
Ticket #936 (closed defect: fixed)

Opened 13 years ago

Last modified 8 years ago

SSL authentication for floating clients without reverse DNS mapping (or with arbitrary one)

Reported by: https://www.google.com/accounts/o8/id?id=AItOawmRt7tLBwyWzmVJmFuO9bCdKeMQnaFDP-I
Owned by: desai
Priority: major
Milestone: Bcfg2 1.4.0 Release
Component: bcfg2-client
Version: 1.0
Keywords:
Cc:

Description

This was already discussed on the mailing list but got lost, so this ticket is to refresh the old topic: http://thread.gmane.org/gmane.comp.sysutils.bcfg2.devel/3781

Basically, bcfg2 expects clients to have a consistent reverse DNS record, even mobile clients. I just verified this on 1.1.0pre4.

In addition to the mentioned thread, there is another strange behaviour:

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="example.com" name="example.com" auth="cert"/>
</Clients>

Without a reverse DNS record, running bcfg2 -vqn results in "Client metadata resolution error for 11.22.33.44; check server log".

When a reverse mapping exists (and points to something like 44-33-22-11.dynamic.adsl.blah.blah), running the bcfg2 client succeeds but automatically adds another line to clients.xml (I do not remember exactly how it looked, but you should get the idea):

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="example.com" name="example.com" auth="cert"/>
  <Client profile="basic" name="44-33-22-11.dynamic.adsl.blah.blah" />
</Clients>

Attachments

Change History

comment:1 Changed 13 years ago by m4z <[email protected]…>

For completeness on the first half (but not too helpful in the case of mobile clients; sorry to do that here): You don't need a reverse DNS record; an entry in the server's /etc/hosts suffices, as long as it's the same as the CN in the client's certificate, of course.

Why do I post this? Because the error messages along the way do not really help to find the cause of the problem:

bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): address resolution error for 192.168.1.52
bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): Unexpected Authentication Failure
[...]
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): address resolution error for 192.168.1.52
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): Client metadata resolution error for 192.168.1.52; check server log
[...]
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Got request for bcfg from incorrect address 192.168.1.52
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Resolved to bcfg.kellerloch
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Authentication Failure
  • First two lines: It would be nice if the error message indicated what kind of resolution was attempted so I have directions. This way I wrongly assumed it was some SSL problem. Later I thought that I just could not use bcfg2 without setting up a DNS server for my lab.
  • Next two lines: This is the server log (with -dv, even)! And why do I get a "metadata resolution error"? Does this mean the connection got through somehow?
  • Third line: This sounds like I have a machine "bcfg" in clients.xml, which I don't. I'm easily confused. Not sure if those messages can be collapsed into one, but something like "Name resolution mismatch: The client connecting from IP 192.168.1.52 has a forward name of 'bcfg', but reverse name 'bcfg.kellerloch'." would be much less confusing to me.

comment:2 Changed 12 years ago by desai

Is the use of the address attribute insufficient? You can use this to set an ip address (or several) that you want to map back to a client.

comment:3 Changed 12 years ago by https://www.google.com/accounts/o8/id?id=AItOawmRt7tLBwyWzmVJmFuO9bCdKeMQnaFDP-I

Unfortunately no, because the client machines are mobile and I cannot predict from which addresses they will connect to the management server.
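The following is an added example, not Bcfg2's own code, illustrating the resolution path described in the ticket description and the address attribute desai mentions above. It is a toy resolver: it reads a clients.xml-style document, maps an incoming address to a client name (an explicit address attribute first, reverse DNS second) and checks the certificate CN against that name. The clients.xml content, the PTR table and the prefer_cert_cn option (a hypothetical cert-first lookup that lets a floating, cert-authenticated client skip both steps) are assumptions made for the example; the error strings merely echo the log messages quoted in this ticket.

```python
"""Toy model of the client-resolution path this ticket complains about.

Added example, not Bcfg2's code: resolves a connection to a client name
and checks the cert CN. prefer_cert_cn=True is a hypothetical fix.
"""
import socket
from xml.etree import ElementTree as ET


class ResolutionError(Exception):
    """Raised where the server would log an address/metadata resolution error."""


# Constructed clients.xml, modelled on the ticket's example (hypothetical data).
CLIENTS_XML = """<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating"
          uuid="example.com" name="example.com" auth="cert"/>
  <Client profile="basic" name="lab.example.com" address="192.168.1.52"/>
</Clients>"""

# Constructed PTR table standing in for the resolver (hypothetical data).
FAKE_PTR = {
    "192.168.1.52": "lab.example.com",
    "11.22.33.44": "44-33-22-11.dynamic.adsl.blah.blah",
}


def load_clients(xml_text):
    """Return {name: attributes} for every <Client> element."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): dict(c.attrib) for c in root.findall("Client")}


def reverse_lookup(addr, ptr):
    """PTR lookup; ptr=None uses the real resolver (socket.gethostbyaddr)."""
    if ptr is None:
        try:
            return socket.gethostbyaddr(addr)[0]
        except socket.herror as exc:
            raise ResolutionError(f"address resolution error for {addr}") from exc
    if addr not in ptr:
        raise ResolutionError(f"address resolution error for {addr}")
    return ptr[addr]


def resolve_client(addr, clients, cert_cn=None, ptr=FAKE_PTR,
                   auto_add=False, prefer_cert_cn=False):
    """Map a connection to a client name and check it against the cert CN.

    Raises ResolutionError on the failures the ticket describes; with
    auto_add an unknown reverse name is registered as a new client instead
    (the second behaviour the reporter saw).
    """
    # Hypothetical fix: a cert-authenticated client is identified by its
    # CN, so a floating client needs neither an address entry nor a PTR.
    if prefer_cert_cn and cert_cn in clients \
            and clients[cert_cn].get("auth") == "cert":
        return cert_cn

    # 1. An explicit address attribute (one or more IPs) wins.
    for name, attrs in clients.items():
        if addr in attrs.get("address", "").split():
            resolved = name
            break
    else:
        # 2. Otherwise the reverse DNS name must match a client entry.
        resolved = reverse_lookup(addr, ptr)
        if resolved not in clients:
            if not auto_add:
                raise ResolutionError(
                    f"Client metadata resolution error for {addr}")
            clients[resolved] = {"profile": "basic", "name": resolved}

    # 3. Cert auth: the CN has to match the resolved name.
    if clients[resolved].get("auth") == "cert" and cert_cn != resolved:
        raise ResolutionError(
            f"Authentication Failure: CN {cert_cn!r} != {resolved!r}")
    return resolved


def demo():
    """Walk through the cases from the ticket; returns the outcomes."""
    clients = load_clients(CLIENTS_XML)
    out = {}
    out["static"] = resolve_client("192.168.1.52", clients)
    try:
        resolve_client("10.0.0.9", clients, cert_cn="example.com")
    except ResolutionError as exc:
        out["no_ptr"] = str(exc)
    # Arbitrary PTR: the floating entry is ignored and a new one appears.
    out["arbitrary_ptr"] = resolve_client("11.22.33.44", clients,
                                          cert_cn="example.com", auto_add=True)
    out["client_count"] = len(clients)
    # With CN-first lookup the same connection maps to example.com.
    out["cn_first"] = resolve_client("10.0.0.9", clients, cert_cn="example.com",
                                     prefer_cert_cn=True)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running demo() reproduces the three situations in the ticket: a client with an address attribute resolves without any DNS, a floating client with no PTR fails before its certificate is ever examined, and a floating client behind an arbitrary PTR is matched to a brand-new entry named after the reverse name rather than to the example.com entry its certificate identifies. Only the cert-first lookup maps the connection to the intended client.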

comment:4 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.2.0 Release to Bcfg2 1.2.1 Release (Bugfix)

comment:5 Changed 12 years ago by https://www.google.com/accounts/o8/id?id=AItOawkfHvWdYf7g8kSZA32s7dhK0Xig9JKo_CA

Issue #1030 (fixed in 5fe3867a3b75aff04eeb7ba8c910ee6939c1680f) addressed a very similar topic. (It did not fix messages in the log, though).

Did it change anything in regard to this bug?

comment:6 Changed 11 years ago by solj

  • Milestone changed from Bcfg2 1.2.1 Release (Bugfix) to Bcfg2 1.3.0 Release

comment:7 Changed 10 years ago by solj

  • Milestone changed from Bcfg2 1.3.0 Release to Bcfg2 1.4.0 Release

comment:8 Changed 8 years ago by solj

  • Status changed from new to closed
  • Resolution set to fixed
