[Freeipa-devel] IP address check during IPA install
Petr Spacek
pspacek at redhat.com
Thu Apr 19 13:10:39 UTC 2012
On 04/18/2012 05:02 PM, Dmitri Pal wrote:
> On 04/18/2012 09:55 AM, Petr Spacek wrote:
>> Hello,
>>
>> please, can somebody explain to me, why our installer strictly checks
>> IP addresses? I wonder about it from yesterday's IPA meeting and still
>> can't get it.
>>
>> My naive insight is: "It's a network layer problem and application
>> shouldn't care."
>>
>> Of course, there are many protocols with endpoint address inside
>> application messages (like SIP or RTSP) for various reasons. Where are
>> these addresses in our case?
>>
>> HTTP, LDAP, DNS and NTP should be Ok, I think. Or they aren't?
>>
>> It's Kerberos problem? I know about client IP address inside Kerberos
>> ticket, but AFAIK it's usually filled with some constant with
>> "ANY_ADDRESS meaning".
>>
>> I often travel with tickets in credentials cache and these tickets
>> still work, when I change location and IP address.
>>
>> So - what I missed? Why pure NAT should create a problem?
>>
>
> The problem is not the specific address. The problem is badly configured
> system. If the host<-> IP can't be resolved cleanly you get a problem
> with Kerberos and install will fail. This is why we make sure the name
> resolves properly and reverse lookups work at the install time. It does
> not matter what IP you have as long as it properly resolves.
Ok, I understand that. Error message "No network interface matches the
provided IP address and netmask" confused me. I thought it was explicit IP
address check, not a DNS check.
There should be absolutely clear error message about that, not something
cryptic like current message. (It is extraordinarily confusing in situation
when you didn't provide any address explicitly :-)
I created ticket for this:
https://fedorahosted.org/freeipa/ticket/2654
>> Thanks for clarification!
Petr^2 Spacek
More information about the Freeipa-devel
mailing list