[Freeipa-users] Unable to start IPA server after server reboot

Rich Megginson rmeggins at redhat.com
Tue Aug 2 14:13:05 UTC 2011


On 08/02/2011 08:04 AM, Adam Young wrote:
> On 08/02/2011 09:42 AM, Ondrej Valousek wrote:
>> Hi Rob,
>> It was just "polaris" - so I tried:
>> [root@polaris etc]# hostname polaris.example.com
>>
>> and it started working - Magic!
>> That means that we rely on the fact that the hostname is set to the FQDN, 
>> right? Isn't that too strong a requirement?
>> Maybe we should guess the FQDN using reverse lookups, I do not know. The 
>> bottom line is that at least the IPA installation script should warn 
>> about the incorrect hostname.
>>
> This actually brought a chuckle....we've been through a few iterations 
> of how to deal with this.  The approach did do Reverse at one point, 
> but that brought in a few other issues.  Needless to say, we've felt 
> your pain on numerous occasions.
>
> Kerberos depends on the hostname being right, and none of the auth 
> works without Kerberos.  This is an issue that seems to mess people up 
> in testing and evaluation mode, but people want and need it to resolve 
> correctly in live environments.
Most TLS/SSL implementations want to use the fqdn as well, e.g. server 
certs will have cn=fqdn,something... as the Subject: in the cert.
>
>
>
>> And the error message was a bit confusing as well, because from that 
>> one no one can even guess what went wrong. I even tried to add 'ipactl 
>> -d start' to print more debugging, but it did not help either.
>>
>> Just trying to bring some ideas, otherwise I am happy that it is 
>> working again for me :-)
>> Thanks!
>>
>> Ondrej
>>
>>
>>
>>
>> On 02.08.2011 15:18, Rob Crittenden wrote:
>>> Is your hostname set to polaris.example.com or polaris (check 
>>> /etc/sysconfig/network).
>>>
>>> What we search for is cn=$FQDN,cn=masters,cn=etc
>>>
>>> That explains the matched part. It matched everything except the 
>>> hostname.
>>>
>>> rob 
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
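The hostname dependencies discussed in this thread (a fully qualified hostname, the cn=$FQDN,cn=masters,cn=etc lookup, and the CN in the server certificate Subject) can be checked together before starting services. The sketch below is an added example, not FreeIPA code; the function names, the directory suffix and the sample directory and certificate data are assumptions constructed for illustration.

```python
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    """True if name looks fully qualified: two or more valid labels, not localhost."""
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    if labels[0].lower() == "localhost":
        return False
    return all(_LABEL.match(label) for label in labels)

def master_dn(hostname, suffix):
    # DN template as quoted in the thread; appending a suffix is an assumption.
    return "cn=%s,cn=masters,cn=etc,%s" % (hostname, suffix)

def subject_cn(subject):
    """Return the CN value from a Subject string such as 'CN=host,O=REALM'."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.lower() == "cn":
            return value
    return None

def preflight(hostname, suffix, directory_dns, cert_subject):
    """Return a list of problems; an empty list means the hostname is consistent."""
    problems = []
    if not is_fqdn(hostname):
        problems.append("hostname %r is not fully qualified" % hostname)
    wanted = master_dn(hostname, suffix).lower()
    if wanted not in (dn.lower() for dn in directory_dns):
        problems.append("no directory entry %s" % wanted)
    cn = subject_cn(cert_subject)
    if cn is None or cn.lower() != hostname.lower():
        problems.append("certificate CN %r does not match hostname" % cn)
    return problems

# Constructed sample data (not taken from a real server).
SUFFIX = "dc=example,dc=com"
DIRECTORY = ["cn=polaris.example.com,cn=masters,cn=etc,dc=example,dc=com"]
CERT_SUBJECT = "CN=polaris.example.com,O=EXAMPLE.COM"

if __name__ == "__main__":
    for host in ("polaris", "polaris.example.com"):
        print(host, "->", preflight(host, SUFFIX, DIRECTORY, CERT_SUBJECT) or "ok")
```

With the short name "polaris" all three checks fail at once, which is why a single explicit hostname warning is more useful than the downstream errors.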
