How To Install NTP Server and Client on Manjaro
Time synchronization is one of those critical yet often overlooked aspects of Linux system administration. When your Manjaro system’s clock drifts even by a few seconds, it can cause cascading problems: authentication failures, corrupted logs, failed scheduled tasks, and database inconsistencies. The Network Time Protocol (NTP) solves this challenge by keeping your system clock accurate within milliseconds of Coordinated Universal Time (UTC). Whether you’re running a home server, managing enterprise infrastructure, or developing distributed applications, implementing proper time synchronization is essential. This comprehensive guide will walk through installing and configuring both NTP server and client on Manjaro Linux, covering everything from basic setup to advanced security configurations and troubleshooting techniques.
Understanding Network Time Protocol (NTP)
What is NTP and How It Works
Network Time Protocol represents one of the oldest Internet protocols still in widespread use today, designed specifically to synchronize computer clocks across networks. NTP operates using a hierarchical system of time sources, each level called a “stratum”. At the top of this hierarchy sit Stratum 0 devices—atomic clocks, GPS receivers, and other highly precise time sources. Stratum 1 servers connect directly to these devices, while Stratum 2 servers synchronize from Stratum 1, and so on.
The protocol uses UDP port 123 for both server and client communications, employing sophisticated algorithms to account for network latency and jitter. When your NTP client queries a server, it sends timestamps and receives responses that allow it to calculate the time offset and network delay. Through multiple polling cycles, NTP continuously adjusts your system clock, maintaining accuracy typically within 1-50 milliseconds on local networks. The beauty of NTP lies in its ability to gradually slew the clock rather than making abrupt jumps, preventing disruption to running applications and services.
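The offset and delay calculation described above, as an added example that is not part of the original guide. The packet is a constructed 48-byte reply and the helper names (build_reply, parse_reply, demo) are hypothetical; the arithmetic is the standard four-timestamp calculation, where T1 and T4 are read from the local clock and T2 and T3 from the server's.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def to_ntp(unix_time):
    """Encode Unix time as an NTP timestamp: (32-bit seconds, 32-bit fraction)."""
    seconds = int(unix_time)
    return seconds + NTP_UNIX_DELTA, int((unix_time - seconds) * 2**32)


def from_ntp(seconds, fraction):
    """Decode an NTP timestamp back to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def build_reply(stratum, t1, t2, t3):
    """Constructed 48-byte server reply (LI=0, VN=4, mode=4) so this runs offline."""
    # Fields: LI/VN/mode, stratum, poll, precision, root delay, root dispersion, refid
    header = struct.pack("!BBbbII4s", (4 << 3) | 4, stratum, 6, -20, 0, 0,
                         bytes([203, 0, 113, 5]))
    # Four timestamps: reference, origin (T1 echoed), receive (T2), transmit (T3)
    return header + struct.pack("!8I", *to_ntp(t2), *to_ntp(t1),
                                *to_ntp(t2), *to_ntp(t3))


def parse_reply(packet, t4):
    """Return stratum, offset and delay (seconds) for a reply received at local time t4."""
    if len(packet) < 48:
        raise ValueError("NTP packet is shorter than 48 bytes")
    first_byte, stratum = struct.unpack("!BB", packet[:2])
    if first_byte & 0x7 != 4:
        raise ValueError("not a server reply (mode 4)")
    if stratum == 0 or stratum >= 16:
        raise ValueError(f"stratum {stratum}: unsynchronised server or kiss code")
    w = struct.unpack("!8I", packet[16:48])
    t1, t2, t3 = from_ntp(w[2], w[3]), from_ntp(w[4], w[5]), from_ntp(w[6], w[7])
    return {
        "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # positive: local clock is behind
        "delay": (t4 - t1) - (t3 - t2),         # round trip minus server processing
    }


def demo():
    # Constructed exchange: local clock 250 ms slow, 20 ms each way, 1 ms on the server.
    t1, t2, t3, t4 = 1700000000.000, 1700000000.270, 1700000000.271, 1700000000.041
    return parse_reply(build_reply(2, t1, t2, t3), t4)


if __name__ == "__main__":
    print(demo())
```

The two one-way delays are assumed equal; any asymmetry between them shows up as an error in the computed offset.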
NTP vs Chrony vs systemd-timesyncd on Manjaro
Manjaro users face three primary options for time synchronization, each with distinct advantages. Understanding these differences helps in selecting the right tool for specific requirements.
The systemd-timesyncd service comes preinstalled as Manjaro’s default time synchronization solution. This lightweight Simple Network Time Protocol (SNTP) client provides basic functionality adequate for desktop systems and workstations. It consumes minimal system resources and integrates seamlessly with systemd. However, systemd-timesyncd only functions as a client—it cannot serve time to other systems—and lacks advanced features like hardware clock support or sophisticated clock management.
Chrony represents a modern, versatile NTP implementation specifically designed for systems with intermittent network connectivity. It excels in environments where computers roam between networks, experience frequent shutdowns, or operate with unreliable Internet connections. Chrony synchronizes faster than traditional NTP, typically within seconds rather than minutes. The chronyc command-line tool provides robust monitoring and management capabilities. Chrony can function as both client and server, making it ideal for laptops, mobile workstations, and modern cloud environments.
Traditional NTP daemon (ntpd) offers the most comprehensive and time-tested solution for enterprise deployments. It provides extensive configuration options, supports serving multiple clients simultaneously, implements advanced authentication mechanisms, and handles complex network topologies. For dedicated time servers, data centers, or environments requiring strict RFC compliance, ntpd remains the gold standard.
Prerequisites and System Requirements
Before beginning the installation process, ensure your Manjaro system meets several essential requirements. First, update your system to the latest package versions using the following command:
sudo pacman -Syu
This command synchronizes package databases and upgrades all installed packages, preventing potential conflicts. You’ll need root or sudo privileges to install packages and modify system configuration files. A stable Internet connection is necessary for downloading NTP packages and synchronizing with upstream time servers.
Check your current time synchronization status by running:
timedatectl
This command displays your system’s current time settings, timezone configuration, and whether network time synchronization is active. Note the status of “System clock synchronized” and “NTP service”. Since Manjaro uses systemd-timesyncd by default, you’ll need to disable it before installing traditional NTP to avoid service conflicts.
Verify which time synchronization service is currently active:
systemctl status systemd-timesyncd.service
Basic familiarity with command-line operations, text editing (using nano, vim, or other editors), and Linux file permissions is helpful but not absolutely required—this guide provides detailed instructions for each step.
Installing NTP Client on Manjaro
Installing the NTP Package
The NTP package is available in Manjaro’s official repositories through the pacman package manager. Install it with a single command:
sudo pacman -S ntp
Pacman will display package information including size and dependencies. Press ‘Y’ to confirm the installation. The package includes the NTP daemon (ntpd), configuration files, and client utilities like ntpq and ntpdate. The installation typically completes within seconds on modern systems.
Disabling systemd-timesyncd
Since Manjaro ships with systemd-timesyncd enabled by default, you must disable it to prevent conflicts with the NTP daemon. Both services attempt to control the system clock, and running them simultaneously causes synchronization failures and unpredictable behavior.
First, check the current status:
systemctl status systemd-timesyncd.service
If the service shows as “active (running)”, disable network time protocol through timedatectl:
sudo timedatectl set-ntp false
This command disables systemd-timesyncd and stops it from starting at boot. Verify the change:
systemctl status systemd-timesyncd.service
The output should show “inactive (dead)”. Some users prefer explicitly stopping and disabling the service:
sudo systemctl stop systemd-timesyncd.service
sudo systemctl disable systemd-timesyncd.service
Basic NTP Client Configuration
The main NTP configuration file resides at /etc/ntp.conf. This file controls all aspects of NTP behavior, including which servers to synchronize with, access restrictions, and logging options. Open the file with your preferred text editor:
sudo nano /etc/ntp.conf
The default configuration includes several commented lines and basic server entries. For optimal performance, configure NTP servers geographically close to your location. The NTP Pool Project (pool.ntp.org) provides a large cluster of time servers distributed worldwide.
Replace or add server entries appropriate for your region. For Asia-Pacific users:
server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst
For European users:
server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst
The iburst option sends a burst of packets during initial synchronization, significantly reducing the time required to achieve accurate time. Without iburst, NTP might take 15-20 minutes to synchronize; with it, synchronization typically occurs within minutes.
Additional useful configuration directives include:
# Drift file location
driftfile /var/lib/ntp/ntp.drift
# Log file location
logfile /var/log/ntp.log
# Restrict default access
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Allow localhost full access
restrict 127.0.0.1
restrict ::1
The drift file records your system clock’s frequency error, helping NTP maintain accuracy even between synchronization intervals. Save the configuration file and exit the editor (Ctrl+X, then Y, then Enter in nano).
Starting and Enabling NTP Client Service
With configuration complete, start the NTP daemon:
sudo systemctl start ntpd
No output indicates successful startup. Enable automatic startup at boot time:
sudo systemctl enable ntpd
This command creates symbolic links ensuring ntpd starts automatically whenever the system boots. Verify the service status:
systemctl status ntpd
A successful configuration shows “active (running)” in green text, along with recent log entries indicating the daemon has started and begun synchronizing with configured servers.
Verifying NTP Client Synchronization
Proper verification ensures your NTP configuration works correctly before relying on it for critical operations. The ntpq utility provides detailed information about NTP peer status.
Query configured NTP peers:
ntpq -p
This command displays a table with columns showing:
- remote: Server hostname or IP address
- refid: Reference ID (upstream time source the server uses)
- st: Stratum level (lower numbers indicate closer to authoritative time sources)
- t: Type of peer (u = unicast, b = broadcast, etc.)
- when: Time since last response (seconds)
- poll: Polling interval (seconds)
- reach: Reachability register (octal representation of last 8 polling attempts)
- delay: Round-trip delay to peer (milliseconds)
- offset: Time difference between local clock and peer (milliseconds)
- jitter: Variation in delay (milliseconds)
Status symbols in the first column indicate peer status:
- *: Current synchronization source (system peer)
- +: Acceptable peer, considered for synchronization
- -: Acceptable peer, excluded by clustering algorithm
- x: False ticker (disagreement with other sources)
- ~: Peer selected for combining
- #: Good peer but not selected
- blank: Peer rejected for various reasons
Initially, all peers may show blank status as NTP evaluates their reliability. Wait 5-10 minutes, then rerun ntpq -p. You should see an asterisk (*) next to one server, indicating successful synchronization.
Alternative verification methods include:
timedatectl
This shows overall system time status. Look for “System clock synchronized: yes” and “NTP service: active”.
For quick synchronization status:
ntpstat
This command returns either “synchronized” with offset and polling interval information, or “unsynchronised” if NTP hasn’t locked onto a time source yet.
Common issues during initial synchronization include “INIT” status or “(INIT)” appearing in the when column. This simply means NTP hasn’t completed its first polling cycle yet—give it a few more minutes. If servers show “x” status, they’re being rejected due to time disagreement with other sources; this usually resolves automatically as NTP evaluates multiple sources.
Installing NTP Server on Manjaro
NTP Server Installation Steps
Installing NTP server capabilities uses the same package as the client. If you’ve already installed the ntp package following the client instructions above, you’re ready to proceed with server configuration. If not, install it now:
sudo pacman -S ntp
The distinction between NTP client and server lies entirely in configuration—the same daemon software handles both roles.
Configuring NTP Server
Server configuration requires more detailed attention to access control and upstream time sources. Edit the NTP configuration file:
sudo nano /etc/ntp.conf
Configure upstream servers from which your server will synchronize. Use lower-stratum, reliable sources:
# Upstream time servers (will be Stratum 2 sources)
server 0.manjaro.pool.ntp.org iburst
server 1.manjaro.pool.ntp.org iburst
server 2.manjaro.pool.ntp.org iburst
server 3.manjaro.pool.ntp.org iburst
Implement access restrictions to control which clients can query your server. The restrict directive provides fine-grained access control:
# Default policy: serve time, but deny configuration changes, traps, peering and status queries
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Allow localhost full access
restrict 127.0.0.1
restrict ::1
# Allow local network clients to synchronize
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
Understanding restrict flags:
- kod: Send “Kiss-o’-Death” packets to reduce unwanted traffic
- nomodify: Deny attempts to modify server configuration
- notrap: Disable trap service (remote logging)
- nopeer: Deny peer associations
- noquery: Deny status queries
- noserve: Deny all packets except queries
The configuration above allows clients on the 192.168.1.0/24 network to synchronize time but prevents them from modifying server settings or establishing peer relationships. Adjust the network address and subnet mask to match your local network topology.
For environments requiring broadcast time distribution:
# Broadcast on local network
broadcast 192.168.1.255
Save the configuration file and exit the editor.
Firewall Configuration for NTP Server
Opening firewall ports is essential for allowing clients to access your NTP server. NTP uses UDP port 123 for all communications.
If using firewalld (common on some Manjaro installations):
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload
The first command adds NTP as a permanent allowed service; the second applies the changes.
For ufw (Uncomplicated Firewall):
sudo ufw allow 123/udp
sudo ufw reload
If using iptables directly:
sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
Security considerations: expose NTP servers only to trusted networks when possible. NTP amplification attacks exploit publicly accessible NTP servers to overwhelm targets with traffic. Implement rate limiting if exposing your server to the Internet:
sudo iptables -A INPUT -p udp --dport 123 -m limit --limit 10/minute -j ACCEPT
sudo iptables -A INPUT -p udp --dport 123 -j DROP  # packets over the limit are dropped here
Starting NTP Server Service
Start the NTP daemon:
sudo systemctl start ntpd
Enable automatic startup:
sudo systemctl enable ntpd
Verify the service is running:
systemctl status ntpd
Confirm the daemon is listening on UDP port 123:
sudo ss -tulpn | grep :123
This should show output indicating ntpd is bound to port 123 on relevant interfaces. If using netstat instead:
sudo netstat -tulpn | grep :123
Configuring NTP Clients to Use Local NTP Server
Once your Manjaro NTP server is operational, configure client systems to utilize it for time synchronization.
On each client system, edit /etc/ntp.conf:
sudo nano /etc/ntp.conf
Add your local NTP server address, using the prefer keyword to prioritize it:
# Local NTP server (preferred)
server 192.168.1.100 prefer iburst
# Fallback public servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
The prefer keyword tells NTP to favor this server when multiple sources are available. Include fallback public servers to maintain synchronization if your local server becomes unavailable—this ensures resilience.
For easier management, add an entry to /etc/hosts:
sudo nano /etc/hosts
Add a line:
192.168.1.100 timeserver.local
Now reference the server by hostname in ntp.conf:
server timeserver.local prefer iburst
Restart the NTP service on client systems:
sudo systemctl restart ntpd
Verify client synchronization with the local server:
ntpq -p
Your local server should appear in the list and eventually show an asterisk (*) indicating it’s the selected synchronization source. The “reach” column should show 377 (octal) when fully synchronized, indicating successful communication for the last eight polling attempts.
Security Best Practices for NTP
Authentication and Access Control
Implementing authentication prevents unauthorized systems from poisoning your time source or exploiting your NTP infrastructure. NTP supports symmetric key authentication using MD5.
Generate authentication keys:
sudo ntp-keygen -M
This creates key files in /etc/ntp/. Alternatively, create keys manually. Edit or create /etc/ntp.keys:
sudo nano /etc/ntp.keys
Add key definitions (use random 32-character hexadecimal strings):
1 M a1b2c3d4e5f67890abcdef1234567890
2 M 9876543210fedcba0987654321abcdef
The format is: key_number type key_value. Secure the keys file:
sudo chmod 600 /etc/ntp.keys
sudo chown root:root /etc/ntp.keys
Reference the keys file in /etc/ntp.conf:
# Authentication configuration
keys /etc/ntp.keys
trustedkey 1 2
requestkey 1
controlkey 2
Configure servers to use authentication:
server 192.168.1.100 key 1
Implement strict access controls in ntp.conf:
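# Deny everything by default
restrict default ignore
restrict -6 default ignore
# Keep replies from the configured upstream servers and local ntpq queries working
restrict source nomodify notrap noquery
restrict 127.0.0.1
restrict ::1
# Allow specific networks
restrict 192.168.1.0 mask 255.255.255.0 kod limited nomodify notrap nopeer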
The limited flag enables rate limiting, protecting against DoS attacks.
Firewall and Network Security
Proper firewall configuration minimizes attack surface while maintaining functionality. Restrict UDP port 123 access to specific trusted networks:
sudo iptables -A INPUT -p udp --dport 123 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 123 -j DROP
This allows NTP traffic only from the 192.168.1.0/24 subnet. Implement connection tracking for stateful filtering:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
NTP amplification attacks exploit mode 6 and mode 7 monitoring commands. Disable them in ntp.conf:
disable monitor
This prevents monlist queries used in amplification attacks.
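One way to check a configuration against the access-control, authentication and monitoring settings covered in this section, as an added example that is not part of the original guide. Both configuration fragments are constructed, the function names are hypothetical, and the checks only look at the directives shown above.

```python
# Constructed ntp.conf fragments: a weak one and one built from this guide's directives.
WEAK = """\
server 0.pool.ntp.org iburst
server 192.168.1.100 key 3 iburst
restrict default nomodify notrap        # status queries still answered
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
keys /etc/ntp.keys
trustedkey 1 2
"""

HARDENED = """\
server 192.168.1.100 key 1 iburst
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 kod limited nomodify notrap nopeer
disable monitor
keys /etc/ntp.keys
trustedkey 1 2
requestkey 1
controlkey 2
"""


def directives(text):
    """Return each directive as a list of words, dropping comments and blank lines."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [row for row in rows if row]


def audit(text):
    """Return findings for an ntp.conf text; an empty list means every check passed."""
    conf = directives(text)
    findings = []
    defaults = [d for d in conf if d[0] == "restrict" and "default" in d]
    if not defaults:
        findings.append("no 'restrict default' line")
    for d in defaults:
        if "ignore" not in d and not {"noquery", "nomodify"} <= set(d):
            findings.append(f"'{' '.join(d)}' lacks noquery/nomodify")
    for d in conf:
        if d[0] == "restrict" and "mask" in d and not {"ignore", "limited"} & set(d):
            findings.append(f"'{' '.join(d)}' has no rate limiting (limited)")
    if not any(d[0] == "disable" and "monitor" in d for d in conf):
        findings.append("'disable monitor' is not set")
    if not any(d[0] == "keys" for d in conf):
        findings.append("no keys file: symmetric-key authentication is not configured")
    trusted = {key for d in conf if d[0] == "trustedkey" for key in d[1:]}
    for d in conf:
        if d[0] in ("server", "peer") and "key" in d[2:-1]:
            key_id = d[d.index("key", 2) + 1]
        elif d[0] in ("requestkey", "controlkey") and len(d) > 1:
            key_id = d[1]
        else:
            continue
        if key_id not in trusted:
            findings.append(f"'{' '.join(d)}' uses key {key_id}, which is not in trustedkey")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```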
Regular Maintenance
Maintain NTP security through ongoing vigilance. Keep the NTP package updated:
sudo pacman -Syu ntp
Monitor NTP logs regularly. View recent logs:
sudo journalctl -u ntpd --since today
For persistent logging, configure log files in ntp.conf:
logfile /var/log/ntp.log
logconfig =syncall +clockall
Implement log rotation to prevent disk space exhaustion. Create /etc/logrotate.d/ntp:
/var/log/ntp.log {
    monthly
    rotate 12
    compress
    missingok
    notifempty
}
Document your NTP architecture including server addresses, authentication keys, and configuration details. Store documentation securely for disaster recovery scenarios. Regular testing of time synchronization accuracy ensures continued reliability.
Advanced NTP Configuration Options
Stratum Configuration
Understanding stratum levels enables optimal network architecture. Stratum 0 devices are reference clocks—GPS receivers, atomic clocks, radio clocks. Stratum 1 servers connect directly to Stratum 0 devices via serial or PPS connections. Each subsequent stratum synchronizes from the level above, with Stratum 16 considered unsynchronized.
For networks with a local reference clock (GPS receiver), configure NTP to use it:
# GPS reference clock via the shared memory (SHM) driver
server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.0 refid GPS
The address 127.127.t.u follows a special format where ‘t’ represents the clock type (28 for SHM shared memory) and ‘u’ the unit number. This configuration makes your server a Stratum 1 source.
Enterprise networks should implement multiple stratum levels. Deploy dedicated Stratum 2 servers synchronized to public Stratum 1 sources, then configure internal Stratum 3 servers and clients to use your Stratum 2 infrastructure.
Multiple NTP Server Redundancy
Resilient time architectures require multiple time sources. Deploy at least four NTP servers for adequate redundancy—this allows NTP algorithms to detect and reject false tickers. With fewer than three servers, NTP cannot perform quality checks effectively.
Configure multiple servers in ntp.conf:
server ntp1.example.com iburst
server ntp2.example.com iburst
server ntp3.example.com iburst
server ntp4.example.com iburst
Distribute servers across different network segments and Internet providers when possible. This ensures time continuity even during network failures. Consider geographic diversity—servers in different physical locations provide additional resilience against regional outages.
Use pool servers for automatic redundancy:
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
The pool directive causes NTP to resolve multiple IP addresses from DNS, automatically populating your server list.
Performance Tuning
Optimize NTP behavior by adjusting polling intervals. The minpoll and maxpoll directives control minimum and maximum polling intervals as powers of two:
server time.example.com iburst minpoll 4 maxpoll 10
This sets minimum polling to 16 seconds (2^4) and maximum to 1024 seconds (2^10). Default values are typically minpoll 6 (64 seconds) and maxpoll 10 (1024 seconds). Reduce minpoll for tighter synchronization on local networks; increase maxpoll to reduce network traffic for stable, remote servers.
The drift file records frequency correction needed for your system clock:
driftfile /var/lib/ntp/ntp.drift
This allows NTP to maintain reasonable accuracy even when network connectivity is temporarily lost. The drift value represents parts-per-million frequency error of your system clock oscillator.
Monitoring and Troubleshooting NTP
Monitoring Commands and Tools
Continuous monitoring ensures time synchronization reliability. Use watch for real-time updates:
watch -n 10 ntpq -p
This refreshes the peer status display every 10 seconds, allowing observation of synchronization progress.
For detailed peer information:
ntpq -c peers
ntpq -c associations
View system variables:
ntpq -c sysinfo
Check NTP daemon logs:
sudo journalctl -u ntpd -f
The -f flag follows log output in real-time. Filter for specific events:
sudo journalctl -u ntpd | grep -i error
If configured with a log file:
tail -f /var/log/ntp.log
Common Issues and Solutions
Problem: “no server suitable for synchronization found”
This error indicates NTP cannot communicate with any configured servers. Verify network connectivity:
ping 0.pool.ntp.org
Check firewall rules aren’t blocking outbound UDP port 123 traffic. Verify DNS resolution works correctly. Try using IP addresses instead of hostnames temporarily.
Problem: Conflicting time services
If systemd-timesyncd or Chrony still runs alongside ntpd, conflicts occur. Verify only one service is active:
systemctl status systemd-timesyncd
systemctl status chronyd
systemctl status ntpd
Disable conflicting services:
sudo systemctl stop systemd-timesyncd chronyd
sudo systemctl disable systemd-timesyncd chronyd
Problem: Large time offset
If system time differs significantly from NTP servers, ntpd may refuse to synchronize to prevent sudden time jumps. Check offset:
ntpq -p
For large offsets, manually set time once:
sudo ntpd -gq
The -g flag allows large time corrections; -q exits after setting time once. Then start ntpd normally:
sudo systemctl start ntpd
Problem: Incorrect timezone versus synchronization
Time synchronization issues sometimes stem from timezone configuration, not NTP. Check timezone:
timedatectl list-timezones | grep Asia
Set correct timezone:
sudo timedatectl set-timezone Asia/Jakarta
Problem: Firewall blocking NTP traffic
If clients cannot reach your NTP server, verify firewall configuration:
sudo iptables -L -n -v | grep 123
Temporarily disable firewall for testing:
sudo systemctl stop firewalld
If this resolves the issue, add proper firewall rules rather than leaving it disabled.
Performance Verification
Assess synchronization quality using offset and jitter values. Offset represents time difference between local clock and NTP source—values under 10ms indicate good synchronization. Jitter measures timing variations—values under 50ms are generally acceptable.
Check detailed statistics:
ntpq -c rv
This displays system variables including offset, jitter, frequency, and stratum. The “reach” value of 377 (octal) indicates successful communication in all recent polling attempts—this corresponds to binary 11111111, meaning eight consecutive successes.
Monitor stratum levels across your network to ensure hierarchical accuracy. Stratum should never exceed 15 (16 means unsynchronized).
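A health check over the ntpq -p table, applying the column meanings from the client verification section and the offset, jitter, reach and stratum thresholds given here. This is an added example, not part of the original guide; the sample output is constructed and the function names are hypothetical.

```python
# Constructed `ntpq -p` output; hosts and addresses are documentation examples.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.100   203.0.113.5      2 u   33   64  377    0.412    1.203   0.310
+ntp2.example.com 198.51.100.7    2 u   12   64  377   18.520   -2.114   1.902
 ntp3.example.com .INIT.         16 u    -   64    0    0.000    0.000   0.000
xntp4.example.com 192.0.2.9       3 u   40   64  357   25.100   84.300  61.700
"""


def parse_peers(text):
    """Turn the peer table into dicts; the first character of a row is the tally code."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or a row this simple parser cannot read
        remote, _refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        reach_bits = int(reach, 8)  # octal shift register, one bit per poll
        peers.append({
            "tally": line[0],
            "remote": remote,
            "stratum": int(st),
            "reach": reach_bits,
            "missed": 8 - bin(reach_bits).count("1"),
            "delay": float(delay),
            "offset": float(offset),
            "jitter": float(jitter),
        })
    return peers


def assess(peers, max_offset_ms=10.0, max_jitter_ms=50.0):
    """Return a list of findings; an empty list means the table looks healthy."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no system peer (*): the clock is not synchronised")
    for p in peers:
        name = p["remote"]
        if p["tally"] == "x":
            findings.append(f"{name}: falseticker, disagrees with the other sources")
        if p["stratum"] >= 16:
            findings.append(f"{name}: stratum {p['stratum']}, source is unsynchronised")
        if p["reach"] != 0o377:
            findings.append(f"{name}: reach {p['reach']:03o}, "
                            f"{p['missed']} of the last 8 polls unanswered")
        if abs(p["offset"]) >= max_offset_ms:
            findings.append(f"{name}: offset {p['offset']} ms")
        if p["jitter"] >= max_jitter_ms:
            findings.append(f"{name}: jitter {p['jitter']} ms")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_peers(SAMPLE)):
        print(finding)
```

On a live system the same functions can be fed the captured output of ntpq -p; shortly after ntpd starts, the reach register is still filling, so low reach values are expected then.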
Alternative: Using Chrony on Manjaro
For users seeking a modern alternative, Chrony provides excellent performance with less configuration complexity. Install Chrony:
sudo pacman -S chrony
Chrony offers several advantages over traditional ntpd. It synchronizes faster—often within seconds of startup—compared to ntpd’s several minutes. It handles intermittent network connectivity gracefully, making it ideal for laptops and roaming systems. It performs better with virtualized environments where the system clock might experience significant jumps.
The main configuration file is /etc/chrony.conf:
sudo nano /etc/chrony.conf
Basic configuration:
# NTP servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Drift file
driftfile /var/lib/chrony/drift
# Allow local clients
allow 192.168.1.0/24
# Log directory
logdir /var/log/chrony
Start and enable Chrony:
sudo systemctl start chronyd
sudo systemctl enable chronyd
Manage Chrony using chronyc:
chronyc tracking
chronyc sources
chronyc sourcestats
Choose Chrony over ntpd when operating laptops, systems with unreliable network connections, or virtual machines. Chrony’s adaptive polling and robust handling of clock corrections make it particularly suitable for modern, mobile computing environments.
Migration from ntpd to Chrony requires stopping and disabling ntpd:
sudo systemctl stop ntpd
sudo systemctl disable ntpd
Configuration syntax differs slightly between the two, but the concepts remain similar—both use server directives, access controls, and drift files.
Congratulations! You have successfully installed NTP. Thanks for using this tutorial to set up NTP on Manjaro Linux. For additional help or useful information, we recommend you check the official NTP website.