On 04/18/2012 05:02 PM, Dmitri Pal wrote:
On 04/18/2012 09:55 AM, Petr Spacek wrote:
Hello,

Please, can somebody explain to me why our installer strictly checks
IP addresses? I have been wondering about it since yesterday's IPA meeting
and still can't get it.

My naive insight is: "It's a network layer problem and the application
shouldn't care."

Of course, there are many protocols with endpoint addresses inside
application messages (like SIP or RTSP) for various reasons. Where are
these addresses in our case?

HTTP, LDAP, DNS and NTP should be OK, I think. Or aren't they?

Is it a Kerberos problem? I know about the client IP address inside a Kerberos
ticket, but AFAIK it's usually filled with some constant with an
"ANY_ADDRESS" meaning.

I often travel with tickets in the credentials cache and these tickets
still work when I change location and IP address.

So, what did I miss? Why should pure NAT create a problem?


The problem is not the specific address. The problem is a badly configured
system. If the host <-> IP can't be resolved cleanly you get a problem
with Kerberos and the install will fail. This is why we make sure the name
resolves properly and reverse lookups work at install time. It does
not matter what IP you have as long as it properly resolves.

OK, I understand that. The error message "No network interface matches the provided IP address and netmask" confused me. I thought it was an explicit IP address check, not a DNS check.

There should be an absolutely clear error message about that, not something cryptic like the current message. (It is extraordinarily confusing in a situation when you didn't provide any address explicitly :-)

I created a ticket for this:
https://fedorahosted.org/freeipa/ticket/2654

Thanks for the clarification!

Petr^2 Spacek
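
The check described in this thread (the name must resolve forward, and each address must reverse back to the same name) is sketched below as an added example; it is not FreeIPA's installer code and not written by anyone in the thread. The function names, the injectable resolver parameters and the loopback rejection are assumptions made for illustration.

```python
import ipaddress
import socket


def system_forward(host):
    """Resolve host to a sorted list of address strings (system resolver)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def system_reverse(addr):
    """Return the primary name the system resolver gives for addr."""
    return socket.gethostbyaddr(addr)[0]


def check_host_resolution(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means host <-> IP is clean.

    forward/reverse are hypothetical hooks so the check can be run
    against constructed data instead of live DNS.
    """
    problems = []
    want = fqdn.rstrip(".").lower()
    if "." not in want:
        problems.append(f"'{fqdn}' is not fully qualified")
    try:
        addrs = forward(want)
    except OSError as exc:
        return problems + [f"forward lookup of '{want}' failed: {exc}"]
    if not addrs:
        return problems + [f"forward lookup of '{want}' returned no addresses"]
    for addr in addrs:
        # Assumption: a name that maps to loopback is treated as misconfigured.
        if ipaddress.ip_address(addr).is_loopback:
            problems.append(f"'{want}' resolves to loopback address {addr}")
            continue
        try:
            name = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        if name != want:
            problems.append(f"{addr} reverses to '{name}', expected '{want}'")
    return problems


if __name__ == "__main__":
    for line in check_host_resolution(socket.getfqdn()) or ["resolution is clean"]:
        print(line)
```

Each message names the lookup that failed, so a DNS problem is reported as a DNS problem rather than as an interface or netmask mismatch.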
