ntpd -g does not sync the clock

authentication ntp ntpd

Normally after allowing NTP through any firewall, the first few packets are processed (increasing reach), a system peer is selected, and the initial step fixes the time. This system has reachable peers but rejected them all, which is odd.

After reviewing readvar output, rootdelay=0.000 doesn't make sense. Remote over the internet, cannot be zero. Possibly why you got a flash word of distance threshold exceeded.

A theory from IRC is that NTP packets are being mangled by some middlebox. Which if true would be bad as it apparently broke NTP. ntpd applies dscp to its packets but ntpdate does not. Try dscp 0 in ntp.conf Ask around if differentiated services aware boxes are in the path. Take a packet capture (tcpdump) of NTP packets and look at it in Wireshark. See if it can dissect both any DSCP fields, wrapping NTP packets with NTP timestamps.

Also study ntpd in an entirely different network to contrast what it looks like when working. ntpd can run on anything, so maybe a VM on your workstation.

My original answer with a critique of the config follows.

Your reach recorded there is only 1. Wait 3 minutes after starting ntpd. Takes some time to get the first couple packets returned.

Regarding your configuration:

server time.google.com minpoll 3 maxpoll 4

Consider adding iburst to your server and pool lines. Initial burst at startup of several packets with a short delay.

I am not convinced configuring minpool and maxpool is a good idea, neither is Red Hat. Too frequent for a sustained period and public NTP services may block you. ntpd is already good at dynamically selecting the pool interval.

Need more NTP servers, ideally 4 for detecting falsetickers with n+1 redundancy. Google public NTP has 4 frontends, which you can use with either the pool directive or multiple server lines. Feel free to add other NTP services as a second opinion, like 2.pool.ntp.org. (However you will have a messy leap second smear if your NTP servers don't agree on that.)

No, public NTP services do not require NTP authentication. Authentication is not your problem, allowing large steps and tweaking the poll rate is.

My suggested change for the server line is more like this:

pool time.google.com iburst

As to how you're starting ntpd:

ntpd -g -n -4 -c /etc/ntp.conf &

-g option is necessary to fix such a large offset of many hours, keep it. Allows infinite step once at start. Normally, large offset causes ntpd to panic. Use -g in any script that starts ntpd, so time will be fixed at boot.

I don't see the purpose of no fork plus shell backgrounding. For starting in the background, I use the system's service manager or init script. For example, a ntpd.service unit for Linux with systemd.

Delete -4. Google is IPv6 capable.

If you wish to set the time once and exit, the -q option is useful. For interactive use when troubleshooting, normal operation is leaving ntpd running. Do not use ntpdate, which is obsolete.

ntpd -g -q

Related

Configuring a cloud VM to be accessed by multiple users
Calculating the percentage of the total available memory on linux as an integer in bash
503 error on apache virtual hosts
Apache 2.4 - How to restrict traffic (by IP address) to all requests except the base path?
How can I use one EXE on Multiple machines?
Re-using SSH keys
Round robin DNS and fault tolerance (web service, windows 2008)?
How to make communication between Production network and Isolated Network using Linux machine as a router?
Removing Cert Server from AD
How do you start ColdFusion MX 7?
VSFTPD error 530 on fresh install
Can't access SQL Server 2008 with anything but 'Windows NT Integrated Security'