8.127. ntp

Bug Fixes

BZ#673198

The ntpdate service did not wait for the NetworkManager service to configure the network before attempting to obtain the date and time update from the Internet. Consequently, ntpdate failed to set the system clock if the network was not configured. With this update, ntpdate attempts to obtain updates from the Internet in several increasing intervals if the initial attempt fails. The system clock is now set even when NetworkManager takes longer period of time to configure the network.

BZ#749530

The ntp-keygen utility always used the DES-CBC (Data Encryption Standard-Cipher Block Chaining) encryption algorithm to encrypt private NTP keys. However, DES-CBC is not supported in FIPS mode. Therefore, ntp-keygen generated empty private keys when it was used on systems with FIPS mode enabled. To solve this problem, a new "-C" option has been added to ntp-keygen that allows for selection of an encryption algorithm for private key files. Private NTP keys are now generated as expected on systems with FIPS mode enabled.

BZ#830821

The ntpstat utility did not include the root delay in the "time correct to within" value so the real maximum errors could have been larger than values reported by ntpstat. The ntpstat utility has been fixed to include the root delay as expected and the "time correct to within" values displayed by the utility are now correct.

BZ#862983

When adding NTP servers that were provided by DHCP (using dhclient-script) to the ntp.conf file, the ntp script did not verify whether ntp.conf already contained these servers. This could result in duplicate NTP server entries in the configuration file. This update modifies the ntp script so that duplicate NTP server entries can no longer occur in the ntp.conf file.

BZ#973807

When ntpd was configured as a broadcast client, it did not update the broadcast socket upon change of the network configuration. Consequently, the broadcast client stopped working after the network service had been restarted. This update modifies ntpd to update the broadcast client socket after network interface update so the client continues working after the network service restart as expected.

Enhancements

BZ#623616, BZ#667524

NTP now specifies four off-site NTP servers with the iburst configuration option in the default ntp.conf file, which results in faster initial time synchronization and improved reliability of the NTP service.

BZ#641800

Support for authentication using SHA1 symetric keys has been added to NTP. SHA1 keys can be generated by the ntp-keygen utility and configured in the /etc/ntp/keys file on the client and server machines.

BZ#835155

Support for signed responses has been added to NTP. This is required when using Samba 4 as an Active Directory (AD) Domain Controller (DC).

BZ#918275

A new miscellaneous ntpd option, "interface", has been added. This option allows control of which network addresses ntpd opens and whether to drop incoming packets without processing or not. For more information on use of the "interface" option, refer to the ntp_misc(5) man page.