[Freeipa-devel] [PATCH, 2.1] 0021 Fedora 16 and systemd support
Alexander Bokovoy
abokovoy at redhat.com
Tue Oct 18 13:42:07 UTC 2011
On Tue, 18 Oct 2011, Martin Kosek wrote:
> 1) When ipa is not configured, it is ok that ipa.service status returns
> error. However, I still got ipa.service status error after the ipa was
> configured:
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; disabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 1min 50s ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service
> # /usr/sbin/ipactl status
> IPA is not configured (see man pages of ipa-server-install for help)
>
> # ipa-server-install
> ...
> Applying LDAP updates
> Restarting IPA to initialize updates before performing deletes:
> [1/2]: stopping directory server
> [2/2]: starting directory server
> done configuring dirsrv.
> Restarting the directory server
> Restarting the KDC
> Restarting the web server
> Sample zone file for bind has been created in /tmp/sample.zone.teFbNR.db
> ==============================================================================
> Setup complete
>
> Next steps:
> 1. You must make sure these network ports are open:
> TCP Ports:
> * 80, 443: HTTP/HTTPS
> * 389, 636: LDAP/LDAPS
> * 88, 464: kerberos
> UDP Ports:
> * 88, 464: kerberos
> * 123: ntp
>
> 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
> This ticket will allow you to use the IPA tools (e.g., ipa user-add)
> and the web user interface.
>
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
>
> # systemctl status ipa.service
> ipa.service - Identity, Policy, Audit
> Loaded: loaded (/lib/systemd/system/ipa.service; enabled)
> Active: failed since Tue, 18 Oct 2011 09:04:41 -0400; 6min ago
> Main PID: 18499 (code=exited, status=6)
> CGroup: name=systemd:/system/ipa.service
We were discussing with Simo yesterday that perhaps we need to do
a restart of ipa.service (on the systemd platform only) explicitly after
ipa-server-install.

Right now the last action we do is ipa.enable(), i.e. just enable
ipa.service. As all services were started before during
ipa-server-install, we deemed it not needed to do any restart in the
System V case.

systemd, however, detects status based on its own tracking of events
and there is no way to report status of the service other than
systemd's internal state.

So we might do an implicit restart of ipa.service at the end of install.
That would be another 5-10 seconds of delay depending on the hardware.

> 2) ipactl shows stopped dirsrv and CA service even though they should be
> up (cert-show command worked):
This might be related as well -- I've seen multiple times when
ipa_kpasswd didn't start after ipa-server-install but works after
restart.
--
/ Alexander Bokovoy