help-cfengine

Strange problem with two machines (root is not allowed on this host)


From: Ralph Angenendt
Subject: Strange problem with two machines (root is not allowed on this host)
Date: Thu, 3 Mar 2005 15:45:10 +0100
User-agent: Mutt/1.5.8i

Hello,

I'm running into a strange problem with two of our machines. cfrun from
the "server" returns the error

Host authentication failed. Did you forget the domain name or IP/DNS
address registration (for ipv4 or ipv6)?

Now on the client side (cfservd -d 2):

| Checking file updates on /local/var/cfengine/inputs/cfservd.conf (42272089/422720ed)
| IPV4 address
| sockaddr_ntop(10.65.33.184)
| Obtained IP address of 10.65.33.184 on socket 5 from accept
| 
| FuzzyItemIn(LIST,10.65.33.184)
| Purging Old Connections...
| Done purging
| 
| FuzzyItemIn(LIST,10.65.33.184)
| Prepending [10.65.33.184]
| *** New socket [5]
| New connection...(from 10.65.33.184/5)
| Spawning new thread...
| RecvSocketStream(8)
|     (Concatenated 8 from stream)
| Transaction Receive [t 37][]
| RecvSocketStream(37)
|     (Concatenated 37 from stream)
| Received: [CAUTH 10.65.33.184 forge.br.de root 0] on socket 5
| Connecting host identifies itself as 10.65.33.184 forge.br.de root 0
| (ipstring=[10.65.33.184],fqname=[forge.br.de],username=[root],socket=[10.65.33.184])
| cfservd: Allowing 10.65.33.184 to connect without (re)checking ID
| Non-verified Host ID is forge.br.de (Using skipverify)
| Non-verified User ID seems to be root (Using skipverify)
| IPV4 address
| sockaddr_ntop(10.65.33.184)
| Found address (10.65.33.184) for host forge.br.de
| Updating last-seen time for forge.br.de
| RecvSocketStream(8)
|     (Concatenated 8 from stream)
| Transaction Receive [t 280][]
| RecvSocketStream(280)
|     (Concatenated 280 from stream)
| Received: [SAUTH y 256 37] on socket 5
| [...]
| Exponent: 35 (0x23)
| OptionIs(server,HostnameKeys,1)
| GetMacroValue(server,HostnameKeys)
| Havekey(root-10.65.33.184)
| Loaded /local/var/cfengine/ppkeys/root-10.65.33.184.pub
| A public key was already known from forge.br.de/10.65.33.184 - no trust requiredAdding IP 10.65.33.184 to SkipVerify - no need to check this if we have a key
| Prepending [10.65.33.184]
| The public key identity was confirmed as root@forge.br.de
| Transaction Send[t 16][Packed text]
| Attempting to send 24 bytes
| SendSocketStream, sent 24
| Transaction Send[t 16][Packed text]
| Attempting to send 24 bytes
| SendSocketStream, sent 24
| ChecksumString(m)
| Transaction Send[t 256][Packed text]
| Attempting to send 264 bytes
| SendSocketStream, sent 264
| RecvSocketStream(8)
|     (Concatenated 8 from stream)
| Transaction Receive [t 16][]
| RecvSocketStream(16)
|     (Concatenated 16 from stream)
| cfservd: Strong authentication of client forge.br.de/10.65.33.184 achieved
| RecvSocketStream(8)
|     (Concatenated 8 from stream)
| Transaction Receive [t 16][]
| RecvSocketStream(16)
|     (Concatenated 16 from stream)
| Got a session key...
| RecvSocketStream(8)
|     (Concatenated 8 from stream)
| Transaction Receive [t 6][]
| RecvSocketStream(6)
|     (Concatenated 6 from stream)
| Received: [EXEC  ] on socket 5
| User root is not allowed on this server
| cfservd: Host authorization/authentication failed or access denied

Okay, so root is not allowed on this server. But (cfservd.conf):

| groups:
|   config_host = ( forge )
| control:
|   INTERNAL_HOSTS::
|     domain = ( br.de )
|   ipv4_195::
|     domain = ( br-online.de )
|   cfrunCommand = ( "/usr/sbin/cfagent" )
|   IfElapsed = ( 1 )
|   ExpireAfter = ( 15 )
|   MaxConnections = ( 50 )
|   MultipleConnections = ( true )
|   AllowUsers = ( root )
|   AllowConnectionsFrom = ( 10.65 195.37.215 )
|   AllowMultipleConnectionsFrom = ( 10.65 195.37.215 )
| admit:
|   config_host::
|     /local/var/cfengine/inputs 10.65 195.37.215
|     /local/var/cfengine/files 10.65 195.37.215
|   !config_host::
|     /usr/sbin/cfagent 10.65.33.184 195.37.215.234

And this cfservd.conf works on all other clients in 10.65.49/24, except 
two machines. INTERNAL_HOSTS is declared and contains this subnet.

cfagent started on the client works fine, though.

???

Regards,

Ralph
-- 
Ralph Angenendt......ra@br-online.de | .."Text processing has made it possible
Bayerischer Rundfunk...HA-Multimedia | ....to right-justify any idea, even one
Rundfunkplatz 1........80300 München | .which cannot be justified on any other
Tl:089.5900.16023..Fx:089.5900.16240 | ..........grounds." -- J. Finnegan, USC
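
The following is an added example, not part of the original message and not cfengine code: a Python triage of the `cfservd -d 2` lines quoted above that reports whether a session was refused before or after strong authentication. The log excerpt is abridged from the post; the function name `triage` and the result keys are hypothetical.

```python
import re

# Abridged from the `cfservd -d 2` output quoted in the message above.
SAMPLE_LOG = """\
| Received: [CAUTH 10.65.33.184 forge.br.de root 0] on socket 5
| Non-verified Host ID is forge.br.de (Using skipverify)
| Received: [SAUTH y 256 37] on socket 5
| Loaded /local/var/cfengine/ppkeys/root-10.65.33.184.pub
| The public key identity was confirmed as root@forge.br.de
| cfservd: Strong authentication of client forge.br.de/10.65.33.184 achieved
| Got a session key...
| Received: [EXEC  ] on socket 5
| User root is not allowed on this server
| cfservd: Host authorization/authentication failed or access denied
"""

CAUTH = re.compile(r"Received: \[CAUTH (\S+) (\S+) (\S+) \d+\]")
REQUEST = re.compile(r"Received: \[([A-Z]+)\b")
STRONG_AUTH = re.compile(r"Strong authentication of client \S+ achieved")
USER_DENIED = re.compile(r"User (\S+) is not allowed on this server")


def triage(log_text):
    """Report how far one cfservd session got and at which stage it was refused."""
    state = {"claimed": None, "skipverify": False, "authenticated": False,
             "last_request": None, "denied_user": None, "failed_stage": None}
    for line in log_text.splitlines():
        if m := CAUTH.search(line):
            ip, fqname, user = m.groups()
            state["claimed"] = {"ip": ip, "host": fqname, "user": user}
        if m := REQUEST.search(line):
            state["last_request"] = m.group(1)
        if "Using skipverify" in line:
            state["skipverify"] = True
        if STRONG_AUTH.search(line):
            state["authenticated"] = True
        if m := USER_DENIED.search(line):
            state["denied_user"] = m.group(1)
        if "access denied" in line:
            # Same final message in both cases; what preceded it tells them apart.
            state["failed_stage"] = ("authorization" if state["authenticated"]
                                     else "authentication")
    return state


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>14}: {value}")
```

On the quoted session this reports `failed_stage` as `authorization` with `last_request` `EXEC`: the key exchange completed and the refusal was logged only when the `EXEC` request arrived.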
