Re: [Freeipa-users] Unable to start IPA server after server reboot

2011-08-02 Thread Rob Crittenden

Ondrej Valousek wrote:

  Hi list,

I have a problem with my IPA server:
Symptoms:

[root@polaris etc]# /etc/init.d/ipa start
Starting Directory Service
Starting dirsrv:
 EXAMPLE-COM... [  OK  ]
 PKI-IPA... [  OK  ]
Failed to read data from Directory Service: Unknown error when
retrieving list of services from LDAP: {'matched':
'cn=masters,cn=ipa,cn=etc,dc=example,dc=com', 'desc': 'No such object'}
Shutting down
Shutting down dirsrv:
 EXAMPLE-COM... [  OK  ]
 PKI-IPA... [  OK  ]

I am able to start the services (dirsrv, named, krb5kdc) separately
though and then read the configuration fine:

[root@polaris log]# kinit admin
Password for ad...@example.com:
[root@polaris etc]# ldapsearch -Y GSSAPI -h localhost -b
cn=masters,cn=ipa,cn=etc,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base cn=masters,cn=ipa,cn=etc,dc=example,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# masters, ipa, etc, example.com
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: top
cn: masters

# polaris.example.com, masters, ipa, etc, example.com
dn: cn=polaris.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: polaris.example.com

# CA, polaris.example.com, masters, ipa, etc, example.com
dn: cn=CA,cn=polaris.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
cn: CA
.

Does it ring any bell to you?
Note that the IPA server was running fine right after the installation


Is your hostname set to polaris.example.com or polaris (check
/etc/sysconfig/network)?


What we search for is cn=$FQDN,cn=masters,cn=etc

That explains the matched part. It matched everything except the hostname.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Unable to start IPA server after server reboot

2011-08-02 Thread Adam Young

On 08/02/2011 09:42 AM, Ondrej Valousek wrote:

Hi Rob,
It was just polaris - so I tried:
[root@polaris etc]# hostname polaris.example.com

and it started working - Magic!
That means that we rely on the fact that hostname is set to FQDN,
right? Isn't it too strong a requirement?
Maybe we should guess the FQDN using reverse lookups, I do not know. The
bottom line is that at least the IPA installation script should warn
about the incorrect hostname.


This actually brought a chuckle... we've been through a few iterations
of how to deal with this.  The approach did do Reverse at one point, but
that brought in a few other issues.  Needless to say, we've felt your
pain on numerous occasions.


Kerberos depends on the hostname being right, and none of the auth works 
without Kerberos.  This is an issue that seems to mess people up in 
testing and evaluation mode, but people want and need it to resolve 
correctly in live environments.




And the error message was a bit confusing as well, because from that one
no one can even guess what went wrong. I even tried to add 'ipactl -d
start' to print more debugging, but it did not help either.


Just trying to bring some ideas, otherwise I am happy that it is 
working again for me :-)

Thanks!

Ondrej




On 02.08.2011 15:18, Rob Crittenden wrote:
Is your hostname set to polaris.example.com or polaris (check
/etc/sysconfig/network)?


What we search for is cn=$FQDN,cn=masters,cn=etc

That explains the matched part. It matched everything except the 
hostname.


rob 








Re: [Freeipa-users] Unable to start IPA server after server reboot

2011-08-02 Thread Rob Crittenden

Ondrej Valousek wrote:

  Hi Rob,
It was just polaris - so I tried:
[root@polaris etc]# hostname polaris.example.com

and it started working - Magic!
That means that we rely on the fact that hostname is set to FQDN, right?
Isn't it too strong a requirement?
Maybe we should guess the FQDN using reverse lookups, I do not know. The
bottom line is that at least the IPA installation script should warn
about the incorrect hostname.

And the error message was a bit confusing as well, because from that one
no one can even guess what went wrong. I even tried to add 'ipactl -d
start' to print more debugging, but it did not help either.

Just trying to bring some ideas, otherwise I am happy that it is working
again for me :-)
Thanks!

Ondrej


Kerberos and SSL really want fully-qualified names.

We've done some upstream work to address detecting when the hostname is 
not a fqdn. I filed a new ticket for the poor error message.


thanks for the suggestions.

rob

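The two points made in this thread, that ipactl looks up cn=$FQDN,cn=masters,cn=ipa,cn=etc,<suffix> and that the 'matched' field of the 'No such object' error already tells you which RDN is missing, can be turned into a small diagnostic. The script below is an added example, not FreeIPA's own code and not anything posted in the thread. It takes the suffix dc=example,dc=com, the hostname polaris and the 'matched' DN from the error output above; the FQDN sanity check (two or more labels, not a loopback alias, no reverse DNS lookup) is an assumption about what such an installer warning would test, not a description of what FreeIPA's installer does.

```python
"""Added example (not FreeIPA's own code): reproduce the lookup ipactl performs
for its service list and read an LDAP 'No such object' result from its 'matched' DN.
The suffix, hostnames and 'matched' value come from the thread; everything else
is constructed for illustration."""
import socket

# Base suffix from the thread's ldapsearch output (assumption: same realm layout).
SUFFIX = "dc=example,dc=com"


def masters_dn(hostname, suffix=SUFFIX):
    """DN ipactl reads its own service list from: cn=$FQDN,cn=masters,cn=ipa,cn=etc,<suffix>."""
    return f"cn={hostname},cn=masters,cn=ipa,cn=etc,{suffix}"


def is_fqdn(hostname):
    """True when the name has at least two labels and is not a loopback alias.
    This is the kind of check the thread says the installer should make;
    it deliberately does no reverse DNS lookup (constructed heuristic)."""
    name = hostname.rstrip(".").lower()
    if "." not in name or name in ("localhost", "localhost.localdomain"):
        return False
    return all(0 < len(label) <= 63 for label in name.split("."))


def split_dn(dn):
    """Split a DN into its RDNs. Sufficient for the DNs in this thread,
    which contain no escaped commas."""
    return [rdn.strip() for rdn in dn.split(",")] if dn else []


def missing_rdns(requested_dn, matched_dn):
    """RDNs of requested_dn that do not exist on the server.
    LDAP returns in 'matched' the deepest existing ancestor of the requested DN,
    so the RDNs to the left of it are exactly the ones that are missing."""
    requested = split_dn(requested_dn)
    matched = split_dn(matched_dn)
    if matched and requested[-len(matched):] != matched:
        raise ValueError("matched DN is not a suffix of the requested DN")
    return requested[: len(requested) - len(matched)]


def diagnose(hostname, matched_dn=None, suffix=SUFFIX):
    """Explain a failed start: is the hostname an FQDN, and which entry
    was the server unable to find? Returns a list of findings (empty = fine)."""
    findings = []
    wanted = masters_dn(hostname, suffix)
    if not is_fqdn(hostname):
        findings.append(f"hostname {hostname!r} is not fully qualified; "
                        f"ipactl will search for {wanted}")
    if matched_dn is not None:
        missing = missing_rdns(wanted, matched_dn)
        findings.append(f"server matched {matched_dn!r}; missing RDNs: {missing}")
    return findings


if __name__ == "__main__":
    # 'matched' value copied from the error message in the thread.
    matched = "cn=masters,cn=ipa,cn=etc,dc=example,dc=com"
    for line in diagnose("polaris", matched):      # the broken state: hostname 'polaris'
        print(line)
    print(diagnose("polaris.example.com"))         # the fixed state: no findings
    # On a real host: check the running system's own hostname the same way.
    me = socket.gethostname()
    print("this host:", me, "fqdn?", is_fqdn(me))
```

Running it with the thread's values reports that 'polaris' is not fully qualified and that the only RDN the server could not find is cn=polaris, which is the one-line explanation Rob gave; with polaris.example.com the findings list is empty.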