The protocol uses UDP port 123 for communication. Each additional stratum level introduces network delay, slightly reducing accuracy. Most internet-connected systems operate at Stratum 2 or higher, receiving time from publicly available NTP servers operated by organizations like NIST, universities, and technology companies.

Why Chrony Over Traditional NTP?

Chrony delivers significant advantages over the traditional ntpd implementation. The chronyd daemon synchronizes system clocks faster, particularly beneficial for laptops and systems with intermittent network connectivity. Chrony compensates effectively for fluctuating clock frequencies and adjusts automatically for network delays and latency variations.

Unlike ntpd, Chrony never steps the clock after initial synchronization, ensuring stable time intervals crucial for applications monitoring system performance or measuring durations. Resource consumption remains minimal, making Chrony suitable even for resource-constrained environments. Fedora adopted Chrony as the default time synchronization solution specifically for these performance and reliability benefits.

Modern Chrony versions support Network Time Security (NTS), providing encrypted and authenticated time synchronization to prevent man-in-the-middle attacks on time data.

Prerequisites and Requirements

Before proceeding with NTP server or client configuration, ensure the following requirements are met. A running Fedora 43 installation serves as the foundation, whether deployed as a server or workstation. Root or sudo privileges enable system-level configuration changes and service management. Active internet connectivity facilitates initial time synchronization with upstream servers.

Basic command-line proficiency helps navigate terminal operations and text editors. Firewall configuration knowledge assists with opening necessary ports for server deployments. While Chrony operates efficiently on minimal hardware, NTP servers benefit from stable network connections and ideally static IP addresses for client configuration simplicity.

Installing Chrony on Fedora 43

Check Current Installation Status

Most Fedora 43 installations include Chrony by default. Verify the current installation status before proceeding. Execute the following command to check if the Chrony package exists on your system:

rpm -qa | grep chrony

This command queries installed packages for Chrony. If installed, the output displays the package name and version number. Next, verify whether the chronyd service is running:

systemctl status chronyd

The status command reveals whether the service is active, enabled at boot, and displays recent log entries. Green text indicating “active (running)” confirms proper operation.

Install Chrony Package

If Chrony is not installed, add it using Fedora’s DNF package manager. The installation process downloads necessary files and dependencies automatically. Execute this command with sudo privileges:

sudo dnf install chrony -y

The -y flag automatically confirms the installation without prompting for user input. DNF resolves dependencies, downloads the package, and installs the chronyd daemon and chronyc command-line utility. Installation typically completes within seconds on systems with adequate internet bandwidth.

Verify successful installation by checking the installed version:

chronyc --version

Enable and Start Chrony Service

After installation, enable the chronyd service to start automatically at system boot. This ensures time synchronization begins immediately when the system starts. Enable the service with:

sudo systemctl enable chronyd

Start the service immediately without rebooting:

sudo systemctl start chronyd

Confirm the service is running properly:

sudo systemctl status chronyd

The output should indicate “active (running)” status with recent log entries showing time source connections. If the service fails to start, check the system journal for error messages using journalctl -u chronyd.

Configuring NTP Server on Fedora 43

Understanding the Configuration File

Chrony’s main configuration file resides at /etc/chrony.conf. This file controls all aspects of chronyd behavior, including time sources, access control, logging, and synchronization parameters. Before making modifications, create a backup of the original configuration:

sudo cp /etc/chrony.conf /etc/chrony.conf.backup

Backups enable quick restoration if configuration errors occur. The configuration file uses a straightforward syntax with one directive per line. Comments begin with #, ;, !, or % characters.

Configure Time Sources for the Server

NTP servers require reliable upstream time sources for accurate synchronization. Edit the configuration file using your preferred text editor:

sudo nano /etc/chrony.conf

Or use vi if preferred:

sudo vi /etc/chrony.conf

Locate the default pool directive, typically pool 2.fedora.pool.ntp.org iburst. Comment this line by adding a # at the beginning. Replace it with multiple reliable NTP servers for redundancy:

# pool 2.fedora.pool.ntp.org iburst
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

The iburst option sends multiple synchronization requests during initial connection, enabling faster initial synchronization. Using multiple servers (typically 3-4) provides redundancy if one source becomes unavailable.

Regional NTP pools often deliver better performance due to lower network latency. For North American servers, consider using us.pool.ntp.org. European servers benefit from europe.pool.ntp.org.

Configure Access Control

NTP servers require access control directives to permit client connections while preventing unauthorized access. Add allow directives specifying which networks can synchronize with your server. Add these lines to the configuration file:

allow 192.168.1.0/24
allow 10.0.0.0/8

Replace the IP ranges with your actual network addresses. The CIDR notation (/24, /8) specifies the network mask. Multiple allow directives accommodate different subnets.

Security best practices dictate restricting access to trusted networks only. Overly permissive allow directives (like allow all) expose your server to potential abuse in amplification attacks.

Additional Server Configuration Options

Configure the local stratum for fallback operation when upstream sources become unavailable. Add this directive:

local stratum 10

Stratum 10 indicates this server should only be used when no better sources exist. The drift file tracks clock frequency variations for improved accuracy:

driftfile /var/lib/chrony/drift

This file is typically configured by default. Configure logging for troubleshooting purposes:

logdir /var/log/chrony

The makestep directive allows chronyd to step the clock if the initial offset exceeds a threshold. This prevents slow convergence when system time is significantly incorrect:

makestep 1.0 3

This configuration steps the clock if offset exceeds 1 second, but only during the first three clock updates.

Save and Apply Configuration

After making all necessary changes, save the configuration file. In nano, press Ctrl+X, then Y, then Enter. In vi, press Esc, type :wq, and press Enter.

Restart the chronyd service to apply changes:

sudo systemctl restart chronyd

Verify the service restarted successfully:

sudo systemctl status chronyd

Check for configuration errors in the system journal:

sudo journalctl -u chronyd -n 50

This command displays the last 50 log entries for the chronyd service. Look for error messages indicating syntax problems or connectivity issues.

Configuring Firewall for NTP Server

Understanding NTP Firewall Requirements

NTP servers must accept incoming connections on UDP port 123. Without proper firewall configuration, clients cannot reach your NTP server even with correct chrony.conf settings. Network Time Security (NTS) additionally requires TCP port 4460 if implementing encrypted time synchronization.

Configure Firewalld (Fedora Default)

Fedora 43 uses firewalld as its default firewall management system. First, verify firewalld is running:

sudo firewall-cmd --state

The output should display “running”. Add the NTP service to the firewall configuration:

sudo firewall-cmd --permanent --add-service=ntp

The --permanent flag makes the rule persistent across reboots. Alternatively, specify the port directly:

sudo firewall-cmd --permanent --add-port=123/udp

Reload the firewall to activate new rules:

sudo firewall-cmd --reload

Verify Firewall Configuration

Confirm the NTP service appears in active rules:

sudo firewall-cmd --list-all

The output displays all active firewall rules including services and ports. Look for “ntp” in the services list or “123/udp” in the ports list. Test connectivity from a client machine to verify the firewall permits NTP traffic.

Configuring NTP Client on Fedora 43

Install Chrony on Client

Client systems require Chrony installation following the same procedure as servers. If not already installed, execute:

sudo dnf install chrony -y

Enable the service for automatic startup:

sudo systemctl enable chronyd

Configure Client to Use Specific NTP Server

Client configuration involves editing /etc/chrony.conf to specify time sources. Open the configuration file:

sudo nano /etc/chrony.conf

Comment out default pool servers and add your internal NTP server:

# pool 2.fedora.pool.ntp.org iburst
server 192.168.1.100 iburst

Replace 192.168.1.100 with your NTP server’s IP address. Using specific server directives instead of pool directives ensures clients synchronize with your internal server.

For redundancy, configure multiple time sources including backup public servers:

server 192.168.1.100 iburst prefer
server 192.168.1.101 iburst
server time.cloudflare.com iburst
server time.google.com iburst

The prefer option prioritizes the specified server.

Configure Client-Specific Options

Client configurations benefit from specific directives optimizing synchronization behavior. The makestep directive permits stepping the clock during initial synchronization:

makestep 1.0 3

Configure the drift file location:

driftfile /var/lib/chrony/drift

For laptops or systems with intermittent connectivity, retain the rtcsync directive enabling hardware clock synchronization:

rtcsync

Alternative: Use Public NTP Pool

Clients without access to internal NTP servers can use public pool servers. Fedora’s default configuration uses 2.fedora.pool.ntp.org. Regional pools often provide better performance:

pool us.pool.ntp.org iburst
pool europe.pool.ntp.org iburst

Alternative reliable public NTP services include:

server time.cloudflare.com iburst
server time.google.com iburst
server time.facebook.com iburst

Public servers work well for desktop systems and servers without strict time accuracy requirements.

Apply Client Configuration

Save configuration changes and restart the chronyd service:

sudo systemctl restart chronyd

Verify the service started successfully:

sudo systemctl status chronyd

Verifying NTP Synchronization

Using Chronyc Tracking Command

The chronyc tracking command displays current synchronization status. Execute:

chronyc tracking

Key output fields include Reference ID (current time source), Stratum (distance from reference clock), System time offset (current time difference), and Leap status (indicating leap second handling). Positive system time indicates the local clock runs ahead of the reference; negative values indicate it runs behind.

Root delay and root dispersion measure total network path delay and estimated time accuracy. Lower values indicate better synchronization quality.

Checking Time Sources

View all configured time sources and their status:

chronyc sources

For detailed information, add the verbose flag:

chronyc sources -v

Source indicators reveal selection status:

  • * indicates the currently selected synchronization source
  • + marks acceptable alternative sources
  • - indicates excluded sources
  • ? signals connectivity problems or unreachable sources

The Reach column displays an octal value representing the last eight connection attempts. A value of 377 (binary 11111111) indicates perfect connectivity.
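The state flags and the Reach register can be read mechanically. The following is an added example, not part of the original tutorial: a POSIX shell function that decodes Reach into its eight poll bits for every row of chronyc sources output. The sample rows (including time.example.net) are constructed, and the function name and verdict labels are assumptions of this example.

```bash
#!/bin/sh
# reach_report: read `chronyc sources` output on stdin and print, per source:
#   name  state-flag  poll-bits  successes/8  verdict
reach_report() {
    awk '
    # Source rows begin with a two-character field: a mode character
    # (^ server, = peer, # reference clock) followed by the state flag.
    length($1) == 2 && $1 ~ /^[=#^]/ {
        state = substr($1, 2, 1)
        reach = $5
        # Convert the octal Reach value to a number, digit by digit.
        val = 0
        for (i = 1; i <= length(reach); i++)
            val = val * 8 + substr(reach, i, 1)
        # Expand to eight bits; the rightmost bit is the most recent poll.
        bits = ""; ok = 0
        for (i = 7; i >= 0; i--) {
            b = int(val / 2 ^ i) % 2
            bits = bits b
            ok += b
        }
        # A source that was added recently also shows fewer than eight
        # successes until it has been polled eight times.
        verdict = "ok"
        if (state == "?" || ok == 0) verdict = "unreachable"
        else if (ok < 8) verdict = "degraded"
        print $2, state, bits, ok "/8", verdict
    }'
}

# Constructed sample in the layout printed by `chronyc sources`.
sample_sources() {
    cat <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.1.100                 2   6   377    23   -123us[ -150us] +/-   12ms
^+ 192.168.1.101                 2   6   375    25   +310us[ +298us] +/-   15ms
^? time.example.net              0   7     0     -     +0ns[   +0ns] +/-    0ns
EOF
}

sample_sources | reach_report
```

On a live system, run `chronyc sources | reach_report`. A Reach of 375 decodes to 11111101, meaning the poll before the most recent one went unanswered.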

Source Statistics

Detailed statistical information helps assess synchronization quality:

chronyc sourcestats

This command displays frequency offset, standard deviation, and residual values for each configured source. Lower standard deviation values indicate more consistent time source behavior.

Using Timedatectl

The timedatectl command provides system-wide time synchronization status. Execute:

timedatectl status

Look for “System clock synchronized: yes” confirming successful synchronization. The output also displays current time, timezone, and whether NTP service is active. This command works regardless of the underlying time synchronization implementation (chrony or systemd-timesyncd).

Checking Client-Server Connectivity

On NTP servers, monitor connected clients:

sudo chronyc clients

This command displays IP addresses of systems currently synchronizing with your server. View current synchronization activity:

chronyc activity

Monitoring Logs

System logs provide detailed chronyd operational information:

sudo journalctl -u chronyd -n 50

This displays the last 50 chronyd log entries. Follow logs in real-time during troubleshooting:

sudo journalctl -u chronyd -f

Press Ctrl+C to stop following logs.

Troubleshooting Common Issues

Chrony Service Not Starting

Service startup failures typically result from configuration syntax errors or missing dependencies. Check service status for error messages:

systemctl status chronyd

Review detailed error information:

sudo journalctl -xe | grep chronyd

Common causes include typos in /etc/chrony.conf, incorrect file permissions, or SELinux policy violations. Verify configuration file syntax and correct any errors.

Time Not Synchronizing

Synchronization failures often stem from network connectivity issues, firewall blockages, or incorrect server configuration. Verify configured sources are reachable:

chronyc sources

Sources showing ? in the first column indicate connectivity problems. Test basic network connectivity:

ping 0.pool.ntp.org

On servers, verify the firewall permits UDP port 123. On clients, ensure the specified NTP server address is correct and reachable.

“No Suitable Source” Error

This error indicates chronyd cannot reach any configured time sources. Verify DNS resolution for hostname-based server entries:

nslookup pool.ntp.org

If DNS resolution fails, use IP addresses instead of hostnames in chrony.conf. Check network routing between client and server. Verify the NTP server is actually running chronyd.

Clock Offset Too Large

Large time offsets may prevent synchronization depending on makestep configuration. Manually step the clock:

sudo chronyc makestep

Adjust the makestep threshold in /etc/chrony.conf to permit larger automatic corrections:

makestep 10.0 3

This allows stepping the clock if offset exceeds 10 seconds during the first three updates.

Firewall Blocking NTP Traffic

Firewall misconfigurations prevent client-server communication. Verify active firewall rules:

sudo firewall-cmd --list-all

Test port connectivity from clients:

nc -vuz server-ip-address 123

If firewall rules appear correct but connectivity fails, check SELinux status:

getenforce

Temporarily set SELinux to permissive mode for testing:

sudo setenforce 0

If this resolves the issue, configure appropriate SELinux policies rather than permanently disabling SELinux.

Permission Denied Errors

File permission problems prevent chronyd from accessing configuration or drift files. Verify chrony.conf permissions:

ls -l /etc/chrony.conf

Correct permissions if necessary:

sudo chmod 644 /etc/chrony.conf

Ensure the chronyd user can access the drift file directory:

sudo chown -R chrony:chrony /var/lib/chrony

Best Practices and Security Considerations

NTP Server Best Practices

Reliable NTP servers use multiple upstream time sources (minimum 3-4) for redundancy and improved accuracy. Select geographically close servers to minimize network latency. Mix different stratum levels—using both Stratum 1 and Stratum 2 servers provides diversity.

Regular monitoring detects synchronization problems before they impact dependent systems. Keep Chrony updated with current security patches:

sudo dnf update chrony

Access Control Best Practices

Restrict client access to trusted networks only. Use specific IP ranges rather than permissive allow directives. Document allowed networks in configuration file comments for future reference:

# Allow main office network
allow 192.168.1.0/24
# Allow branch office network
allow 10.10.0.0/16

Regularly audit connected clients to detect unauthorized access attempts:

sudo chronyc clients
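The access-control advice here and in the server configuration section can be enforced with a small check run before each chronyd restart. The following is an added example, not part of the original tutorial: a POSIX shell function that reads a chrony.conf and reports allow directives that admit every address or an unusually large IPv4 range, and notes when clients are served without chrony's ratelimit directive. The MIN_PREFIX threshold (default 16), the finding labels and the sample configuration are assumptions of this example; deny directives and IPv6 prefix sizes are not evaluated.

```bash
#!/bin/sh
# audit_allow: read a chrony.conf on stdin, print one finding per line,
# and return 1 if anything was found, 0 if the access rules look tight.
# MIN_PREFIX is a threshold chosen for this example, not a chrony setting.
audit_allow() {
    awk -v minlen="${MIN_PREFIX:-16}" '
    # Skip blank lines and comment lines (#, ;, ! or % as first character).
    NF == 0 || $1 ~ /^[#;!%]/ { next }
    $1 == "ratelimit" { ratelimit = 1 }
    $1 == "allow" {
        serving = 1
        # Syntax is "allow [all] [subnet]"; the subnet, if any, is last.
        subnet = (NF > 1 && $NF != "all") ? $NF : ""
        n = split(subnet, part, "/")
        if (subnet == "" || (n == 2 && part[2] + 0 == 0)) {
            # No subnet, or a /0 prefix: every address may query.
            print "OPEN line " NR ": " $0
            bad++
        } else if (subnet !~ /:/ && n == 2 && part[2] + 0 < minlen) {
            # IPv4 range larger than the review threshold.
            print "BROAD line " NR ": " $0
            bad++
        }
    }
    END {
        if (serving && !ratelimit) {
            print "NORATELIMIT: clients are served without a ratelimit directive"
            bad++
        }
        exit (bad > 0)
    }'
}

# Constructed sample configuration, based on the directives in this guide.
sample_conf() {
    cat <<'EOF'
# constructed sample
pool 2.fedora.pool.ntp.org iburst
allow 192.168.1.0/24
allow 10.0.0.0/8
allow all
EOF
}

sample_conf | audit_allow || echo "review the findings above before restarting chronyd"
```

On a server, run `audit_allow < /etc/chrony.conf`. The BROAD finding is a prompt to confirm that the whole range really contains clients, not an error in itself.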

Security Hardening

Modern security practices include implementing Network Time Security (NTS) for encrypted time synchronization. Configure NTS-enabled public servers:

server time.cloudflare.com iburst nts
server nts.ntp.se iburst nts

Enable NTS certificate storage in chrony.conf:

ntsdumpdir /var/lib/chrony

NTS prevents man-in-the-middle attacks on time data, critical for security-sensitive environments. Rate limiting prevents abuse and amplification attacks. Disable unnecessary features to reduce attack surface.

Monitoring and Maintenance

Implement automated monitoring of time drift and synchronization status. Create alerts for synchronization failures or excessive clock offset. Establish regular log review schedules to identify potential problems early:

sudo journalctl -u chronyd --since "1 week ago"

Always backup configuration files before making changes. Test configuration modifications in non-production environments first. Document all customizations for future reference and troubleshooting.
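One way to automate the synchronization and offset alerts described above, as an added example that is not part of the original tutorial: a POSIX shell function that reads chronyc tracking output and returns a monitoring-style exit code (0 OK, 1 warning, 2 critical). The MAX_OFFSET and FALLBACK_STRATUM thresholds, the message wording and the sample output are assumptions of this example; the stratum check matches the local stratum 10 fallback configured earlier in this guide.

```bash
#!/bin/sh
# check_tracking: read `chronyc tracking` output on stdin.
# Exit 0 = synchronised, 1 = running on the local fallback clock,
# 2 = not synchronised, no data, or offset above MAX_OFFSET seconds.
check_tracking() {
    awk -F ' *: ' -v maxoff="${MAX_OFFSET:-0.1}" \
        -v fallback="${FALLBACK_STRATUM:-10}" '
    $1 == "Stratum"     { stratum = $2 + 0 }
    # The value is a magnitude followed by "seconds fast/slow of NTP time".
    $1 == "System time" { offset = $2 + 0 }
    $1 == "Leap status" { leap = $2 }
    END {
        if (leap == "") { print "CRIT no tracking data"; exit 2 }
        if (leap == "Not synchronised") {
            print "CRIT clock not synchronised"; exit 2
        }
        if (offset > maxoff) {
            printf "CRIT offset %.6fs exceeds %ss\n", offset, maxoff; exit 2
        }
        if (stratum >= fallback) {
            print "WARN stratum " stratum ": serving time from the local clock"
            exit 1
        }
        printf "OK stratum %d offset %.6fs\n", stratum, offset
    }'
}

# Constructed sample in the layout printed by `chronyc tracking`.
# $1 = stratum, $2 = offset in seconds, $3 = leap status
sample_tracking() {
    cat <<EOF
Reference ID    : C0A80164 (192.168.1.100)
Stratum         : $1
Ref time (UTC)  : Thu Jan 01 00:00:00 2026
System time     : $2 seconds slow of NTP time
Last offset     : -0.000006747 seconds
Root delay      : 0.013639022 seconds
Root dispersion : 0.001100737 seconds
Leap status     : $3
EOF
}

sample_tracking 3 0.000006523 Normal | check_tracking
```

On a live host, run `chronyc tracking | check_tracking` from a systemd timer or cron job and alert on a non-zero exit code.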

Congratulations! You have successfully installed NTP. Thanks for using this tutorial to install NTP (Network Time Protocol) on a Fedora 43 Linux system. For additional help or useful information, we recommend you check the official NTP website.

r00t
