Re: problems with trust
From: Bill Gunter
Subject: Re: problems with trust
Date: Tue, 20 Sep 2005 10:01:19 -0500
The domain values are the same. Here are my configs.
cfservd.conf:
#
groups:
# the name of our server is 'server'
cfengine_server = ( asp )
colo_server = ( boa )
control:
domain = ( (ExecResult(/bin/domainname) )
cfengine_server::
# tcp_wrappers-like access control
AllowConnectionsFrom = (
208.10.199.0/24
66.162.222.0/24
216.54.235.0/24
192.168.199.0/24
)
TrustKeysFrom = (
208.10.199.0/24
66.162.222.0/24
216.54.235.0/24
192.168.199.0/24
)
admit:
/var/cfengine/ppkeys/localhost.pub *.arcsystems.com
cfengine_server::
# Various directories #
colo_server::
# Various directories #
#
update.conf
#
groups:
webserver = ( HostRange(web,1-255) )
cwebserver = ( HostRange(cweb,1-255) )
control:
sysadm = ( email@email )
actionsequence = ( copy directories links processes tidy )
domain = ( ExecResult(/bin/domainname) )
!cfengine_server::
SplayTime = ( 5 )
workdir = ( /var/cfengine )
configroot = ( /cfengine )
AddInstallable = ( new_cfenvd new_cfservd )
solaris::
cf_remote_bin_dir = ( /usr/local/sbin )
cf_local_bin_dir = ( /usr/local/sbin )
bin_server = ( asp.arcsystems.com )
linux::
cf_remote_bin_dir = ( /usr/local/sbin )
cf_local_bin_dir = ( /usr/local/sbin )
208_10_199|216_54_235::
server = ( asp.arcsystems.com )
webserver::
server = ( z_asp.arcsystems.com )
66_162_222::
server = ( boa.arcsystems.com )
cwebserver::
server = ( z_boa.arcsystems.com )
copy:
${configroot}/config/cfengine
dest=${workdir}
mode=700
owner=root
recurse=inf
ignore=CVS
server=$(server)
trustkey=true
type=binary
#
And here is a portion of the output from a "cfagent -vq -d1".
*********************************************************************
Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005
*********************************************************************
(BuildClassEnvironment)
Actionsequence item copy
New server connection...
ExpandVarstring(boa.arcsystems.com)
ExpandVarstring(boa.arcsystems.com)
ExpandVarstring(/cfengine/config/cfengine)
ExpandVarstring(/var/cfengine)
Checking copy from boa.arcsystems.com:/cfengine/config/cfengine
to /var/cfengine
ExpandVarstring(boa.arcsystems.com)
Opening server connnection to boa.arcsystems.com
IPV4 address
sockaddr_ntop(66.162.222.44)
Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
IPV4 address
sockaddr_ntop(66.162.222.44)
IPV4 address
sockaddr_ntop(66.162.222.44)
Found address (66.162.222.44) for host boa.arcsystems.com
Updating last-seen time for boa.arcsystems.com
Remote IP set to 66.162.222.44
IPV4 address
sockaddr_ntop(66.162.222.71)
Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com,
with signature 0
IsIPV6Address(anaconda)
Appending domain arcsystems.com to anaconda
SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
Transaction Send[t 50][Packed text]
Attempting to send 58 bytes
SendSocketStream, sent 58
OptionIs(update,HostnameKeys,1)
GetMacroValue(update,HostnameKeys)
KeyAuthentication(with IP keyname root-66.162.222.44)
Havekey(root-66.162.222.44)
Did not have key root-66.162.222.44
Transaction Send[t 61][Packed text]
Attempting to send 69 bytes
SendSocketStream, sent 69
Transaction Send[t 261][Packed text]
Attempting to send 269 bytes
SendSocketStream, sent 269
Transaction Send[t 5][Packed text]
Attempting to send 13 bytes
SendSocketStream, sent 13
RecvSocketStream(8)
(Concatenated 8 from stream)
Transaction Receive [t 39][]
RecvSocketStream(39)
(Concatenated 39 from stream)
cfengine:: BAD: key could not be accepted on trust
cfengine:: Authentication dialogue with boa.arcsystems.com failed
Closing current connection
cfengine:: Unable to establish connection with boa.arcsystems.com
(failover)
Closing current connection
Saving the setuid log in /var/cfengine/cfagent.anaconda.log
Job start time set to Tue Sep 20 09:58:59 2005
On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote:
> The same cfservd.conf, including 'domain' value? Does that match the
> domain in your update.conf? (Not sure that would result in a key/trust
> error message, but it wouldn't be the only misleading error in
> cfengine.)
>
> Key exchange happens within cfengine, and doesn't require 'admit' or
> 'grant' statements to the keys (or 'copy:' statements). I don't think
> you need the 'admit:' line below, though you do need one or more for the
> files that you are trying to copy.
>
> Suggest you post more of your cfservd.conf and update.conf files, as
> well as more of the error output, which could hold other clues. (Delete
> or disguise info you don't want to share, but if you really want help,
> provide more information up front!)
>
>
>
>
> On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> > Sorry, the repost I sent didn't include the entire original post. Here's
> > the deal.
> >
> > I'm using the same cfservd.conf on two servers on two different nets,
> > 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> > establish trust automatically with the cfservd on the 208 net, but the
> > clients on the 66 net throw "BAD: key could not be accepted on trust,"
> > and the cfservd throws the same error, when they try to connect to the
> > cfservd on the 66 net.
> >
> > Here are the relevant parts of the cfservd.conf. You can ignore the
> > other two nets listed.
> >
> > control:
> > cfengine_server::
> > # tcp_wrappers-like access control
> > AllowConnectionsFrom = (
> > 208.10.199.0/24
> > 66.162.222.0/24
> > 216.54.235.0/24
> > 192.168.199.0/24
> > )
> >
> > TrustKeysFrom = (
> > 208.10.199.0/24
> > 66.162.222.0/24
> > 216.54.235.0/24
> > 192.168.199.0/24
> > )
> >
> > admit:
> > /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> >
> >
> > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> > > > > The clients and server are on the same network, 66.162.222.0/24. Here's
> > > > > the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
> > > > >
> > > > > TrustKeysFrom = (
> > > > > 208.10.199.0/24
> > > > > 66.162.222.0/24
> > > > > 216.54.235.0/24
> > > > > 192.168.199.0/24
> > > > > )
> > >
> > > This raises lots of questions, like about the topology and network
> > > configuration of your clients and server[s?] (multiple interfaces,
> > > routing, hostnames and 'domain' value...?) What 'stuff' is working?
> > > More information might help get you an answer quicker. Are you saying
> > > clients on 208.10.199.0/24 are talking ok to the server on
> > > 66.162.222.0/24, but not clients on the same subnet as the server, or do
> > > you have cfengine servers on each subnet?
> > >
> > >
> > >
>
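A small checker for the kind of trust failure discussed in this thread, added here as an example; it is not code from the thread's participants or from the cfengine project. It parses the AllowConnectionsFrom and TrustKeysFrom lists out of a cfservd.conf fragment, reports whether a connecting client address (here the 66.162.222.71 address that cfagent identified itself with) falls inside those ranges, and flags any line whose parentheses are unbalanced, which is a common way for a list variable to silently take a different value than intended. The sample configuration is the fragment posted above, embedded inline; the parser assumes list entries are CIDR blocks or plain addresses (cfengine 2 also accepts other pattern forms, which this example does not handle).

```python
"""Sanity checks for a cfengine 2 cfservd.conf trust configuration.

Added example, not from the mailing-list thread or the cfengine project.
Assumes AllowConnectionsFrom / TrustKeysFrom entries are CIDR blocks or
plain IP addresses, one or more per line, closed by a lone ')'.
"""
import ipaddress
import re

# Constructed sample: the cfservd.conf fragment posted in the thread.
SAMPLE_CFSERVD = """\
control:
    domain = ( (ExecResult(/bin/domainname) )
cfengine_server::
    # tcp_wrappers-like access control
    AllowConnectionsFrom = (
        208.10.199.0/24
        66.162.222.0/24
        216.54.235.0/24
        192.168.199.0/24
    )
    TrustKeysFrom = (
        208.10.199.0/24
        66.162.222.0/24
        216.54.235.0/24
        192.168.199.0/24
    )
"""

LIST_KEYS = ("AllowConnectionsFrom", "TrustKeysFrom")


def parse_networks(conf):
    """Return {key: [ip_network, ...]} for each list variable in LIST_KEYS."""
    nets = {k: [] for k in LIST_KEYS}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"(\w+)\s*=\s*\((.*)$", line)
        if m and m.group(1) in LIST_KEYS:
            current = m.group(1)
            line = m.group(2).strip()  # entries may follow on the same line
        if current is None:
            continue
        closed = line.endswith(")")
        if closed:
            line = line[:-1].strip()
        for tok in line.split():
            # strict=False accepts host bits set in a CIDR entry
            nets[current].append(ipaddress.ip_network(tok, strict=False))
        if closed:
            current = None
    return nets


def covered_by(nets, addr):
    """Map each list name to True if addr lies in one of its networks."""
    ip = ipaddress.ip_address(addr)
    return {k: any(ip in n for n in v) for k, v in nets.items()}


def unbalanced_lines(conf):
    """Return (lineno, text) for lines whose '(' and ')' counts differ.

    A list opener such as 'TrustKeysFrom = (' and the lone closing ')'
    are balanced across lines by design, so they are skipped.
    """
    bad = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("= (") or line == ")":
            continue
        if line.count("(") != line.count(")"):
            bad.append((n, line))
    return bad


def check_trust(conf, client_ip):
    """Summarize whether cfservd would accept client_ip on trust."""
    nets = parse_networks(conf)
    report = {
        "client": covered_by(nets, client_ip),
        "unbalanced": unbalanced_lines(conf),
    }
    # cfservd must both admit the connection and be willing to trust the key
    report["trust_possible"] = (
        report["client"]["AllowConnectionsFrom"]
        and report["client"]["TrustKeysFrom"]
    )
    return report


if __name__ == "__main__":
    # anaconda (66.162.222.71) connecting to boa, as in the debug output above
    r = check_trust(SAMPLE_CFSERVD, "66.162.222.71")
    print("trust possible by address lists:", r["trust_possible"])
    for lineno, text in r["unbalanced"]:
        print(f"unbalanced parentheses on line {lineno}: {text}")
```

Running it against the posted fragment confirms that 66.162.222.71 is inside both lists, so the address ranges themselves are not what blocks trust; the parenthesis check then points at any line worth re-reading before looking elsewhere (domain values, key files under ppkeys, reverse DNS).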