john john via FreeIPA-users wrote:
Thank you for your answer,
I have a few questions:
1. Should I perform "kinit admin" before "ipactl stop" command?
No, a ticket is not required.
2. How did you determine that it was March 8 that I need to set the
date on the server?
Several certificates were updated on March 5 and 7.
IIRC some of the certificates were renewed in March and some weren't and
expired in April. You want to be in the sweet spot of time so that all
of the certificates are valid and not expired.
Maybe I need to set the date before March 5?
3. IPA is configured with the following services:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: STOPPED
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
Do I understand correctly that to start the dirsrv service I need to run the "systemctl
start dirsrv@EXAMPLE.COM" command? The entry
EXAMPLE.COM is specified in the
"/etc/ipa/default.conf" parameter "realm = EXAMPLE.COM".
Replace dots with dashes in the realm. Or you can use dirsrv.target.
If I am right, then krb5kdc is krb5kdc.service, named isn't
configured, httpd is httpd.service, pki-tomcatd is pki-tomcatd@pki-tomcat.service
Correct. Note that you don't need to include the .service part when
using systemctl if you want to save some typing.
We have to do this manually rather than ipactl since it would start ntpd
and bring time back to current.
rob
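
The "sweet spot" described in the reply above, as an added example that is not part of the original thread: it parses per-certificate output of `openssl x509 -noout -dates` and returns the interval in which every certificate is valid at once. The certificate nicknames, the year and the timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: per-certificate output of `openssl x509 -noout -dates`.
# Nicknames, year and times are assumptions made up for this illustration.
SAMPLE = {
    "httpd": "notBefore=Mar  5 09:12:44 2019 GMT\nnotAfter=Mar  5 09:12:44 2021 GMT\n",
    "dirsrv": "notBefore=Mar  7 14:30:02 2019 GMT\nnotAfter=Mar  7 14:30:02 2021 GMT\n",
    "ocsp": "notBefore=Apr 20 08:00:00 2017 GMT\nnotAfter=Apr 10 08:00:00 2019 GMT\n",
}


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = value.strip()
            if stamp.endswith(" GMT"):
                stamp = stamp[:-4]
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def validity_window(certs):
    """Intersect all validity periods: (latest notBefore, earliest notAfter)."""
    periods = {name: parse_dates(text) for name, text in certs.items()}
    start_name = max(periods, key=lambda n: periods[n][0])
    end_name = min(periods, key=lambda n: periods[n][1])
    start, end = periods[start_name][0], periods[end_name][1]
    if start >= end:
        # No date exists at which every certificate is valid at once.
        raise ValueError(
            f"no overlap: {start_name} starts {start}, {end_name} ends {end}"
        )
    return start, end, start_name, end_name


if __name__ == "__main__":
    start, end, first, last = validity_window(SAMPLE)
    print(f"all certificates valid from {start} ({first}) until {end} ({last})")
```

A date before the latest notBefore leaves the renewed certificates not yet valid, and a date after the earliest notAfter leaves the unrenewed ones expired.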