master server confusion

[jptxs]

As the help says many times, cfengine makes you think in a different
way.  I don't think I have the hang of it yet.  I've been reading
http://www.cfengine.org/docs/cfengine-Tutorial.html and even went to
the bookstore to read a bit of the book Automating Unix and Linux
Administration (isbn:1590592123) seeking answers.

I have things up and working (to a point).  What I just don't get is
what I need to put on the non-master hosts.  In my update.conf I have:

    policyhost      = ( bach.house.sander )
    master_cfinput  = ( /etc/cfengine/masters )

And bit further down:

copy:
 
    $(master_cfinput)   dest=$(workdir)/inputs
                        r=inf
                        mode=700
                        type=binary
                        exclude=*.lst
                        exclude=*~
                        exclude=#*
                        server=$(policyhost)
                        trustkey=true

I thought (but have come to doubt) this would grab the config files
from the policyhost and copy them to the local host.  That has not
happened.  And I keep getting errors when running cfagent -v on the
local host that look like:

cfengine:: Server returned error:  Host authentication failed. Did you
forget the domain name or IP/DNS address regist
ration (for ipv4 or ipv6)?
cfengine:: Can't stat /etc/cfengine/masters in copy

I do not get these errors when I run cfagent -v on the policyhost,
which has an identical update.conf file and an identical file
structure (relative to what's referenced in cfengine's configuration,
anyway).

I think that I'm just wrong about what I think this should do.

So my questions are:

1. Am I wrong to think that the copy should be grabbing the file from
the policyhost with the above setup?

2. If I am wrong, how can that be done?  

I know this can be done from my reading.  I just cannot figure out
how.