[Freeipa-devel] IP address check during IPA install

Dmitri Pal dpal at redhat.com
Wed Apr 18 15:02:43 UTC 2012


On 04/18/2012 09:55 AM, Petr Spacek wrote:
> Hello,
>
> please, can somebody explain to me why our installer strictly checks
> IP addresses? I have wondered about it since yesterday's IPA meeting and still
> can't get it.
>
> My naive insight is: "It's a network layer problem and the application
> shouldn't care."
>
> Of course, there are many protocols with the endpoint address inside
> application messages (like SIP or RTSP) for various reasons. Where are
> these addresses in our case?
>
> HTTP, LDAP, DNS and NTP should be OK, I think. Or aren't they?
>
> Is it a Kerberos problem? I know about the client IP address inside a Kerberos
> ticket, but AFAIK it's usually filled with some constant with
> "ANY_ADDRESS" meaning.
>
> I often travel with tickets in the credentials cache, and these tickets
> still work when I change location and IP address.
>
> So, what did I miss? Why should pure NAT create a problem?
>

The problem is not the specific address. The problem is a badly configured
system. If the host <-> IP can't be resolved cleanly, you get a problem
with Kerberos and the install will fail. This is why we make sure the name
resolves properly and reverse lookups work at install time. It does
not matter what IP you have as long as it properly resolves.

>
> Thanks for clarification!
>
> Petr^2 Spacek


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
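
The check described in the reply above (the name resolves and the reverse lookup works), as an added example that is not part of the original message and is not FreeIPA installer code. It resolves the name, reverse-resolves every returned address, and reports each mismatch; treating "cleanly" as "every address reverses to the same name" is an assumption, and the function names, the `example.test` hosts and the 192.0.2.x records are constructed for illustration.

```python
import socket

# Default resolvers: the system's own forward and reverse lookups.
def system_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def system_reverse(addr):
    return socket.gethostbyaddr(addr)[0]

def check_host_resolution(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means name <-> IP resolves cleanly."""
    fqdn = fqdn.rstrip(".").lower()
    try:
        addrs = sorted(forward(fqdn))
    except OSError as exc:  # socket.gaierror is an OSError
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if not addrs:
        return [f"{fqdn} resolves to no address"]
    problems = []
    for addr in addrs:
        try:
            name = reverse(addr).rstrip(".").lower()
        except OSError as exc:  # socket.herror is an OSError
            problems.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        if name != fqdn:
            problems.append(f"{addr} reverses to {name}, expected {fqdn}")
    return problems

# Constructed sample records (documentation names and addresses, not from the thread).
SAMPLE_A = {"ipa.example.test": {"192.0.2.10"},     # clean
            "noptr.example.test": {"192.0.2.20"},   # no PTR record
            "old.example.test": {"192.0.2.30"}}     # PTR names another host
SAMPLE_PTR = {"192.0.2.10": "ipa.example.test.",
              "192.0.2.30": "legacy.example.test."}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return SAMPLE_A[name]

def sample_reverse(addr):
    if addr not in SAMPLE_PTR:
        raise socket.herror(1, "unknown host")
    return SAMPLE_PTR[addr]

if __name__ == "__main__":
    for host in list(SAMPLE_A) + ["missing.example.test"]:
        print(host, "->", check_host_resolution(host, sample_forward, sample_reverse) or "OK")
```

Calling `check_host_resolution(name)` without the sample resolvers runs the same comparison against the system resolver.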

