help-cfengine

Re: problems with trust


From: Bill Gunter
Subject: Re: problems with trust
Date: Tue, 20 Sep 2005 10:01:19 -0500

The domain values are the same. Here are my configs.

cfservd.conf:
#
groups:
    # the name of our server is 'server'
    cfengine_server = ( asp )
    colo_server     = ( boa )

control:

    # domain taken from the output of /bin/domainname (same as in update.conf)
    domain = ( ExecResult(/bin/domainname) )

    cfengine_server::
        # tcp_wrappers-like access control
        AllowConnectionsFrom = (
            208.10.199.0/24
            66.162.222.0/24
            216.54.235.0/24
            192.168.199.0/24
        )

        TrustKeysFrom = (
            208.10.199.0/24
            66.162.222.0/24
            216.54.235.0/24
            192.168.199.0/24
        )

admit:
    /var/cfengine/ppkeys/localhost.pub *.arcsystems.com

    cfengine_server::
        # Various directories #
    colo_server::
        # Various directories #
#



update.conf
#
groups:
    webserver = ( HostRange(web,1-255) )
    cwebserver = ( HostRange(cweb,1-255) )

control:
    sysadm = ( email@email )
    actionsequence = ( copy directories links processes tidy )

    domain = ( ExecResult(/bin/domainname) )

    !cfengine_server::
        SplayTime = ( 5 )

    workdir = ( /var/cfengine )
    configroot = ( /cfengine )

    AddInstallable = ( new_cfenvd new_cfservd )

    solaris::
        cf_remote_bin_dir = ( /usr/local/sbin )
        cf_local_bin_dir =  ( /usr/local/sbin )
        bin_server = ( asp.arcsystems.com )

    linux::
        cf_remote_bin_dir = ( /usr/local/sbin )
        cf_local_bin_dir =  ( /usr/local/sbin )

    208_10_199|216_54_235::
        server = ( asp.arcsystems.com )
    webserver::
        server = ( z_asp.arcsystems.com )
    66_162_222::
        server = ( boa.arcsystems.com )
    cwebserver::
        server = ( z_boa.arcsystems.com )

copy:
    ${configroot}/config/cfengine
       dest=${workdir}
       mode=700
       owner=root
       recurse=inf
       ignore=CVS
       server=$(server)
       trustkey=true
       type=binary


#

And here is a portion of the output from a "cfagent -vq -d1".

*********************************************************************
 Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005
*********************************************************************

(BuildClassEnvironment)
Actionsequence item copy
New server connection...
ExpandVarstring(boa.arcsystems.com)
ExpandVarstring(boa.arcsystems.com)
ExpandVarstring(/cfengine/config/cfengine)
ExpandVarstring(/var/cfengine)
Checking copy from boa.arcsystems.com:/cfengine/config/cfengine
to /var/cfengine
ExpandVarstring(boa.arcsystems.com)
Opening server connnection to boa.arcsystems.com
IPV4 address
sockaddr_ntop(66.162.222.44)
Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
IPV4 address
sockaddr_ntop(66.162.222.44)
IPV4 address
sockaddr_ntop(66.162.222.44)
Found address (66.162.222.44) for host boa.arcsystems.com
Updating last-seen time for boa.arcsystems.com
Remote IP set to 66.162.222.44
IPV4 address
sockaddr_ntop(66.162.222.71)
Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com,
with signature 0
IsIPV6Address(anaconda)
Appending domain arcsystems.com to anaconda
SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
Transaction Send[t 50][Packed text]
Attempting to send 58 bytes
SendSocketStream, sent 58
OptionIs(update,HostnameKeys,1)
GetMacroValue(update,HostnameKeys)
KeyAuthentication(with IP keyname root-66.162.222.44)
Havekey(root-66.162.222.44)
Did not have key root-66.162.222.44
Transaction Send[t 61][Packed text]
Attempting to send 69 bytes
SendSocketStream, sent 69
Transaction Send[t 261][Packed text]
Attempting to send 269 bytes
SendSocketStream, sent 269
Transaction Send[t 5][Packed text]
Attempting to send 13 bytes
SendSocketStream, sent 13
RecvSocketStream(8)
    (Concatenated 8 from stream)
Transaction Receive [t 39][]
RecvSocketStream(39)
    (Concatenated 39 from stream)
cfengine:: BAD: key could not be accepted on trust
cfengine:: Authentication dialogue with boa.arcsystems.com failed
Closing current connection
cfengine:: Unable to establish connection with boa.arcsystems.com
(failover)
Closing current connection
Saving the setuid log in /var/cfengine/cfagent.anaconda.log
Job start time set to Tue Sep 20 09:58:59 2005

On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote:
> The same cfservd.conf, including 'domain' value?  Does that match the
> domain in your update.conf?  (Not sure that would result in a key/trust
> error message, but it wouldn't be the only misleading error in
> cfengine.)
> 
> Key exchange happens within cfengine, and doesn't require 'admit' or
> 'grant' statements to the keys (or 'copy:' statements). I don't think
> you need the 'admit:' line below, though you do need one or more for the
> files that you are trying to copy.   
> 
> Suggest you post more of your cfservd.conf and update.conf files, as
> well as more of the error output, which could hold other clues.  (Delete
> or disguise info you don't want to share, but if you really want help,
> provide more information up front!)
> 
> 
> 
> 
> On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> > Sorry, the repost I sent didn't include the entire original post. Here's
> > the deal.
> > 
> > I'm using the same cfservd.conf on two servers on two different nets,
> > 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> > establish trust automatically with the cfservd on the 208 net, but the
> > clients on the 66 net throw "BAD: key could not be accepted on trust,"
> > and the cfservd throws the same error, when they try to connect to the
> > cfservd on the 66 net.
> > 
> > Here are the relevant parts of the cfservd.conf. You can ignore the
> > other two nets listed.
> > 
> > control:
> >     cfengine_server::
> >         # tcp_wrappers-like access control
> >         AllowConnectionsFrom = (
> >             208.10.199.0/24
> >             66.162.222.0/24
> >             216.54.235.0/24
> >             192.168.199.0/24
> >         )
> > 
> >         TrustKeysFrom = (
> >             208.10.199.0/24
> >             66.162.222.0/24
> >             216.54.235.0/24
> >             192.168.199.0/24
> >         )
> > 
> > admit:
> >     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> > 
> > 
> > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> > > > The clients and server are on the same network, 66.162.222.0/24. Here's
> > > > the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
> > > >
> > > > TrustKeysFrom = (
> > > >             208.10.199.0/24
> > > >             66.162.222.0/24
> > > >             216.54.235.0/24
> > > >             192.168.199.0/24
> > > > )
> > >
> > > This raises lots of questions, like about the topology and network
> > > configuration of your clients and server[s?] (multiple interfaces,
> > > routing, hostnames and 'domain' value...?)   What 'stuff' is working?
> > > More information might help get you an answer quicker.  Are you saying
> > > clients on 208.10.199.0/24 are talking ok to the server on
> > > 66.162.222.0/24, but not clients on the same subnet as the server, or do
> > > you have cfengine servers on each subnet?
> > > 
> > > 
> > > 
> 
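The following diagnostic script is an added example and is not part of the thread or of cfengine's own tooling. It pulls the client and server addresses, the key name cfagent looked for, and the failure line out of a "cfagent -vq -d1" transcript, then checks those addresses against the AllowConnectionsFrom and TrustKeysFrom network lists from the poster's cfservd.conf. The network lists are the ones posted above; the log excerpt is a constructed sample made of lines taken from the transcript above. The key file name (root-<ip>.pub under the ppkeys directory) follows the cfengine 2 naming convention that the "Did not have key root-66.162.222.44" line hints at, and is an assumption about the on-disk layout; the ppkeys path is the one from the poster's admit: line.

```python
"""Check a cfengine 2 'key could not be accepted on trust' failure against
the server's TrustKeysFrom / AllowConnectionsFrom lists.

Added example, not cfengine code. Network lists come from the cfservd.conf in
the thread; SAMPLE_LOG is a constructed excerpt of the cfagent -vq -d1 output.
"""
import ipaddress
import re

# Networks from the poster's cfservd.conf (cfengine_server:: class).
ALLOW_CONNECTIONS_FROM = [
    "208.10.199.0/24", "66.162.222.0/24", "216.54.235.0/24", "192.168.199.0/24",
]
TRUST_KEYS_FROM = list(ALLOW_CONNECTIONS_FROM)

# Constructed sample: selected lines from the cfagent -vq -d1 transcript.
SAMPLE_LOG = """\
Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
Remote IP set to 66.162.222.44
Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com,
SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
KeyAuthentication(with IP keyname root-66.162.222.44)
Did not have key root-66.162.222.44
cfengine:: BAD: key could not be accepted on trust
cfengine:: Authentication dialogue with boa.arcsystems.com failed
"""

PATTERNS = {
    "server_ip": re.compile(r"^Remote IP set to (\S+)"),
    "client_ip": re.compile(r"^Identifying this agent as (\S+) i\.e\. (\S+),"),
    "missing_key": re.compile(r"^Did not have key (\S+)"),
}


def in_any_network(ip, networks):
    """True if ip falls inside at least one of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def parse_agent_log(text):
    """Extract the facts the trust check needs from a cfagent -d1 transcript."""
    info = {"trust_failed": False}
    for line in text.splitlines():
        m = PATTERNS["server_ip"].match(line)
        if m:
            info["server_ip"] = m.group(1)
        m = PATTERNS["client_ip"].match(line)
        if m:
            info["client_ip"], info["client_host"] = m.group(1), m.group(2)
        m = PATTERNS["missing_key"].match(line)
        if m:
            info["missing_key"] = m.group(1)
        if "BAD: key could not be accepted on trust" in line:
            info["trust_failed"] = True
    return info


def diagnose(log_text, allow=ALLOW_CONNECTIONS_FROM, trust=TRUST_KEYS_FROM,
             ppkeys="/var/cfengine/ppkeys"):
    """Combine the log facts with the cfservd.conf network lists."""
    info = parse_agent_log(log_text)
    client = info.get("client_ip")
    return {
        **info,
        # cfservd's tcp_wrappers-style gate: would it talk to this client at all?
        "client_allowed": client is not None and in_any_network(client, allow),
        # Would cfservd accept a key it has never seen from this client?
        "client_trusted": client is not None and in_any_network(client, trust),
        # Key file cfagent wanted on its own side (cfengine 2 root-<ip>.pub naming, assumed).
        "expected_key_file": (f"{ppkeys}/{info['missing_key']}.pub"
                              if "missing_key" in info else None),
    }


def summarize(result):
    """Human-readable findings for the sysadmin reading the transcript."""
    lines = [
        f"agent {result.get('client_host')} ({result.get('client_ip')}) "
        f"-> server {result.get('server_ip')}",
        f"client covered by AllowConnectionsFrom: {result['client_allowed']}",
        f"client covered by TrustKeysFrom:        {result['client_trusted']}",
        f"key cfagent expected locally:           {result['expected_key_file']}",
    ]
    if result["trust_failed"] and result["client_trusted"]:
        lines.append("TrustKeysFrom as posted covers the client, so the CIDR lists "
                     "do not explain the refusal; compare the config actually loaded "
                     "on the server (including its domain value) with this one.")
    elif result["trust_failed"]:
        lines.append("client is outside TrustKeysFrom: cfservd will not accept its key on trust.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(diagnose(SAMPLE_LOG)))
```

Run it against a saved "cfagent -vq -d1" transcript by passing the file contents to diagnose(); the CIDR check is the same one a reviewer does by hand when deciding whether the TrustKeysFrom list, rather than something else on the server, is what refused the key.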



