cf authentication


From: MW Mike Weiner (5028)
Subject: cf authentication
Date: Thu, 9 Jan 2003 10:51:32 -0500

I am pretty much a newbie to cfengine, but I have been reading the tutorial
and reference manual to get things set up on a simple basis before I blow it
up into production. Here is my setup,

Running RedHat Linux release 7.3
Kernel-2.4.18-10smp
Cfengine-2.0.4-1
Db3-3.3.11-6
Openssl-0.9.6b-28

I rebuilt the source so I could have a nice little RPM package to distribute
amongst ~450 servers which will be running this.

Here are my basic conf files I am using for this test between 2 boxes in our
farm:

/var/cfengine/inputs/cfagent.conf:
#######
#
# BEGIN cfagent.conf
#
# This script
#
######

control:

    domain = ( americangreetings.com )
    smtpserver = ( pop.americangreetings.com )
    sysadm = ( mweiner@americangreetings.com )
    netmask = ( 255.255.255.0 )
    timezone = ( EST )

    mountpattern = ( /vol/r0/ )

    # When should cfexecd in daemon mode wake up the agent?
    # schedule = ( Min00_05 Min30_05 )

    actionsequence =
        (
        tidy                # clean up
        checktimezone       # check time zone
        netconfig           # includes check netmask
        resolve             # includes domain
        mountinfo           # look for mounted disks under mountpattern
        )

#     tidy:

#     /tmp    pattern=* age=7 recurses=inf

    # processes:

    # "cfenvd" restart "/var/cfengine/bin/cfenvd"
    # "cfservd" restart "/var/cfengine/bin/cfservd"

#######
#
# END cfagent.conf
#
#######

/usr/sbin/cfengine/inputs/update.conf:
#######
#
# BEGIN update.conf
#
# This script distributes the configuration, a simple file so that,
# if there are syntax errors in the main config, we can still
# distribute a correct configuration to the machines afterwards, even
# though the main config won't parse. It is read and run just before the
# main configuration is parsed.
#
#######

control:

 actionsequence  = ( copy tidy )  # Keep this simple and constant

 domain          = ( americangreetings.com )  # Needed for remote copy

 #
 # Which host/dir is the master for configuration roll-outs?
 #

 policyhost      = ( gate-ag250.americangreetings.com )
 master_cfinput  = ( /masterfiles/inputs )

 #
 # Some convenient variables
 #

 workdir         = ( /var/cfengine )
 cf_install_dir  = ( /usr/sbin )

 # Avoid server contention

 SplayTime = ( 5 )

############################################################################

 #
 # Make sure there is a local copy of the configuration and
 # the most important binaries in case we have no connectivity
 # e.g. for mobile stations or during DOS attacks
 #

copy:

     $(master_cfinput)            dest=$(workdir)/inputs
                                  r=inf
                                  mode=700
                                  type=binary
                                  exclude=*.lst
                                  exclude=*~
                                  exclude=#*
                                  server=$(policyhost)

     $(cf_install_dir)/cfagent    dest=$(workdir)/bin/cfagent
                                  mode=755
                                  backup=false
                                  type=checksum

     $(cf_install_dir)/cfservd    dest=$(workdir)/bin/cfservd
                                  mode=755
                                  backup=false
                                  type=checksum

     $(cf_install_dir)/cfexecd    dest=$(workdir)/bin/cfexecd
                                  mode=755
                                  backup=false
                                  type=checksum

#####################################################################

tidy:

     #
     # Cfexecd stores output in this directory.
     # Make sure we don't build up files and choke on our own words!
     #

     $(workdir)/outputs pattern=* age=7

#######
#
# END update.conf
#
#######

/usr/sbin/cfengine/inputs/cfservd.conf:
#########################################################
#
# This is a cfservd config file - it is used for the server
# part of cfengine, for remote file transfers and control
# over cfengine using the cfrun program.
#
#########################################################

control:

  domain = ( americangreetings.com )

  cfrunCommand = ( "/var/cfengine/bin/cfagent" )

 any::

  IfElapsed = ( 1 )
  ExpireAfter = ( 15 )
  MaxConnections = ( 50 )
  MultipleConnections = ( true )

#########################################################

grant:

   # Grant access to all hosts at americangreetings.com.
   # Files should be world readable

   /disk2/masterfiles/cfengine/inputs   *.americangreetings.com

########
#
# END cfservd.conf
#
########

The cfservd starts up just fine, generates the key, and all is well on the
"master" or cf server. On the "victim" in this case, I was trying to run
'cfexecd -F' and just do some simple stuff, and received errors as in the
following:

On the cf server in /var/log/messages:
Jan  9 10:39:20 ag250 cfservd[26375]: Host authorization/authentication failed or access denied
Jan  9 10:39:20 ag250 cfservd[26375]: From (host=gate-ag251.americangreetings.com,user=root,ip=192.168.30.59)

In the email from the "victim" box:
ag251: BAD: key could not be accepted on trust
ag251: Authentication dialogue with gate-ag250.americangreetings.com failed
ag251: image exists but destination type is silly (file/dir/link doesn't match)
ag251: source=/usr/sbin/cfagent, dest=/var/cfengine/bin/cfagent
cfengine:ag251: Program does not define a broadcast mode for this host

I checked the perms and they seem OK, meaning the confs are world-readable,
and the machine is "allowed" in according to the cfservd.conf.

Does anyone see anything wrong with the very minimalistic and simplistic
setup I have?!? Can anyone give me some pointers on getting this to work in
this small test env?!? I was receiving tidy errors before I remarked out
that process, something to do with the syntax being wrong.

Many thanks in advance
Michael Weiner
Senior Systems Administrator/WebOps
AmericanGreetings.com
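Trust in cfengine 2 is configured on both ends of a copy, and the cfservd.conf above grants a path by hostname pattern but has no AllowConnectionsFrom or TrustKeysFrom line. As an added example, not part of the original post or of cfengine's own distribution, here is a server-side control/admit pair and the client-side copy item with the trust option; it assumes the cfengine 2.0.x control variable and copy option names, and takes the client range 192.168.30. from the IP in the log line above.

```cfengine
# Added example (not from the original post): cfengine 2 trust settings
# on both ends of the update.conf copy. A never-seen key is learned on
# first contact only where each side is told to trust the peer; after
# that the key cached under $(workdir)/ppkeys authenticates the host.
# The 192.168.30. range is assumed from the client IP in the log above.

# --- cfservd.conf on the policy host -------------------------------------
control:

  domain = ( americangreetings.com )
  cfrunCommand = ( "/var/cfengine/bin/cfagent" )

  # Addresses that may open a connection at all (deny by default).
  AllowConnectionsFrom = ( 192.168.30. )

  # Addresses whose not-yet-seen key may be accepted on trust.
  # Keep this short and remove it once every client's key is cached,
  # so a changed key from a known address is refused, not learned.
  TrustKeysFrom = ( 192.168.30. )

  # Remote users permitted to request files; cfagent runs as root.
  AllowUsers = ( root )

  IfElapsed = ( 1 )
  ExpireAfter = ( 15 )
  MaxConnections = ( 50 )
  MultipleConnections = ( true )

admit:

  # Same path the clients name in master_cfinput, granted to an IP
  # prefix rather than a reverse-DNS name, so a forged PTR record
  # cannot widen who is served.
  /masterfiles/inputs   192.168.30.

# --- update.conf on each client -------------------------------------------
copy:

  # trustkey=true lets the agent accept the server's key on first
  # contact during enrollment; set it back to false afterwards so a
  # host answering as $(policyhost) with a different key is rejected.
  $(master_cfinput)   dest=$(workdir)/inputs
                      r=inf
                      mode=700
                      type=binary
                      server=$(policyhost)
                      trustkey=true
```

Once both sides have cached each other's key, the trust lines can go and the copy relies on the stored keys alone.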
