<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 08/02/2011 08:04 AM, Adam Young wrote: <blockquote cite="mid:4E3803F8.9090108@redhat.com" type="cite"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> <title></title> On 08/02/2011 09:42 AM, Ondrej Valousek wrote: <blockquote cite="mid:4E37FEE3.9010601@s3group.cz" type="cite"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> Hi Rob, It was just "polaris" - so I tried: [root@polaris etc]# hostname polaris.example.com and it started working - Magic! That means that we rely on the fact that hostname is set to FQDN, right? Isn't it too strong requirement? Maybe we should guess FQDN using reverse lookups I do not know. The bottom line is that at least the IPA installation script should warn about the incorrect hostname. </blockquote> This actually brought a chuckle....we've been through a few iterations of how to deal with this. The approach did do Reverse at one point, but that brought in a few other issues. Needless to say, we've felt your pain on numerous occasions. Kerberos depends on the hostname being right, and none of the auth works without Kerberos. This is an issue that seems to mess people up in testing and evaluation mode, but people want and need it to resolve correctly in live environments. </blockquote> Most TLS/SSL implementations want to use the fqdn as well e.g. server certs will have cn=fqdn,something... as the Subject: in the cert. <blockquote cite="mid:4E3803F8.9090108@redhat.com" type="cite"> <blockquote cite="mid:4E37FEE3.9010601@s3group.cz" type="cite"> And the error message was bit confusing as well, because from that one none can even guess what went wrong, I even tried to add 'ipactl -d start' to print more debugging, but it did not help either. Just trying to bring some ideas, otherwise I am happy that it is working again for me :-) Thanks! Ondrej On 02.08.2011 15:18, Rob Crittenden wrote: <blockquote cite="mid:4E37F909.1020107@redhat.com" type="cite">Is your hostname set to polaris.example.com or polaris (check /etc/sysconfig/network). What we search for is cn=$FQDN,cn=masters,cn=etc That explains the matched part. It matched everything except the hostname. rob </blockquote> <hr> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:communications@s3group.com">communications@s3group.com</a>. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18 <hr> <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> </body> </html>