Strange problem with two machines (root is not allowed on this host)
From: Ralph Angenendt
Subject: Strange problem with two machines (root is not allowed on this host)
Date: Thu, 3 Mar 2005 15:45:10 +0100
User-agent: Mutt/1.5.8i
Hello,
I'm running into a strange problem with two of our machines. cfrun from
the "server" returns the error
Host authentication failed. Did you forget the domain name or IP/DNS
address registration (for ipv4 or ipv6)?
Now on the client side (cfservd -d 2):
| Checking file updates on /local/var/cfengine/inputs/cfservd.conf
(42272089/422720ed)
| IPV4 address
| sockaddr_ntop(10.65.33.184)
| Obtained IP address of 10.65.33.184 on socket 5 from accept
|
| FuzzyItemIn(LIST,10.65.33.184)
| Purging Old Connections...
| Done purging
|
| FuzzyItemIn(LIST,10.65.33.184)
| Prepending [10.65.33.184]
| *** New socket [5]
| New connection...(from 10.65.33.184/5)
| Spawning new thread...
| RecvSocketStream(8)
| (Concatenated 8 from stream)
| Transaction Receive [t 37][]
| RecvSocketStream(37)
| (Concatenated 37 from stream)
| Received: [CAUTH 10.65.33.184 forge.br.de root 0] on socket 5
| Connecting host identifies itself as 10.65.33.184 forge.br.de root 0
|
(ipstring=[10.65.33.184],fqname=[forge.br.de],username=[root],socket=[10.65.33.184])
| cfservd: Allowing 10.65.33.184 to connect without (re)checking ID
| Non-verified Host ID is forge.br.de (Using skipverify)
| Non-verified User ID seems to be root (Using skipverify)
| IPV4 address
| sockaddr_ntop(10.65.33.184)
| Found address (10.65.33.184) for host forge.br.de
| Updating last-seen time for forge.br.de
| RecvSocketStream(8)
| (Concatenated 8 from stream)
| Transaction Receive [t 280][]
| RecvSocketStream(280)
| (Concatenated 280 from stream)
| Received: [SAUTH y 256 37] on socket 5
| [...]
| Exponent: 35 (0x23)
| OptionIs(server,HostnameKeys,1)
| GetMacroValue(server,HostnameKeys)
| Havekey(root-10.65.33.184)
| Loaded /local/var/cfengine/ppkeys/root-10.65.33.184.pub
| A public key was already known from forge.br.de/10.65.33.184 - no trust
requiredAdding IP 10.65.33.184 to SkipVerify - no need to check this if we have
a key
| Prepending [10.65.33.184]
| The public key identity was confirmed as root@forge.br.de
| Transaction Send[t 16][Packed text]
| Attempting to send 24 bytes
| SendSocketStream, sent 24
| Transaction Send[t 16][Packed text]
| Attempting to send 24 bytes
| SendSocketStream, sent 24
| ChecksumString(m)
| Transaction Send[t 256][Packed text]
| Attempting to send 264 bytes
| SendSocketStream, sent 264
| RecvSocketStream(8)
| (Concatenated 8 from stream)
| Transaction Receive [t 16][]
| RecvSocketStream(16)
| (Concatenated 16 from stream)
| cfservd: Strong authentication of client forge.br.de/10.65.33.184 achieved
| RecvSocketStream(8)
| (Concatenated 8 from stream)
| Transaction Receive [t 16][]
| RecvSocketStream(16)
| (Concatenated 16 from stream)
| Got a session key...
| RecvSocketStream(8)
| (Concatenated 8 from stream)
| Transaction Receive [t 6][]
| RecvSocketStream(6)
| (Concatenated 6 from stream)
| Received: [EXEC ] on socket 5
| User root is not allowed on this server
| cfservd: Host authorization/authentication failed or access denied
Okay, so root is not allowed on this server. But (cfservd.conf):
| groups:
| config_host = ( forge )
| control:
| INTERNAL_HOSTS::
| domain = ( br.de )
| ipv4_195::
| domain = ( br-online.de )
| cfrunCommand = ( "/usr/sbin/cfagent" )
| IfElapsed = ( 1 )
| ExpireAfter = ( 15 )
| MaxConnections = ( 50 )
| MultipleConnections = ( true )
| AllowUsers = ( root )
| AllowConnectionsFrom = ( 10.65 195.37.215 )
| AllowMultipleConnectionsFrom = ( 10.65 195.37.215 )
| admit:
| config_host::
| /local/var/cfengine/inputs 10.65 195.37.215
| /local/var/cfengine/files 10.65 195.37.215
| !config_host::
| /usr/sbin/cfagent 10.65.33.184 195.37.215.234
And this cfservd.conf works on all other clients in 10.65.49/24, except
two machines. INTERNAL_HOSTS is declared and contains this subnet.
cfagent started on the client works fine, though.
???
Regards,
Ralph
--
Ralph Angenendt......ra@br-online.de | .."Text processing has made it possible
Bayerischer Rundfunk...HA-Multimedia | ....to right-justify any idea, even one
Rundfunkplatz 1........80300 München | .which cannot be justified on any other
Tl:089.5900.16023..Fx:089.5900.16240 | ..........grounds." -- J. Finnegan, USC