list access (was Re: [No match of class]?)


From: Lev Lvovsky
Subject: list access (was Re: [No match of class]?)
Date: Wed, 25 Feb 2004 16:00:55 -0800


Trying to go the route of a list, I'm using the following test config for cfservd:

-------
control:

  domain = ( domain.com )
  LogAllConnections = ( true )
  AllowUsers = ( root )
  TrustKeysFrom = ( 192.168.1.0/24 )

  smart_list = ( tsthvy1-smarthost.domain.com )
  db_list = ( tsthvy1-db1.domain.com:tsthvy1-db2.domain.com )

admit:

  ops_distro::
    /tmp/test $(smart_list)
    /tmp/test $(db_list)
-------

This setup works for the smarthost; however, for the db_list I get the following error from cfservd:

-------
AccessControl(/tmp/test)
AccessControl(/tmp/test,tsthvy1-db1.domain.com) encrypt request=1
Found a matching rule in access list (/tmp/test,/tmp/test)
Checking whether to map root privileges..

FuzzyItemIn(LIST,192.168.1.101)
No root privileges granted
WildMatch(tsthvy1-db1.domain.com:tsthvy1-db2.domain.com,tsthvy1-db1.domain.com)
WildMatch(tsthvy1-smarthost.domain.com,tsthvy1-db1.domain.com)
WildMatch(tsthvy1-db1.domain.com:tsthvy1-db2.domain.com,192.168.1.101)
WildMatch(tsthvy1-smarthost.domain.com,192.168.1.101)

FuzzyItemIn(LIST,192.168.1.101)
Try FuzzySetMatch(tsthvy1-db1.domain.com:tsthvy1-db2.domain.com,192.168.1.101)
cfservd: Mixture of IPv6 and IPv4 addresses: tsthvy1-db1.domain.com:tsthvy1-db2.domain.com
Try FuzzySetMatch(tsthvy1-smarthost.domain.com,192.168.1.101)
Couldn't read range
cfservd: Host tsthvy1-db1.domain.com denied access to /tmp/test
cfservd: Host authorization/authentication failed or access denied
-------

This seems to happen only when I add more than one list element to the "db_list" variable. If I just use tsthvy-db1.domain.com, the file transfer is fine.

I figure this might be caused by the fqdn hostname usage, but removing all but the hostname returns errors:

-------

FuzzyItemIn(LIST,192.168.1.104)
Try FuzzySetMatch(tsthvy1-db1.domain.com:tsthvy1-db2.domain.com,192.168.1.104)
cfservd: Mixture of IPv6 and IPv4 addresses: tsthvy1-db1.domain.com:tsthvy1-db2.domain.com
Try FuzzySetMatch(tsthvy1-smarthost,192.168.1.104)
cfservd: Not a valid address range - or not a fully qualified name: tsthvy1-smarthost
cfservd: Host tsthvy1-smarthost.domain.com denied access to /tmp/test
-------

Any advice appreciated!
-lev




On Feb 25, 2004, at 2:52 PM, Luke A. Kanies wrote:

On Wed, 25 Feb 2004, Lev Lvovsky wrote:

groups:

   smarthost = ( tsthvy1-smarthost )

admit:

   smarthost::
    /file   *.domain.com

My guess is that this is the reverse of what you want.  I think you are
trying to set up a single server to allow access to many machines (a
group).

Groups do not work that way in the cfservd.conf file (I'm pretty sure
about this, anyway).  In the above case, if the cfserver's name is
tsthvy1-smarthost, it will admit access to that file tree; otherwise it
will not.  I'm assuming that's the client's name, though, right?

If you are trying to collect a group of clients and allow them all access at once, you need something else. I haven't used this, but Mark mentioned
in his previous email that you can make a list:

control:
        list = ( host1:host2:host3 )
admit:
        /file ${list}

I'm not real fond of that, and I haven't tried it, but if it works, then
great.

I usually use a '*.domain.com' mechanism, even though it also seems
marginally unclean.  I agree that it would be nice if cfservd could
somehow know which classes matched the incoming client, but that's not
really possible -- it would have no way of knowing, for instance, whether
a client was an aix server or a sunos server.

So, you have to essentially redo all of your classifications in both
cfservd.conf and cfagent.conf.

Luke

--
Is life worth living?  That is a question for an embryo, not a man.
                --Samuel Butler
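As an added example, not code from the thread and not cfengine's own implementation, the following Python models the access check that the cfservd log above shows. It assumes a simplified rule evaluator (expand the variable, then try each token as a hostname glob or as an address range) and evaluates the `db_list` value both as one token, which is what the log shows cfservd doing, and split on ':', so the failure mode is visible side by side. Whether cfservd of that era split list variables inside admit rules is not settled by the thread; the split mode here is a modelling assumption.

```python
"""Simplified model of a cfservd-style admit check (constructed example).

Replays the request from the thread: client tsthvy1-db1.domain.com at
192.168.1.101 asking for /tmp/test. Nothing here is cfservd's code.
"""
import fnmatch
import ipaddress
import re

# Constructed: the control variables and admit rules from the thread.
CONTROL = {
    "smart_list": "tsthvy1-smarthost.domain.com",
    "db_list": "tsthvy1-db1.domain.com:tsthvy1-db2.domain.com",
}
ADMIT = {
    "/tmp/test": ["$(smart_list)", "$(db_list)"],
}

_VAR = re.compile(r"\$[({](\w+)[)}]")


def expand(token, variables):
    """Substitute $(name) / ${name} references with the raw variable value."""
    return _VAR.sub(lambda m: variables.get(m.group(1), ""), token)


def classify(pattern):
    """Decide how one admit token is matched.

    Mirrors the two attempts visible in the log: a WildMatch against the
    client's name, then a FuzzySetMatch against the client's address.
    """
    try:
        return "range", ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass
    if ":" in pattern:
        # A colon-joined list is neither a host glob nor a valid range.
        # This is the token the log reports as a mixed IPv6/IPv4 string.
        return "invalid", pattern
    return "glob", pattern


def matches(pattern, client_fqdn, client_ip):
    """True if a single token admits this client."""
    kind, value = classify(pattern)
    if kind == "range":
        return ipaddress.ip_address(client_ip) in value
    if kind == "glob":
        return fnmatch.fnmatchcase(client_fqdn, value)
    return False  # invalid tokens never admit anyone (fail closed)


def authorize(path, client_fqdn, client_ip, split_lists,
              admit=ADMIT, control=CONTROL):
    """Return (granted, trace) for one access request.

    split_lists=False evaluates each expanded variable as one token, as the
    log on the page shows; split_lists=True breaks the value on ':' first,
    which is the assumed behaviour under which both db hosts can match.
    The trace lists (token, classification, matched) in evaluation order.
    """
    trace = []
    for token in admit.get(path, []):
        value = expand(token, control)
        candidates = value.split(":") if split_lists else [value]
        for cand in candidates:
            ok = matches(cand, client_fqdn, client_ip)
            trace.append((cand, classify(cand)[0], ok))
            if ok:
                return True, trace
    return False, trace


if __name__ == "__main__":
    for split in (False, True):
        granted, trace = authorize("/tmp/test", "tsthvy1-db1.domain.com",
                                   "192.168.1.101", split)
        print(f"split_lists={split}: granted={granted}")
        for cand, kind, ok in trace:
            print(f"  {kind:8s} {cand!r:60s} -> {ok}")
```

The unsplit run reproduces the denial from the log: the smarthost token is a plain glob that does not match the db host, and the colon-joined token is classified as an invalid range rather than a list, so nothing matches and the request is refused. From a defender's point of view that is the right outcome for a malformed rule, since a token that cannot be parsed admits no host at all; the model also makes clear that adding a second list element silently turned a working rule into one that admits nobody, which is the kind of change worth catching with a test like the one above before it reaches a production cfservd.conf.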