help-cfengine

Re: master server confusion


From: Nate Campi
Subject: Re: master server confusion
Date: Sat, 24 Jan 2004 21:42:47 -0800
User-agent: Mutt/1.3.28i

On Sat, Jan 24, 2004 at 04:30:47PM -0800, W. Ryan Merrick wrote:
> >
> >cfengine:: Server returned error:  Host authentication failed. Did you
> >forget the domain name or IP/DNS address registration (for ipv4 or ipv6)?
> >cfengine:: Can't stat /etc/cfengine/masters in copy
> 
> I had this problem. Verify that your cfservd has a section like:
> 
> admit:   # or grant:
>         /var/cfengine/bin/cfagent       *.heronetwork.com
>         /var/cfengine/inputs            *.heronetwork.com
>         /var/cfengine                    *.heronetwork.com
> 
> The wildcard.domain.TLD should be the same as your defined domain and your 
> server names.

You'll also want to get the key exchange working. Add "trustkey=true" to
the update.conf copy statement:

copy:

        $(master_cfinput)               dest=$(workdir)/inputs
                                        r=inf
                                        mode=700
                                        type=binary
                                        exclude=*.lst
                                        exclude=*~
                                        exclude=#*
                                        exclude=RCS
                                        exclude=*,v
                                        purge=true
                                        server=$(policyhost)
                                        trustkey=true

...and a "TrustKeysFrom" statement in your cfservd.conf control section:


 TrustKeysFrom = ( 192.168.1.0/24 192.168.2.0/24 )
 
It's generally best (and recommended by the cfengine author) to trust
for the initial exchange and then let cfengine make sure the keys match
from that point on. This setup does that.
-- 
Nate

"religious fanatics are not part of my desired user base."
- djb@cr.yp.to
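
Added example (not part of the original message and not cfengine's own code): a simplified Python model of the trust-on-first-use behaviour described above, where a key from an unknown peer is accepted only if the peer lies in the TrustKeysFrom ranges and every later connection must present the same key. The class, function and outcome names are hypothetical, pinning by peer address is an assumption of this model, and the keys are constructed sample bytes.

```python
import hashlib
import ipaddress

# Ranges copied from the TrustKeysFrom line in the message above.
TRUST_KEYS_FROM = [ipaddress.ip_network(n)
                   for n in ("192.168.1.0/24", "192.168.2.0/24")]


class PinnedKeyStore:
    """Simplified model of trust-on-first-use key pinning (hypothetical)."""

    def __init__(self, trust_networks):
        self.trust_networks = list(trust_networks)
        self.pins = {}  # peer address -> SHA-256 digest of first accepted key

    def _may_trust_new_key(self, peer_ip):
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in net for net in self.trust_networks)

    def check(self, peer_ip, public_key):
        digest = hashlib.sha256(public_key).hexdigest()
        pinned = self.pins.get(peer_ip)
        if pinned is None:
            # First contact: accept on trust only from the configured networks.
            if not self._may_trust_new_key(peer_ip):
                return "rejected-unknown-key"
            self.pins[peer_ip] = digest
            return "accepted-first-use"
        # Later contacts: the offered key must equal the pinned one, even
        # when the peer sits inside a trusted network.
        return "match" if digest == pinned else "mismatch"


def demo():
    store = PinnedKeyStore(TRUST_KEYS_FROM)
    key_a = b"constructed-public-key-A"  # constructed sample key material
    key_b = b"constructed-public-key-B"  # constructed sample key material
    return [
        store.check("192.168.1.10", key_a),  # first exchange, trusted range
        store.check("192.168.1.10", key_a),  # same key on a later run
        store.check("192.168.1.10", key_b),  # key changed after pinning
        store.check("10.0.0.5", key_a),      # unknown peer outside the ranges
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A "mismatch" result is the case worth alerting on: the peer's key changed after the initial exchange, so the connection should be refused until the change is verified out of band.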




