cf authentication
From: Mike Weiner (5028)
Subject: cf authentication
Date: Thu, 9 Jan 2003 10:51:32 -0500
I am pretty much a newbie to cfengine, but I have been reading the tutorial
and reference manual to get things set up on a simple basis before I blow it
up into production. Here is my setup:
Running RedHat Linux release 7.3
Kernel-2.4.18-10smp
Cfengine-2.0.4-1
Db3-3.3.11-6
Openssl-0.9.6b-28
I rebuilt the source so I could have a nice little RPM package to distribute
amongst ~450 servers which will be running this.
Here are my basic conf files I am using for this test between 2 boxes in our
farm:
/var/cfengine/inputs/cfagent.conf:
#######
#
# BEGIN cfagent.conf
#
# This script
#
######
control:
domain = ( americangreetings.com )
smtpserver = ( pop.americangreetings.com )
sysadm = ( mweiner@americangreetings.com )
netmask = ( 255.255.255.0 )
timezone = ( EST )
mountpattern = ( /vol/r0/ )
# When should cfexecd in daemon mode wake up the agent?
# schedule = ( Min00_05 Min30_05 )
actionsequence =
(
tidy # clean up
checktimezone # check time zone
netconfig # includes check netmask
resolve # includes domain
mountinfo # look for mounted disks under mountpattern
)
# tidy:
# /tmp pattern=* age=7 recurses=inf
# processes:
# "cfenvd" restart "/var/cfengine/bin/cfenvd"
# "cfservd" restart "/var/cfengine/bin/cfservd"
#######
#
# END cfagent.conf
#
#######
/usr/sbin/cfengine/inputs/update.conf:
#######
#
# BEGIN update.conf
#
# This script distributes the configuration, a simple file so that,
# if there are syntax errors in the main config, we can still
# distribute a correct configuration to the machines afterwards, even
# though the main config won't parse. It is read and run just before the
# main configuration is parsed.
#
#######
control:
actionsequence = ( copy tidy ) # Keep this simple and constant
domain = ( americangreetings.com ) # Needed for remote copy
#
# Which host/dir is the master for configuration roll-outs?
#
policyhost = ( gate-ag250.americangreetings.com )
master_cfinput = ( /masterfiles/inputs )
#
# Some convenient variables
#
workdir = ( /var/cfengine )
cf_install_dir = ( /usr/sbin )
# Avoid server contention
SplayTime = ( 5 )
############################################################################
#
# Make sure there is a local copy of the configuration and
# the most important binaries in case we have no connectivity
# e.g. for mobile stations or during DOS attacks
#
copy:
$(master_cfinput) dest=$(workdir)/inputs
r=inf
mode=700
type=binary
exclude=*.lst
exclude=*~
exclude=#*
server=$(policyhost)
$(cf_install_dir)/cfagent dest=$(workdir)/bin/cfagent
mode=755
backup=false
type=checksum
$(cf_install_dir)/cfservd dest=$(workdir)/bin/cfservd
mode=755
backup=false
type=checksum
$(cf_install_dir)/cfexecd dest=$(workdir)/bin/cfexecd
mode=755
backup=false
type=checksum
#####################################################################
tidy:
#
# Cfexecd stores output in this directory.
# Make sure we don't build up files and choke on our own words!
#
$(workdir)/outputs pattern=* age=7
#######
#
# END update.conf
#
#######
/usr/sbin/cfengine/inputs/cfservd.conf:
#########################################################
#
# This is a cfservd config file - it is used for the server
# part of cfengine, for remote file transfers and control
# over cfengine using the cfrun program.
#
#########################################################
control:
domain = ( americangreetings.com )
cfrunCommand = ( "/var/cfengine/bin/cfagent" )
any::
IfElapsed = ( 1 )
ExpireAfter = ( 15 )
MaxConnections = ( 50 )
MultipleConnections = ( true )
#########################################################
grant:
# Grant access to all hosts at americangreetings.com.
# Files should be world readable
/disk2/masterfiles/cfengine/inputs *.americangreetings.com
########
#
# END cfservd.conf
#
########
The cfservd starts up just fine, generates the key, and all is well on the
"master" or cf server. On the "victim" in this case, I was trying to run
'cfexecd -F' and just do some simple stuff, and received errors as in the
following:
On the cf server in /var/log/messages:
Jan 9 10:39:20 ag250 cfservd[26375]: Host authorization/authentication failed or access denied
Jan 9 10:39:20 ag250 cfservd[26375]: From (host=gate-ag251.americangreetings.com,user=root,ip=192.168.30.59)
In the email from the "victim" box:
ag251: BAD: key could not be accepted on trust
ag251: Authentication dialogue with gate-ag250.americangreetings.com failed
ag251: image exists but destination type is silly (file/dir/link doesn't match)
ag251: source=/usr/sbin/cfagent, dest=/var/cfengine/bin/cfagent
cfengine:ag251: Program does not define a broadcast mode for this host
I checked the perms and they seem OK, meaning the confs are world-readable,
and the machine is "allowed" in according to the cfservd.conf.
Does anyone see anything wrong with the very minimalistic and simplistic
setup I have?!? Can anyone give me some pointers on getting this to work in
this small test env?!? I was receiving tidy errors before I remarked out
that process, something to do with the syntax being wrong.
Many thanks in advance
Michael Weiner
Senior Systems Administrator/WebOps
AmericanGreetings.com
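The two log sources quoted in the post (cfservd's syslog pair on the server and the cfexecd mail report on the client) are the only evidence the poster has, and the useful step is to correlate them per host rather than read them one line at a time. The script below is an added example, not part of the original message or of cfengine itself: it pairs each cfservd "failed or access denied" line with the "From (host=...,user=...,ip=...)" line logged under the same pid, counts failures per client host, and picks the "BAD: key could not be accepted on trust" verdicts out of the mail report. The regexes follow the exact line shapes quoted above; the sample input is constructed from those lines, with the second client (gate-ag252, 192.168.30.60) and the sshd line invented for illustration.

```python
"""Correlate cfengine 2 authentication failures across server syslog and
client mail report.  Added example built around the log lines quoted in
the post; the second client host, its IP and the sshd line are constructed."""
import re
from collections import Counter

# cfservd logs the refusal on one line and the peer's identity on the next,
# both carrying the same pid, so the pid is the join key.
FAIL_RE = re.compile(
    r"cfservd\[(?P<pid>\d+)\]: Host authorization/authentication failed"
)
FROM_RE = re.compile(
    r"cfservd\[(?P<pid>\d+)\]: From \(host=(?P<host>[^,]+),"
    r"user=(?P<user>[^,]+),ip=(?P<ip>[^)]+)\)"
)
# cfexecd prefixes every agent line in its mail with the short hostname.
CLIENT_BAD_RE = re.compile(r"^(?P<client>[^:\s]+): BAD: (?P<reason>.*)$")

# Constructed sample: first pair is the post's own lines, the rest are made up.
SERVER_LOG = [
    "Jan 9 10:39:20 ag250 cfservd[26375]: Host authorization/authentication failed or access denied",
    "Jan 9 10:39:20 ag250 cfservd[26375]: From (host=gate-ag251.americangreetings.com,user=root,ip=192.168.30.59)",
    "Jan 9 10:41:02 ag250 cfservd[26380]: Host authorization/authentication failed or access denied",
    "Jan 9 10:41:02 ag250 cfservd[26380]: From (host=gate-ag252.americangreetings.com,user=root,ip=192.168.30.60)",
    "Jan 9 10:42:00 ag250 cfservd[26381]: Host authorization/authentication failed or access denied",
    "Jan 9 10:42:00 ag250 cfservd[26381]: From (host=gate-ag251.americangreetings.com,user=root,ip=192.168.30.59)",
    "Jan 9 10:45:00 ag250 sshd[100]: unrelated line that must be ignored",
]
CLIENT_MAIL = [
    "ag251: BAD: key could not be accepted on trust",
    "ag251: Authentication dialogue with gate-ag250.americangreetings.com failed",
    "ag251: image exists but destination type is silly (file/dir/link doesn't match)",
]


def parse_server_failures(lines):
    """Return one dict per refusal: when it was logged and who was refused."""
    pending = {}   # pid -> timestamp/host prefix of the 'failed' line
    failures = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            pending[m.group("pid")] = line.split(" cfservd[")[0]
            continue
        m = FROM_RE.search(line)
        if m and m.group("pid") in pending:
            failures.append({
                "logged_at": pending.pop(m.group("pid")),
                "host": m.group("host"),
                "user": m.group("user"),
                "ip": m.group("ip"),
            })
    return failures


def parse_client_report(lines):
    """Return (client, reason) for every 'BAD:' verdict in a cfexecd mail."""
    return [(m.group("client"), m.group("reason"))
            for m in map(CLIENT_BAD_RE.match, lines) if m]


def summarize(server_lines, client_lines):
    """Join both views: refusals per host, plus clients that refused a key on trust."""
    failures = parse_server_failures(server_lines)
    per_host = Counter(f["host"] for f in failures)
    untrusted = {c for c, reason in parse_client_report(client_lines)
                 if "accepted on trust" in reason}
    return {
        "failures": failures,
        "per_host": dict(per_host),
        "untrusted_clients": sorted(untrusted),
    }


if __name__ == "__main__":
    result = summarize(SERVER_LOG, CLIENT_MAIL)
    for host, n in result["per_host"].items():
        print(f"{host}: {n} refused connection(s)")
    print("clients refusing server key on trust:", result["untrusted_clients"])
```

Seen together, a server-side "Host authorization/authentication failed" for a host and a client-side "key could not be accepted on trust" for the same host both describe key exchange: in cfengine 2 each side only accepts a peer key it has never seen when it has been configured to trust that peer on first contact, so when both lines appear the refusal happens before any grant: rule or file mode is consulted, which is why world-readable inputs and a matching grant: entry do not clear it.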