How To Install NTP Server and Client on Manjaro

Time synchronization is one of those critical yet often overlooked aspects of Linux system administration. When your Manjaro system’s clock drifts even by a few seconds, it can cause cascading problems: authentication failures, corrupted logs, failed scheduled tasks, and database inconsistencies. The Network Time Protocol (NTP) solves this challenge by keeping your system clock accurate within milliseconds of Coordinated Universal Time (UTC). Whether you’re running a home server, managing enterprise infrastructure, or developing distributed applications, implementing proper time synchronization is essential. This comprehensive guide will walk through installing and configuring both NTP server and client on Manjaro Linux, covering everything from basic setup to advanced security configurations and troubleshooting techniques.

Understanding Network Time Protocol (NTP)

What is NTP and How It Works

Network Time Protocol represents one of the oldest Internet protocols still in widespread use today, designed specifically to synchronize computer clocks across networks. NTP operates using a hierarchical system of time sources, each level called a “stratum”. At the top of this hierarchy sit Stratum 0 devices—atomic clocks, GPS receivers, and other highly precise time sources. Stratum 1 servers connect directly to these devices, while Stratum 2 servers synchronize from Stratum 1, and so on.

The protocol uses UDP port 123 for both server and client communications, employing sophisticated algorithms to account for network latency and jitter. When your NTP client queries a server, it sends timestamps and receives responses that allow it to calculate the time offset and network delay. Through multiple polling cycles, NTP continuously adjusts your system clock, maintaining accuracy typically within 1-50 milliseconds on local networks. The beauty of NTP lies in its ability to gradually slew the clock rather than making abrupt jumps, preventing disruption to running applications and services.

NTP vs Chrony vs systemd-timesyncd on Manjaro

Manjaro users face three primary options for time synchronization, each with distinct advantages. Understanding these differences helps in selecting the right tool for specific requirements.

The systemd-timesyncd service comes preinstalled as Manjaro’s default time synchronization solution. This lightweight Simple Network Time Protocol (SNTP) client provides basic functionality adequate for desktop systems and workstations. It consumes minimal system resources and integrates seamlessly with systemd. However, systemd-timesyncd only functions as a client—it cannot serve time to other systems—and lacks advanced features like hardware clock support or sophisticated clock management.

Chrony represents a modern, versatile NTP implementation specifically designed for systems with intermittent network connectivity. It excels in environments where computers roam between networks, experience frequent shutdowns, or operate with unreliable Internet connections. Chrony synchronizes faster than traditional NTP, typically within seconds rather than minutes. The chronyc command-line tool provides robust monitoring and management capabilities. Chrony can function as both client and server, making it ideal for laptops, mobile workstations, and modern cloud environments.

Traditional NTP daemon (ntpd) offers the most comprehensive and time-tested solution for enterprise deployments. It provides extensive configuration options, supports serving multiple clients simultaneously, implements advanced authentication mechanisms, and handles complex network topologies. For dedicated time servers, data centers, or environments requiring strict RFC compliance, ntpd remains the gold standard.

Prerequisites and System Requirements

Before beginning the installation process, ensure your Manjaro system meets several essential requirements. First, update your system to the latest package versions using the following command:

sudo pacman -Syu

This command synchronizes package databases and upgrades all installed packages, preventing potential conflicts. You’ll need root or sudo privileges to install packages and modify system configuration files. A stable Internet connection is necessary for downloading NTP packages and synchronizing with upstream time servers.

Check your current time synchronization status by running:

timedatectl

This command displays your system’s current time settings, timezone configuration, and whether network time synchronization is active. Note the status of “System clock synchronized” and “NTP service”. Since Manjaro uses systemd-timesyncd by default, you’ll need to disable it before installing traditional NTP to avoid service conflicts.

Verify which time synchronization service is currently active:

systemctl status systemd-timesyncd.service

Basic familiarity with command-line operations, text editing (using nano, vim, or other editors), and Linux file permissions is helpful but not absolutely required—this guide provides detailed instructions for each step.

Installing NTP Client on Manjaro

Installing the NTP Package

The NTP package is available in Manjaro’s official repositories through the pacman package manager. Install it with a single command:

sudo pacman -S ntp

Pacman will display package information including size and dependencies. Press ‘Y’ to confirm the installation. The package includes the NTP daemon (ntpd), configuration files, and client utilities like ntpq and ntpdate. The installation typically completes within seconds on modern systems.

Disabling systemd-timesyncd

Since Manjaro ships with systemd-timesyncd enabled by default, you must disable it to prevent conflicts with the NTP daemon. Both services attempt to control the system clock, and running them simultaneously causes synchronization failures and unpredictable behavior.

First, check the current status:

systemctl status systemd-timesyncd.service

If the service shows as “active (running)”, disable network time protocol through timedatectl:

sudo timedatectl set-ntp false

This command disables systemd-timesyncd and stops it from starting at boot. Verify the change:

systemctl status systemd-timesyncd.service

The output should show “inactive (dead)”. Some users prefer explicitly stopping and disabling the service:

sudo systemctl stop systemd-timesyncd.service
sudo systemctl disable systemd-timesyncd.service

Basic NTP Client Configuration

The main NTP configuration file resides at /etc/ntp.conf. This file controls all aspects of NTP behavior, including which servers to synchronize with, access restrictions, and logging options. Open the file with your preferred text editor:

sudo nano /etc/ntp.conf

The default configuration includes several commented lines and basic server entries. For optimal performance, configure NTP servers geographically close to your location. The NTP Pool Project (pool.ntp.org) provides a large cluster of time servers distributed worldwide.

Replace or add server entries appropriate for your region. For Asia-Pacific users:

server 0.asia.pool.ntp.org iburst
server 1.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
server 3.asia.pool.ntp.org iburst

For European users:

server 0.europe.pool.ntp.org iburst
server 1.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
server 3.europe.pool.ntp.org iburst

The iburst option sends a burst of packets during initial synchronization, significantly reducing the time required to achieve accurate time. Without iburst, NTP might take 15-20 minutes to synchronize; with it, synchronization typically occurs within minutes.

Additional useful configuration directives include:

# Drift file location
driftfile /var/lib/ntp/ntp.drift

# Log file location
logfile /var/log/ntp.log

# Restrict default access
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Allow localhost full access
restrict 127.0.0.1
restrict ::1

The drift file records your system clock’s frequency error, helping NTP maintain accuracy even between synchronization intervals. Save the configuration file and exit the editor (Ctrl+X, then Y, then Enter in nano).

Starting and Enabling NTP Client Service

With configuration complete, start the NTP daemon:

sudo systemctl start ntpd

No output indicates successful startup. Enable automatic startup at boot time:

sudo systemctl enable ntpd

This command creates symbolic links ensuring ntpd starts automatically whenever the system boots. Verify the service status:

systemctl status ntpd

A successful configuration shows “active (running)” in green text, along with recent log entries indicating the daemon has started and begun synchronizing with configured servers.

Verifying NTP Client Synchronization

Proper verification ensures your NTP configuration works correctly before relying on it for critical operations. The ntpq utility provides detailed information about NTP peer status.

Query configured NTP peers:

ntpq -p

This command displays a table with columns showing:

  • remote: Server hostname or IP address
  • refid: Reference ID (upstream time source the server uses)
  • st: Stratum level (lower numbers indicate closer to authoritative time sources)
  • t: Type of peer (u = unicast, b = broadcast, etc.)
  • when: Time since last response (seconds)
  • poll: Polling interval (seconds)
  • reach: Reachability register (octal representation of last 8 polling attempts)
  • delay: Round-trip delay to peer (milliseconds)
  • offset: Time difference between local clock and peer (milliseconds)
  • jitter: Variation in delay (milliseconds)

Status symbols in the first column indicate peer status:

  • *: Current synchronization source (system peer)
  • +: Acceptable peer, considered for synchronization
  • -: Acceptable peer, excluded by clustering algorithm
  • x: False ticker (disagreement with other sources)
  • ~: Peer selected for combining
  • #: Good peer but not selected
  • blank: Peer rejected for various reasons

Initially, all peers may show blank status as NTP evaluates their reliability. Wait 5-10 minutes, then rerun ntpq -p. You should see an asterisk (*) next to one server, indicating successful synchronization.

Alternative verification methods include:

timedatectl

This shows overall system time status. Look for “System clock synchronized: yes” and “NTP service: active”.

For quick synchronization status:

ntpstat

This command returns either “synchronized” with offset and polling interval information, or “unsynchronised” if NTP hasn’t locked onto a time source yet.

Common issues during initial synchronization include “INIT” status or “(INIT)” appearing in the when column. This simply means NTP hasn’t completed its first polling cycle yet—give it a few more minutes. If servers show “x” status, they’re being rejected due to time disagreement with other sources; this usually resolves automatically as NTP evaluates multiple sources.

Installing NTP Server on Manjaro

NTP Server Installation Steps

Installing NTP server capabilities uses the same package as the client. If you’ve already installed the ntp package following the client instructions above, you’re ready to proceed with server configuration. If not, install it now:

sudo pacman -S ntp

The distinction between NTP client and server lies entirely in configuration—the same daemon software handles both roles.

Configuring NTP Server

Server configuration requires more detailed attention to access control and upstream time sources. Edit the NTP configuration file:

sudo nano /etc/ntp.conf

Configure upstream servers from which your server will synchronize. Use lower-stratum, reliable sources:

# Upstream time servers (will be Stratum 2 sources)
server 0.manjaro.pool.ntp.org iburst
server 1.manjaro.pool.ntp.org iburst
server 2.manjaro.pool.ntp.org iburst
server 3.manjaro.pool.ntp.org iburst

Implement access restrictions to control which clients can query your server. The restrict directive provides fine-grained access control:

# Default policy: deny all access
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Allow localhost full access
restrict 127.0.0.1
restrict ::1

# Allow local network clients to synchronize
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Understanding restrict flags:

  • kod: Send “Kiss-o’-Death” packets to reduce unwanted traffic
  • nomodify: Deny attempts to modify server configuration
  • notrap: Disable trap service (remote logging)
  • nopeer: Deny peer associations
  • noquery: Deny status queries
  • noserve: Deny all packets except queries

The configuration above allows clients on the 192.168.1.0/24 network to synchronize time but prevents them from modifying server settings or establishing peer relationships. Adjust the network address and subnet mask to match your local network topology.

For environments requiring broadcast time distribution:

# Broadcast on local network
broadcast 192.168.1.255

Save the configuration file and exit the editor.

Firewall Configuration for NTP Server

Opening firewall ports is essential for allowing clients to access your NTP server. NTP uses UDP port 123 for all communications.

If using firewalld (common on some Manjaro installations):

sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload

The first command adds NTP as a permanent allowed service; the second applies the changes.

For ufw (Uncomplicated Firewall):

sudo ufw allow 123/udp
sudo ufw reload

If using iptables directly:

sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

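Security considerations: expose NTP servers only to trusted networks when possible. NTP amplification attacks exploit publicly accessible NTP servers to overwhelm targets with traffic. Implement rate limiting if exposing your server to the Internet. Note that the limit match only accepts packets up to the configured rate; packets over the limit are dropped only if a later rule or the INPUT chain policy drops them, and the rule has no effect if an unconditional ACCEPT rule for port 123 comes before it: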

sudo iptables -A INPUT -p udp --dport 123 -m limit --limit 10/minute -j ACCEPT

Starting NTP Server Service

Start the NTP daemon:

sudo systemctl start ntpd

Enable automatic startup:

sudo systemctl enable ntpd

Verify the service is running:

systemctl status ntpd

Confirm the daemon is listening on UDP port 123:

sudo ss -tulpn | grep :123

This should show output indicating ntpd is bound to port 123 on relevant interfaces. If using netstat instead:

sudo netstat -tulpn | grep :123

Configuring NTP Clients to Use Local NTP Server

Once your Manjaro NTP server is operational, configure client systems to utilize it for time synchronization.

On each client system, edit /etc/ntp.conf:

sudo nano /etc/ntp.conf

Add your local NTP server address, using the prefer keyword to prioritize it:

# Local NTP server (preferred)
server 192.168.1.100 prefer iburst

# Fallback public servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

The prefer keyword tells NTP to favor this server when multiple sources are available. Include fallback public servers to maintain synchronization if your local server becomes unavailable—this ensures resilience.

For easier management, add an entry to /etc/hosts:

sudo nano /etc/hosts

Add a line:

192.168.1.100    timeserver.local

Now reference the server by hostname in ntp.conf:

server timeserver.local prefer iburst

Restart the NTP service on client systems:

sudo systemctl restart ntpd

Verify client synchronization with the local server:

ntpq -p

Your local server should appear in the list and eventually show an asterisk (*) indicating it’s the selected synchronization source. The “reach” column should show 377 (octal) when fully synchronized, indicating successful communication for the last eight polling attempts.

Security Best Practices for NTP

Authentication and Access Control

Implementing authentication prevents unauthorized systems from poisoning your time source or exploiting your NTP infrastructure. NTP supports symmetric key authentication using MD5.

Generate authentication keys:

sudo ntp-keygen -M

This creates key files in /etc/ntp/. Alternatively, create keys manually. Edit or create /etc/ntp.keys:

sudo nano /etc/ntp.keys

Add key definitions (use random 32-character hexadecimal strings):

1 M a1b2c3d4e5f67890abcdef1234567890
2 M 9876543210fedcba0987654321abcdef

The format is: key_number type key_value. Secure the keys file:

sudo chmod 600 /etc/ntp.keys
sudo chown root:root /etc/ntp.keys

Reference the keys file in /etc/ntp.conf:

# Authentication configuration
keys /etc/ntp.keys
trustedkey 1 2
requestkey 1
controlkey 2

Configure servers to use authentication:

server 192.168.1.100 key 1

Implement strict access controls in ntp.conf:

# Deny everything by default
restrict default ignore
restrict -6 default ignore

# Allow specific networks
restrict 192.168.1.0 mask 255.255.255.0 kod limited nomodify notrap nopeer

The limited flag enables rate limiting, protecting against DoS attacks.

Firewall and Network Security

Proper firewall configuration minimizes attack surface while maintaining functionality. Restrict UDP port 123 access to specific trusted networks:

sudo iptables -A INPUT -p udp --dport 123 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 123 -j DROP

This allows NTP traffic only from the 192.168.1.0/24 subnet. Implement connection tracking for stateful filtering:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

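NTP amplification attacks exploit mode 6 and mode 7 monitoring commands. Disable the monitoring facility in ntp.conf:

disable monitor

This prevents monlist queries used in amplification attacks. The noquery flag on the restrict default lines shown earlier denies remote ntpq and ntpdc queries, which are the mode 6 and mode 7 requests.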
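
One way to check a configuration against the restrict, key and monitor directives covered in this section, as an added example (not part of the original tutorial and not an ntpd tool): a POSIX shell and awk audit that reports each gap. Both configurations are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an ntp.conf against the hardening directives above.
# Function names are hypothetical; both configurations are constructed samples.

weak_conf() {
cat <<'EOF'
server 0.pool.ntp.org iburst
server 192.168.1.100 key 3
keys /etc/ntp.keys
trustedkey 1 2
restrict default nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0 notrap
EOF
}

hardened_conf() {
cat <<'EOF'
server 192.168.1.100 key 1
keys /etc/ntp.keys
trustedkey 1 2
requestkey 1
controlkey 2
restrict default kod nomodify notrap nopeer noquery   # or: restrict default ignore
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 kod limited nomodify notrap nopeer
disable monitor
EOF
}

# Reads an ntp.conf on stdin and prints one line per finding (nothing if clean).
audit_ntp_conf() {
  awk '
    # True if the current line carries the given flag after the directive name.
    function has(flag,   i) {
      for (i = 2; i <= NF; i++) if ($i == flag) return 1
      return 0
    }
    { sub(/#.*/, "") }                 # strip comments before looking at fields
    NF == 0 { next }
    # Default policy lines: need "ignore", or both nomodify and noquery.
    $1 == "restrict" && ($2 == "default" || ($2 ~ /^-[46]$/ && $3 == "default")) {
      fam = ($2 == "-6") ? "v6" : "v4"
      seen[fam] = 1
      if (!has("ignore")) {
        if (!has("nomodify")) print "default-" fam ": missing nomodify"
        if (!has("noquery"))  print "default-" fam ": missing noquery"
      }
      next
    }
    # Per-network lines: clients may sync but must not reconfigure the server.
    $1 == "restrict" && has("mask") {
      if (!has("ignore") && !has("nomodify")) print "restrict " $2 ": missing nomodify"
      next
    }
    $1 == "trustedkey" { for (i = 2; i <= NF; i++) trusted[$i] = 1; next }
    $1 == "server" || $1 == "pool" {
      for (i = 3; i < NF; i++) if ($i == "key") used[$2] = $(i + 1)
      next
    }
    $1 == "disable" && has("monitor") { monitor_off = 1 }
    END {
      if (!seen["v4"]) print "default-v4: no restrict default line"
      if (!seen["v6"]) print "default-v6: no restrict -6 default line"
      for (s in used)
        if (!(used[s] in trusted)) print "server " s ": key " used[s] " not in trustedkey"
      if (!monitor_off) print "monitor: disable monitor not set"
    }'
}

echo "weak sample:";     weak_conf | audit_ntp_conf
echo "hardened sample:"; hardened_conf | audit_ntp_conf
```

To audit a real host, feed the file on standard input, for example audit_ntp_conf < /etc/ntp.conf.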

Regular Maintenance

Maintain NTP security through ongoing vigilance. Keep the NTP package updated:

sudo pacman -Syu ntp

Monitor NTP logs regularly. View recent logs:

sudo journalctl -u ntpd --since today

For persistent logging, configure log files in ntp.conf:

logfile /var/log/ntp.log
logconfig =syncall +clockall

Implement log rotation to prevent disk space exhaustion. Create /etc/logrotate.d/ntp:

/var/log/ntp.log {
    monthly
    rotate 12
    compress
    missingok
    notifempty
}

Document your NTP architecture including server addresses, authentication keys, and configuration details. Store documentation securely for disaster recovery scenarios. Regular testing of time synchronization accuracy ensures continued reliability.

Advanced NTP Configuration Options

Stratum Configuration

Understanding stratum levels enables optimal network architecture. Stratum 0 devices are reference clocks—GPS receivers, atomic clocks, radio clocks. Stratum 1 servers connect directly to Stratum 0 devices via serial or PPS connections. Each subsequent stratum synchronizes from the level above, with Stratum 16 considered unsynchronized.

For networks with a local reference clock (GPS receiver), configure NTP to use it:

# GPS reference clock via the shared memory (SHM) driver
server 127.127.28.0 minpoll 4 maxpoll 4
fudge 127.127.28.0 time1 0.0 refid GPS

The address 127.127.t.u follows a special format where ‘t’ represents the clock type (28 for SHM shared memory) and ‘u’ the unit number. This configuration makes your server a Stratum 1 source.

Enterprise networks should implement multiple stratum levels. Deploy dedicated Stratum 2 servers synchronized to public Stratum 1 sources, then configure internal Stratum 3 servers and clients to use your Stratum 2 infrastructure.

Multiple NTP Server Redundancy

Resilient time architectures require multiple time sources. Deploy at least four NTP servers for adequate redundancy—this allows NTP algorithms to detect and reject false tickers. With fewer than three servers, NTP cannot perform quality checks effectively.

Configure multiple servers in ntp.conf:

server ntp1.example.com iburst
server ntp2.example.com iburst
server ntp3.example.com iburst
server ntp4.example.com iburst

Distribute servers across different network segments and Internet providers when possible. This ensures time continuity even during network failures. Consider geographic diversity—servers in different physical locations provide additional resilience against regional outages.

Use pool servers for automatic redundancy:

pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst

The pool directive causes NTP to resolve multiple IP addresses from DNS, automatically populating your server list.

Performance Tuning

Optimize NTP behavior by adjusting polling intervals. The minpoll and maxpoll directives control minimum and maximum polling intervals as powers of two:

server time.example.com iburst minpoll 4 maxpoll 10

This sets minimum polling to 16 seconds (2^4) and maximum to 1024 seconds (2^10). Default values are typically minpoll 6 (64 seconds) and maxpoll 10 (1024 seconds). Reduce minpoll for tighter synchronization on local networks; increase maxpoll to reduce network traffic for stable, remote servers.

The drift file records frequency correction needed for your system clock:

driftfile /var/lib/ntp/ntp.drift

This allows NTP to maintain reasonable accuracy even when network connectivity is temporarily lost. The drift value represents parts-per-million frequency error of your system clock oscillator.

Monitoring and Troubleshooting NTP

Monitoring Commands and Tools

Continuous monitoring ensures time synchronization reliability. Use watch for real-time updates:

watch -n 10 ntpq -p

This refreshes the peer status display every 10 seconds, allowing observation of synchronization progress.

For detailed peer information:

ntpq -c peers
ntpq -c associations

View system variables:

ntpq -c sysinfo

Check NTP daemon logs:

sudo journalctl -u ntpd -f

The -f flag follows log output in real-time. Filter for specific events:

sudo journalctl -u ntpd | grep -i error

If configured with a log file:

tail -f /var/log/ntp.log

Common Issues and Solutions

Problem: “no server suitable for synchronization found”

This error indicates NTP cannot communicate with any configured servers. Verify network connectivity:

ping 0.pool.ntp.org

Check firewall rules aren’t blocking outbound UDP port 123 traffic. Verify DNS resolution works correctly. Try using IP addresses instead of hostnames temporarily.

Problem: Conflicting time services

If systemd-timesyncd or Chrony still runs alongside ntpd, conflicts occur. Verify only one service is active:

systemctl status systemd-timesyncd
systemctl status chronyd
systemctl status ntpd

Disable conflicting services:

sudo systemctl stop systemd-timesyncd chronyd
sudo systemctl disable systemd-timesyncd chronyd

Problem: Large time offset

If system time differs significantly from NTP servers, ntpd may refuse to synchronize to prevent sudden time jumps. Check offset:

ntpq -p

For large offsets, manually set time once:

sudo ntpd -gq

The -g flag allows large time corrections; -q exits after setting time once. Then start ntpd normally:

sudo systemctl start ntpd

Problem: Incorrect timezone versus synchronization

Time synchronization issues sometimes stem from timezone configuration, not NTP. Check timezone:

timedatectl list-timezones | grep Asia

Set correct timezone:

sudo timedatectl set-timezone Asia/Jakarta

Problem: Firewall blocking NTP traffic

If clients cannot reach your NTP server, verify firewall configuration:

sudo iptables -L -n -v | grep 123

Temporarily disable firewall for testing:

sudo systemctl stop firewalld

If this resolves the issue, add proper firewall rules rather than leaving it disabled.

Performance Verification

Assess synchronization quality using offset and jitter values. Offset represents time difference between local clock and NTP source—values under 10ms indicate good synchronization. Jitter measures timing variations—values under 50ms are generally acceptable.

Check detailed statistics:

ntpq -c rv

This displays system variables including offset, jitter, frequency, and stratum. The “reach” value of 377 (octal) indicates successful communication in all recent polling attempts—this corresponds to binary 11111111, meaning eight consecutive successes.

Monitor stratum levels across your network to ensure hierarchical accuracy. Stratum should never exceed 15 (16 means unsynchronized).
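
The reach, offset and jitter checks described here and in the ntpq -p column list earlier, as an added example (not part of the original tutorial): a POSIX shell and awk script that decodes the octal reach register into successful polls out of eight and flags peers outside the 10 ms offset and 50 ms jitter guidelines. The peer table is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: health report over `ntpq -p` output.
# Function names are hypothetical; the peer table below is constructed.

sample_peers() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.100   203.0.113.10     2 u   33   64  377    0.412    0.318   0.095
+ntp-a.example   198.51.100.7     2 u   12   64  377   24.120   -1.204   1.870
-ntp-b.example   198.51.100.9     3 u   40   64  017   88.301   14.772  61.240
 ntp-c.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# awk helper: octal reach register -> number of successful polls (set bits).
REACH_AWK='
function okpolls(r,   v, i, n) {
  v = 0
  for (i = 1; i <= length(r); i++) v = v * 8 + substr(r, i, 1)
  n = 0
  while (v > 0) { n += v % 2; v = int(v / 2) }
  return n
}'

# reach_ok_polls 377 -> 8, reach_ok_polls 017 -> 4
reach_ok_polls() {
  awk -v r="$1" "$REACH_AWK"' BEGIN { print okpolls(r) }'
}

# Reads `ntpq -p` output on stdin; prints "remote tally ok/8 flags" per peer.
peer_report() {
  awk "$REACH_AWK"'
    $1 == "remote" || /^=+$/ || NF < 10 { next }   # header, rule, short lines
    {
      tally = substr($0, 1, 1)                     # status symbol in column 1
      remote = $1
      if (tally == " ") tally = "_"                # blank tally: rejected peer
      else remote = substr($1, 2)
      ok = okpolls($7)
      off = $9 + 0
      if (off < 0) off = -off
      flags = ""
      if (ok == 0)      flags = flags ",UNREACHABLE"
      if ($3 >= 16)     flags = flags ",UNSYNCED"
      if (tally == "x") flags = flags ",FALSETICKER"
      if (off > 10)     flags = flags ",HIGH_OFFSET"   # guideline: under 10 ms
      if ($10 > 50)     flags = flags ",HIGH_JITTER"   # guideline: under 50 ms
      if (flags == "")  flags = ",OK"
      printf "%s %s %d/8 %s\n", remote, tally, ok, substr(flags, 2)
    }'
}

# Succeeds if some peer carries the * tally (current synchronization source).
has_sys_peer() {
  grep -q '^\*'
}

sample_peers | peer_report
if sample_peers | has_sys_peer; then
  echo "system peer selected"
else
  echo "no system peer yet (normal for the first few minutes)"
fi
```

On a live system, replace sample_peers with ntpq -p, for example ntpq -p | peer_report.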

Alternative: Using Chrony on Manjaro

For users seeking a modern alternative, Chrony provides excellent performance with less configuration complexity. Install Chrony:

sudo pacman -S chrony

Chrony offers several advantages over traditional ntpd. It synchronizes faster—often within seconds of startup—compared to ntpd’s several minutes. It handles intermittent network connectivity gracefully, making it ideal for laptops and roaming systems. It performs better with virtualized environments where the system clock might experience significant jumps.

The main configuration file is /etc/chrony.conf:

sudo nano /etc/chrony.conf

Basic configuration:

# NTP servers
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Drift file
driftfile /var/lib/chrony/drift

# Allow local clients
allow 192.168.1.0/24

# Log directory
logdir /var/log/chrony

Start and enable Chrony:

sudo systemctl start chronyd
sudo systemctl enable chronyd

Manage Chrony using chronyc:

chronyc tracking
chronyc sources
chronyc sourcestats

Choose Chrony over ntpd when operating laptops, systems with unreliable network connections, or virtual machines. Chrony’s adaptive polling and robust handling of clock corrections make it particularly suitable for modern, mobile computing environments.

Migration from ntpd to Chrony requires stopping and disabling ntpd:

sudo systemctl stop ntpd
sudo systemctl disable ntpd

Configuration syntax differs slightly between the two, but the concepts remain similar—both use server directives, access controls, and drift files.

Congratulations! You have successfully installed NTP. Thanks for using this tutorial to set up NTP on Manjaro Linux. For additional help or useful information, we recommend you check the official NTP website.

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.