john john via FreeIPA-users wrote:
Thank you for your answer,
I have a few questions:
- Should I perform "kinit admin" before the "ipactl stop" command?
No, a ticket is not required.
- How did you determine that it was March 8 that I need to set the date on the server?
Several certificates were updated on March 5 and 7.
IIRC some of the certificates were renewed in March and some weren't and expired in April. You want to be in the sweet spot of time so that all of the certificates are valid and not expired.
Maybe I need to set the date before March 5?
3. IPA is configured with the following services:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: STOPPED
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Do I understand correctly that to start the dirsrv service I need to run the "systemctl start dirsrv@EXAMPLE.COM" command? The entry EXAMPLE.COM is specified in "/etc/ipa/default.conf" in the parameter "realm = EXAMPLE.COM".
Replace dots with dashes in the realm. Or you can use dirsrv.target.
If I am right, then krb5kdc is krb5kdc.service, named isn't configured, httpd is httpd.service, pki-tomcatd is pki-tomcatd@pki-tomcat.service
Correct. Note that you don't need to include the .service part when using systemctl if you want to save some typing.
We have to do this manually rather than ipactl since it would start ntpd and bring time back to current.
rob
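
The unit naming discussed above, as an added example that is not part of the original thread: it reads the realm from an IPA default.conf, builds the dirsrv instance unit by replacing dots with dashes, and prints the manual start commands for the units named in the thread, leaving ntpd out. The function names and the sample config are assumptions made for illustration; the script only prints commands and starts nothing.

```shell
#!/bin/sh
# Added example: derive the systemd units named in the thread from an
# IPA default.conf and print the manual start commands (nothing is started).
# Function names here are hypothetical, not part of FreeIPA.

# Print the value of "realm" from an IPA default.conf-style file.
ipa_realm() {
    # Accept "realm = EXAMPLE.COM" with optional spaces around "=".
    sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Map a realm to the dirsrv instance unit: dots become dashes.
dirsrv_unit() {
    printf 'dirsrv@%s\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# Print one "systemctl start" line per unit, in the order the thread lists them.
# ntpd is deliberately absent so the clock stays where it was set.
manual_start_plan() {
    realm=$(ipa_realm "$1")
    if [ -z "$realm" ]; then
        echo "no realm found in $1" >&2
        return 1
    fi
    for unit in "$(dirsrv_unit "$realm")" krb5kdc httpd pki-tomcatd@pki-tomcat; do
        printf 'systemctl start %s\n' "$unit"
    done
}

# Constructed sample config; on a real server pass /etc/ipa/default.conf.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
EOF

manual_start_plan "$sample_conf"
```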