Adding ntp server to SecuritySpy
  • Hi Ben - I used to have ntp running on my SecuritySpy server, and cameras got the time from that. I have set the cameras up with no internet access.

    Apple has stopped shipping the ntp server with macOS in Mojave (and possibly High Sierra) and I've been unable to compile it from source.

    Would it be possible to add ntp functionality to SecuritySpy? I'm sure others would find it useful.

    Thanks, James.
  • It's unfortunate that Apple have stripped this from Mojave. It's not really something that we can implement in SecuritySpy - NTP servers require access to port 123, and to listen on that port, macOS applications have to be run as root (which is the case for any port below 1024). This is for security purposes, and running any standard application as root is not advisable. Also, this feature would not be useful for most users, and we would prefer to spend our development time elsewhere.

    Still, it is possible to download and compile your own NTP server tool:

    - If you haven't done so already, install Apple's Command Line Tools.

    - Download the OpenNTPD source code (click Releases on the left and click on any download link).

    - Once downloaded, double-click on the zip file and it will expand to a folder.

    - Open Terminal and cd into that folder (e.g. "cd /Users/ben/Downloads/openntpd-6.2p3")

    - Run the following Terminal commands, each ending with a return:

    ./configure --with-privsep-user=root
    make
    make install

    This installs the "ntpd" tool at /usr/local/sbin and a "ntpd.conf" configuration file at /usr/local/etc (you can get to these folders using the "Go to Folder..." option in the Go menu in the Finder).

    You will need to edit the configuration file to give it some valid ntp servers, and also allow access to your NTP server from other devices on the local network. Here is an example conf file:

    server time.apple.com
    listen on *

    Then run the ntpd tool like this:

    sudo /usr/local/sbin/ntpd

    You should now have an NTP server running on your Mac - confirm this in Activity Monitor by searching for the "ntpd" process(es). Note that it may take a few minutes to initially synchronise and be able to give out the time to network devices. Also you would have to jump through a few more hoops to get it to start automatically upon reboot (you should be able to find instructions if you Google this, it's quite a common thing to do).

    You can get the current status of the ntpd server like this:

    /usr/local/sbin/ntpctl -s all

    You can test your time server from Terminal with the sntp tool:

    sntp ip-address-of-mac

    I'm sure you're already aware, but the Mac should have a static IP address for this purpose, set in the Network system preference.

    Hope this helps!
  • I also struggle with time issues with my many installations. There are several time servers for Windows, most free. I am considering using a $99 Stick PC for only this purpose. There are Linux-based hardware units that use GPS to get the time, but they are $300. It seems strange that there are no simple Mac applications for this (perhaps for the security reasons Ben points out). I am hoping that a local time server will be more robust, considering it is on the LAN. I am about to try Ben's instructions. If you don't hear back from me, send in a rescue team.
  • Wow, thanks for your detailed reply Ben. I'll give OpenNTPD a try.
    Thanks again.
    James.
  • I had no luck with OpenNTPD on Mojave. After getting Xcode Command Line Utilities installed (pre-requisite to configure/make) and replacing the ntpd.conf file with the example @Ben provided I kept getting syntax errors for the fudge line. Also, it would not let me cd to the directory and run the binary by name. I instead had to call it in a single line as: sudo /usr/local/sbin/ntpd

    All that said, I'm looking for any troubleshooting resources for others that have tried to install this on macOS Mojave.
  • @cstout. I also had some issues. Had to create the _ntp user by:

    sudo dscl . create /Users/_ntp
    sudo dscl . create /Users/_ntp UserShell /sbin/nologin
    sudo dscl . delete /Users/_ntp AuthenticationAuthority
    sudo dscl . create /Users/_ntp UniqueID 400
    sudo dscl . create /Users/_ntp PrimaryGroupID 400
    sudo dscl . create /Users/_ntp RealName "OpenNTPD user"
    sudo dseditgroup -o create _ntp
    sudo dscl . append /Groups/_ntp GroupMembership _ntp

    The sntp command also gave errors. I had to run:

    sudo touch /var/db/ntp-kod
    sudo chmod 666 /var/db/ntp-kod
    export EVENT_NOKQUEUE=1

    I also can't start ntpd without getting syntax errors unless I only use 'server' commands in the config file. And then it doesn't seem to be listening. :-(
  • Apologies all, there were some mistakes in my instructions. I have now fixed my above post. It's best if you can all remove all relevant files (including source code) and start again from scratch to get this working.
  • @Ben, the updated directions worked great for the install, but I'm not sure about the testing results and whether or not this output is normal:

    sh-3.2# /usr/local/sbin/ntpctl -s all
    1/1 peers valid, clock unsynced

    peer
    wt tl st next poll offset delay jitter
    17.253.4.125 time.apple.com
    1 10 1 23s 33s 0.093ms 19.763ms 1.260ms

    sh-3.2# sntp 10.0.1.2
    sntp 4.2.8p10@1.3728-o Tue Mar 21 14:36:42 UTC 2017 (136.200.1~4587)
    kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory
    sock_cb: 10.0.1.2 not in sync, skipping this server
  • Oh, Google...what a resource.

    Ran these two commands and test succeeded:

    sh-3.2# sudo touch /var/db/ntp-kod

    sh-3.2# sudo chmod 666 /var/db/ntp-kod

    sh-3.2# sntp 10.0.1.2
    sntp 4.2.8p10@1.3728-o Tue Mar 21 14:36:42 UTC 2017 (136.200.1~4587)
    2019-03-27 13:39:45.773810 (+0700) +0.00003 +/- 0.006524 10.0.1.2 s2 no-leap
  • @cstout - great, that looks like it's working for you!

    The "not in sync" message usually just means you have to wait 5-10 minutes for the server to properly synchronise and be able to respond properly to requests.

    I also get the "Cannot open KoD db file" message. This seems to be harmless as the server still gives out proper time even with this file missing, but it's good you have found a way to prevent this as it's not clear what this is for, and it might be important for something!
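
Added example (not part of the original thread, and not SecuritySpy or OpenNTPD code): a minimal Python SNTP reply parser showing the header fields behind the "not in sync" message discussed above. Per RFC 5905, leap indicator 3 or stratum 0/16 marks a reply as unsynchronised; the two sample packets are constructed for this example, and `parse_reply`, `make_reply` and `query` are names chosen here.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def build_query():
    """48-byte client request: LI=0, VN=4, Mode=3 (client)."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)

def parse_reply(packet):
    """Decode the header fields that tell a client whether to trust the reply."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    flags, stratum = packet[0], packet[1]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    leap, version, mode = flags >> 6, (flags >> 3) & 0x7, flags & 0x7
    return {
        "leap": leap,
        "version": version,
        "mode": mode,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
        # RFC 5905: LI=3 is "unsynchronized"; stratum 0 and 16 carry no usable time.
        "in_sync": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def query(host, timeout=2.0):
    """Ask a live server on UDP port 123 and return the parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (host, 123))
        data, _ = s.recvfrom(512)
    return parse_reply(data)

def make_reply(leap, stratum, unix_time):
    """Constructed sample server reply for offline use (not captured traffic)."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum]) + bytes(38)
    return header + struct.pack("!II", unix_time + NTP_EPOCH_OFFSET, 0)

# Constructed samples: a server still warming up, and one that has synchronised.
WARMING_UP = make_reply(leap=3, stratum=0, unix_time=1553668785)
SYNCED = make_reply(leap=0, stratum=2, unix_time=1553668785)

if __name__ == "__main__":
    for name, pkt in (("warming up", WARMING_UP), ("synced", SYNCED)):
        print(name, parse_reply(pkt))
```

Calling `query("10.0.1.2")` against the server address used in the thread's test would return the same fields from a live reply.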
  • Wow, thanks Ben, that's much better!

    BTW, if you get "kq_init: detected broken kqueue; not using.: No such file or directory" just run:
    export EVENT_NOKQUEUE=1

    Fantastic to have it working now. (The 5-minute wait was frustrating!)
