help-cfengine

Re: cfservd configuration question


From: Mark . Burgess
Subject: Re: cfservd configuration question
Date: Mon, 22 Dec 2003 23:48:27 +0100 (MET)

FreeBSD handles IPv6 differently to all other OSes, but it should work,
even in spite of the illogical way it is implemented. I believe
some FreeBSD users have verified this. It certainly works OK on Linux
and Solaris.

I do not understand the reference to /usr in these messages. Perhaps
there is an issue with symbolic links here. You need to grant access
to the true path, not via a symlink.

M

On 22 Dec, Stan Norton wrote:
> I've been attempting to get cfengine 2.1.0p1 running on FreeBSD 5.1-RELEASE.
> IPv6 was not working, so I rebuilt kernels on two machines, to test in IPv4
> mode.
> 
> cfagent works fine. I am experiencing problems attempting to connect via
> cfrun from another host (on which cfagent works) to cfservd.
> 
> 
> I'm concerned about two lines from -d2 output:
> 
> AccessControl(/var/cfengine/bin/cfagent)
> AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
> 
> /var is symlinked from /usr/var. Is the symlink creating a problem with
> cfengine?
> 
> This is the entry in cfservd.conf:
> 
> cfrunCommand = ( "/var/cfengine/bin/cfagent" )
> 
> grant:
> 
> /var/cfengine/bin/cfagent       rtty2.domain.com
> 
> I have also tried these as:
> 
> 
> cfrunCommand = ( "/usr/var/cfengine/bin/cfagent" ) with an appropriate grant
> change. No effect.
> 
> Thanks for any help. I'm looking forward to getting this going.
> 
> 
> --------------------------------------------------------------------------------------------------
> 
> 
> Edited -d2 output: 
> 
> ...
> ACCESS GRANTED ----------------------:
> 
> Path: /var/cfengine/bin/cfagent (encrypt=0)
>    Admit: rtty2.domain.com root=
> Path: /var/cfengine/inputs (encrypt=0)
>    Admit: rtty2.domain.com root=
> ACCESS DENIAL ------------------------ :
> 
> Host IPs allowed connection access :
> 
> IP: 192.168.1.215
> Host IPs denied connection access :
> 
> Host IPs allowed multiple connection access :
> 
> Host IPs from whom we shall accept public keys on trust :
> 
> IP: 192.168.1.215
> 
> ...
> 
> Connecting host identifies itself as 192.168.1.215 rtty2.domain.com
> root 0
> (ipstring=[192.168.1.215],fqname=[rtty2.domain.com],username=[root],socket=[192.168.1.215])
> cfservd: Allowing 192.168.1.215 to connect without (re)checking ID
> Non-verified Host ID is rtty2.domain.com (Using skipverify)
> Non-verified User ID seems to be root (Using skipverify)
> 
> ...
> 
> Havekey(root-192.168.1.215)
> Loaded /var/cfengine/ppkeys/root-192.168.1.215.pub
> 
> ...
> 
> A public key was already known from rtty2.domain.com/192.168.1.215 -
> no trust required
> Adding IP 192.168.1.215 to SkipVerify - no need to check this if we have a key
> Prepending 192.168.1.215
> The public key identity was confirmed as root@rtty2.domain.com
> 
> ...
> 
> cfservd: Strongly authentication of client
> rtty2.domain.com/192.168.1.215
> 
> ...
> 
> 
> 
> User root granted connection privileges
>>>>AccessControl(/var/cfengine/bin/cfagent)
>>>>AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
> encrypt request=0
> cfservd: Host rtty2.domain.com denied access to
> /usr/var/cfengine/bin/cfagent
> cfservd: Host authorization/authentication failed or access denied
> 
> 
> 
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
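
Added example, not part of the original message and not cfengine's own code: a small Python model of the behaviour the -d2 trace suggests, where the requested path is resolved to its true path before being matched against the grant list. The function names and the temporary directory layout (a `var` symlink pointing at `usr/var`) are constructed for illustration, and the literal-match rule is an assumption drawn from the trace, not from the cfservd source.

```python
import os
import tempfile


def audit_grants(grant_paths):
    """Return {granted_path: true_path} for grants that pass through a symlink."""
    mismatched = {}
    for path in grant_paths:
        true_path = os.path.realpath(path)
        if true_path != os.path.normpath(path):
            mismatched[path] = true_path
    return mismatched


def is_admitted(requested, host, grants):
    """Assumed model of the check: resolve the request, then match it
    literally against the granted paths (no resolution of the grant side)."""
    true_path = os.path.realpath(requested)
    return host in grants.get(true_path, ())


def build_demo_tree():
    """Constructed layout mirroring the thread: <root>/var -> <root>/usr/var."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "usr/var/cfengine/bin"))
    os.symlink(os.path.join(root, "usr/var"), os.path.join(root, "var"))
    open(os.path.join(root, "usr/var/cfengine/bin/cfagent"), "w").close()
    return root


def demo():
    root = build_demo_tree()
    via_link = os.path.join(root, "var/cfengine/bin/cfagent")
    true_path = os.path.join(root, "usr/var/cfengine/bin/cfagent")
    host = "rtty2.domain.com"  # hostname taken from the quoted trace
    return {
        "via_link": via_link,
        "expected_true_path": true_path,
        "audit": audit_grants([via_link]),
        # Grant written with the symlinked path: the resolved request misses it.
        "grant_via_symlink": is_admitted(via_link, host, {via_link: [host]}),
        # Grant written with the true path: the resolved request matches.
        "grant_true_path": is_admitted(via_link, host, {true_path: [host]}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `audit_grants` over the paths listed in a grant section shows which entries need rewriting to their true path before the server will match them.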




