help-cfengine

Re: problems with trust


From: Ed Brown
Subject: Re: problems with trust
Date: Mon, 19 Sep 2005 17:52:42 -0600

The same cfservd.conf, including 'domain' value?  Does that match the
domain in your update.conf?  (Not sure that would result in a key/trust
error message, but it wouldn't be the only misleading error in
cfengine.)

Key exchange happens within cfengine, and doesn't require 'admit' or
'grant' statements to the keys (or 'copy:' statements). I don't think
you need the 'admit:' line below, though you do need one or more for the
files that you are trying to copy.   

Suggest you post more of your cfservd.conf and update.conf files, as
well as more of the error output, which could hold other clues.  (Delete
or disguise info you don't want to share, but if you really want help,
provide more information up front!)




On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> Sorry, the repost I sent didn't include the entire original post. Here's
> the deal.
> 
> I'm using the same cfservd.conf on two servers on two different nets,
> 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> establish trust automatically with the cfservd on the 208 net, but the
> clients on the 66 net throw "BAD: key could not be accepted on trust,"
> and the cfservd throws the same error, when they try to connect to the
> cfservd on the 66 net.
> 
> Here are the relevant parts of the cfservd.conf. You can ignore the
> other two nets listed.
> 
> control:
>     cfengine_server::
>         # tcp_wrappers-like access control
>         AllowConnectionsFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
>         )
> 
>         TrustKeysFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
>         )
> 
> admit:
>     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> 
> 
> On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> > > > The clients and server are on the same network, 66.162.222.0/24. Here's
> > > > the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
> > > >
> > > > TrustKeysFrom = (
> > > >             208.10.199.0/24
> > > >             66.162.222.0/24
> > > >             216.54.235.0/24
> > > >             192.168.199.0/24
> > > > )
> >
> > This raises lots of questions, like about the topology and network
> > configuration of your clients and server[s?] (multiple interfaces,
> > routing, hostnames and 'domain' value...?)   What 'stuff' is working?
> > More information might help get you an answer quicker.  Are you saying
> > clients on  208.10.199.0/24 are talking ok to the server on
> > 66.162.222.0/24, but not clients on the same subnet as the server, or do
> > you have cfengine servers on each subnet?
> > 
> > 
> > 




