[OpenAFS] Time on AFS-cell

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 28 Feb 2005 15:50:36 -0500

On Monday, February 28, 2005 08:33:40 -0800 ted creedon 
<tcreedon@easystreet.com> wrote:

> NTP needs to run on all servers and workstations, use the real ntp not the
> one bundled with AFS. Use the --nosettime switch to disable ntp in the AFS
> server.

This is somewhat misleading.

All servers and clients need time synchronization.  If you have more than 
one database server, the database servers must be within about 15 seconds 
of each other, or voting will not work correctly.  All other servers and 
clients need to have time within about 5 minutes of the database servers 
(or KDC's, if you are running a full Kerberos realm), or authentication 
will not work.

You can synchronize time using NTP (http://www.ntp.org) or using the 
time-synchronization feature built in to the AFS cache manager.  Either 
approach will provide sufficient accuracy to make AFS work.  Because the 
built-in mechanism works by syncing clients' clocks to the fileservers, it 
cannot be used to set fileserver clocks; fileservers pretty much MUST run 

The built-in mechanism will be used automatically by any machine running 
afsd, unless you start afsd (not the fileserver) with the switch 
'-nosettime' (one dash, not two).  You must do this on any machine running 
an NTP client, or NTP and afsd will fight over control of the system clock. 
That also means you need to do it on every fileserver.  Perhaps at some 
point in the future, this will become the default.

> To keep your ISP happy, suggest pointing one or two AFS servers at 2 of
> the the nearest Cicso routers and point the remainder of the local boxes
> at the AFS servers (typically time should come from at least 2 servers in
> case one fails).

You should set up a local NTP server (ideally, three servers), and 
configure the rest of your machines to talk to it.  That will improve 
synchronization within your cell, which is what you really care about, and 
reduce load on your external network connection.  You should ask your 
upstream network provider if they operate NTP servers at which you can 
point your local NTP servers -- DO NOT just assume that any nearby Cisco 
router is a good choice.  While devices running IOS are capable of acting 
as NTP servers, they are not always configured to do so, they may not be 
configured with a reliable upstream time source, and even if they are, that 
does not necessarily mean that it is OK to use them.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA