help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Help with file copies


From: Ferguson, Steve
Subject: RE: Help with file copies
Date: Tue, 8 Jul 2003 12:20:15 -0400

Okay, apparently I'm completely lost.  The reason some of the runs seem to
authenticate seems to be that the lock file is still around on the client,
so it's just not trying again (though cfagent reports successful
authentication).  If I run cfagent, blow away the lock file, then run
cfagent again I get the "Host authentication" message every time.  So I
figured I'd ignore file copies and just look at cfrun from the server.  That
doesn't work either.  Same problem.

I realize that cfengine uses that as a generic message for all cases as a
security mechanism.  I've read the page describing "access denied"
conditions:

http://www.cfengine.org/confdir/accessdenied.html

I've followed all 4 steps.  When I run cfservd and cfagent with -d2, I don't
get anything that even begins to indicate what might be wrong.  In fact, I
get misleading messages like:

cfservd: Strongly authentication of client
clienthost.my.domain.com/::ffff:xx.yy.zz.123
Havekey(root-xx.yy.zz.123)
Loaded /var/cfengine/ppkeys/root-xx.yy.zz.123.pub
A public key was already known from
clienthost.my.domain.com/::ffff:xx.yy.zz.123 -
no trust required
Adding IP ::ffff:xx.yy.zz.123 to SkipVerify - no need to check this if we
have
 a key
Prepending xx.yy.zz.123
The public key identity was confirmed as address@hidden


These messages all seem to indicate to me that authentication is successful.
I also note messages like this coming from cfservd:

Received: [SYNCH 1057676960 STAT /var/cfengine/master/inputs/cfagent.conf]
on socket 6
AccessControl(/var/cfengine/master/inputs/cfagent.conf)
AccessControl(/var/cfengine/master/inputs/cfagent.conf,clienthost.my.domain.
com) encrypt request=1
cfservd access list is empty, no files are visible
cfservd: Host authorization/authentication failed or access denied

Yet, I have /var/cfengine/master/inputs listed with access granted in
cfservd.conf.

control:

  configs = ( /var/cfengine/master/inputs )

admit:

  $(configs) = *.abh.vw.com

cfservd logs this to syslog, only on the "authentication failed" instances
of cfagent execution:

Jul  8 10:58:52 bigbox cfservd[7723]: [ID 702911 daemon.notice] Host
authorization/authentication failed or access denied
Jul  8 10:58:52 bigbox cfservd[7723]: [ID 702911 daemon.notice] From
(host=clienthost.my.domain.com,user=root,ip=::ffff:xx.yy.zz.123)
Jul  8 10:58:52 bigbox cfservd[7723]: [ID 823470 daemon.error]  ID from
connecting host: (SYNCH 1057676332 STAT
/var/cfengine/master/inputs/cfagent.conf)

I'm totally at a loss.  Can someone PLEASE point me down a path that'll help
me get this resolved?  If I can't fix this, the open source naysayers are
going to have their way and this cfengine project will get shot down, which
I'd rather avoid.

I've been poring over the source code and I haven't been able to trace back
what condition is causing my problems.

Thanks,
Steve


-----Original Message-----
From: Ferguson, Steve 
Sent: Tuesday, July 08, 2003 11:36 AM
To: Ferguson, Steve; 'address@hidden'
Subject: RE: Help with file copies


A diagnostic point:

When I'm running cfagent, it seems to alternately work and fail.  On the
failure runs, I see the message:

cfengine:: Server returned error:  Host authentication failed. Did you
forget the domain name?

Yet, I have domain defined in both cfagent.conf and cfservd.conf, and I'm
using a FQDN as the policy host (which resides within the domain).  All DNS
lookups work correctly each time, and return the same address each time (no
round-robin records).

Steve

-----Original Message-----
From: Ferguson, Steve [mailto:address@hidden
Sent: Tuesday, July 08, 2003 9:12 AM
To: 'address@hidden'
Subject: Help with file copies


I'm trying to use the update.conf file on a node to force it to pull any
remaining conf files from a policy host.  I'm running cfengine-2.0.7p3.  My
primary problem is that no copy is actually happening.  I've boiled it down
to the simplest case I can.  I had no problem following the instructions to
manage the key exchange (and trust seems to be working) and have removed the
trustkey configuration options from the examples below.

The client system has this update.conf:

control:

  actionsequence = ( copy )
  domain = ( my.domain.com )
  policyhost = ( bigbox.my.domain.com )
  master_cfinput = ( /var/cfengine/master/inputs )
  workdir = ( /var/cfengine )

copy:

  $(master_cfinput)/cfagent.conf    dest=$(workdir)/inputs/cfagent.conf
                        server=$(policyhost)

I've also tried adding action=fix and force=true, to no avail.

The policy host (bigbox.my.domain.com, for our purposes here) has this
cfservd.conf:

control:

  domain = ( my.domain.com )
  configs = ( /var/cfengine/master/inputs )
  AllowConnectionsFrom = ( xx.yy.zz )
  AllowMultipleConnectionsFrom = ( xx.yy.zz )
  AllowUsers = ( root )

xx.yy.zz is my actual IP range, removed for security reasons.

Running 'cfagent -v' on the client system produces the following output
(only the relevant parts are included; if you need more information, please
ask):

cfengine:: getservbynameChecking copy from
bigbox.my.domain.com:/var/cfengine/mas
ter/inputs/cfagent.conf to /var/cfengine/inputs/cfagent.conf
Connect to bigbox.my.domain.com = xx.yy.zz.228 on port cfengine
Loaded /var/cfengine/ppkeys/root-xx.yy.zz.228.pub
cfengine:: Strong authentication of server=bigbox.my.domain.com connection
confir
med
cfengine:: Nothing scheduled for
copy._var_cfengine_master_inputs_cfagent_conf__
var_cfengine_inputs_cfagent_conf (0/1 minutes elapsed)

I don't understand why nothing is scheduled.  There is no
/var/cfengine/inputs/cfagent.conf file on my client.  Why isn't it copying
/var/cfengine/master/inputs/cfagent.conf from the server?  I've tried
numerous permutations with the various force* options and action, in
addition to attempting recursive copies of all of
/var/cfengine/master/inputs to /var/cfengine/inputs.  In no case am I able
to get a single file to copy.

I've tried running both cfservd and cfagent with -d1, -d2, and -d3 flags.
None of them appears to produce any new information.

Any help would be most appreciated.  If I can get through this, I'll be
deploying to well over 100 servers and cfengine will become a key piece of
the infrastructure here.

Steve

--
Steve Ferguson
gedas USA, Inc.
address@hidden
http://www.gedasusa.com


_______________________________________________
Help-cfengine mailing list
address@hidden
http://mail.gnu.org/mailman/listinfo/help-cfengine




reply via email to

[Prev in Thread] Current Thread [Next in Thread]