Re: problems with trust

[Ed Brown]

Your debug output indicates you are attempting to connect to (copy from)
boa.  Yet boa is defined as 'colo_server', not 'cfengine_server', so the
TrustKeysFrom line in cfservd.conf is not applicable.



On Tue, 2005-09-20 at 09:01, Bill Gunter wrote:
> The domain values are the same. Here are my configs.
> 
> cfservd.conf:
> #
> groups:
>     # the name of our server is 'server'
>     cfengine_server = ( asp )
>     colo_server     = ( boa )
> 
> control:
> 
>     domain = ( (ExecResult(/bin/domainname) )
> 
>     cfengine_server::
>         # tcp_wrappers-like access control
>         AllowConnectionsFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
>         )
> 
>         TrustKeysFrom = (
>             208.10.199.0/24
>             66.162.222.0/24
>             216.54.235.0/24
>             192.168.199.0/24
>         )
> 
> admit:
>     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> 
>     cfengine_server::
>         # Various directories #
>     colo_server::
>         # Various directories #
> #
> 
> 
> 
> update.conf
> #
> groups:
>     webserver = ( HostRange(web,1-255) )
>     cwebserver = ( HostRange(cweb,1-255) )
> 
> control:
>     sysadm = ( email@email )
>     actionsequence = ( copy directories links processes tidy )
> 
>     domain = ( ExecResult(/bin/domainname) )
> 
>     !cfengine_server::
>         SplayTime = ( 5 )
> 
>     workdir = ( /var/cfengine )
>     configroot = ( /cfengine )
> 
>     AddInstallable = ( new_cfenvd new_cfservd )
> 
>     solaris::
>         cf_remote_bin_dir = ( /usr/local/sbin )
>         cf_local_bin_dir =  ( /usr/local/sbin )
>         bin_server = ( asp.arcsystems.com )
> 
>     linux::
>         cf_remote_bin_dir = ( /usr/local/sbin )
>         cf_local_bin_dir =  ( /usr/local/sbin )
> 
>     208_10_199|216_54_235::
>         server = ( asp.arcsystems.com )
>     webserver::
>         server = ( z_asp.arcsystems.com )
>     66_162_222::
>         server = ( boa.arcsystems.com )
>     cwebserver::
>         server = ( z_boa.arcsystems.com )
> 
> copy:
>     ${configroot}/config/cfengine
>        dest=${workdir}
>        mode=700
>        owner=root
>        recurse=inf
>        ignore=CVS
>        server=$(server)
>        trustkey=true
>        type=binary
> 
> 
> #
> 
> And here is a portion of the output from a "cfagent -vq -d1".
> 
> *********************************************************************
>  Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005
> *********************************************************************
> 
> (BuildClassEnvironment)
> Actionsequence item copy
> New server connection...
> ExpandVarstring(boa.arcsystems.com)
> ExpandVarstring(boa.arcsystems.com)
> ExpandVarstring(/cfengine/config/cfengine)
> ExpandVarstring(/var/cfengine)
> Checking copy from boa.arcsystems.com:/cfengine/config/cfengine
> to /var/cfengine
> ExpandVarstring(boa.arcsystems.com)
> Opening server connnection to boa.arcsystems.com
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> Found address (66.162.222.44) for host boa.arcsystems.com
> Updating last-seen time for boa.arcsystems.com
> Remote IP set to 66.162.222.44
> IPV4 address
> sockaddr_ntop(66.162.222.71)
> Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com,
> with signature 0
> IsIPV6Address(anaconda)
> Appending domain arcsystems.com to anaconda
> SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
> Transaction Send[t 50][Packed text]
> Attempting to send 58 bytes
> SendSocketStream, sent 58
> OptionIs(update,HostnameKeys,1)
> GetMacroValue(update,HostnameKeys)
> KeyAuthentication(with IP keyname root-66.162.222.44)
> Havekey(root-66.162.222.44)
> Did not have key root-66.162.222.44
> Transaction Send[t 61][Packed text]
> Attempting to send 69 bytes
> SendSocketStream, sent 69
> Transaction Send[t 261][Packed text]
> Attempting to send 269 bytes
> SendSocketStream, sent 269
> Transaction Send[t 5][Packed text]
> Attempting to send 13 bytes
> SendSocketStream, sent 13
> RecvSocketStream(8)
>     (Concatenated 8 from stream)
> Transaction Receive [t 39][]
> RecvSocketStream(39)
>     (Concatenated 39 from stream)
> cfengine:: BAD: key could not be accepted on trust
> cfengine:: Authentication dialogue with boa.arcsystems.com failed
> Closing current connection
> cfengine:: Unable to establish connection with boa.arcsystems.com
> (failover)
> Closing current connection
> Saving the setuid log in /var/cfengine/cfagent.anaconda.log
> Job start time set to Tue Sep 20 09:58:59 2005
> 
> On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote:
> > The same cfservd.conf, including 'domain' value?  Does that match the
> > domain in your update.conf?  (Not sure that would result in a key/trust
> > error message, but it wouldn't be the only misleading error in
> > cfengine.)
> > 
> > Key exchange happens within cfengine, and doesn't require 'admit' or
> > 'grant' statements to the keys (or 'copy:' statements). I don't think
> > you need the 'admit:' line below, though you do need one or more for the
> > files that you are trying to copy.   
> > 
> > Suggest you post more of your cfservd.conf and update.conf files, as
> > well as more of the error output, which could hold other clues.  (Delete
> > or disguise info you don't want to share, but if you really want help,
> > provide more information up front!)
> > 
> > 
> > 
> > 
> > On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> > > Sorry, the repost I sent didn't include the entire original post. Here's
> > > the deal.
> > > 
> > > I'm using the same cfservd.conf on two servers on two different nets,
> > > 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> > > establish trust automatically with the cfservd on the 208 net, but the
> > > clients on the 66 net throw "BAD: key could not be accepted on trust,"
> > > and the cfservd throws the same error, when they try to connect to the
> > > cfservd on the 66 net.
> > > 
> > > Here are the relevant parts of the cfservd.conf. You can ignore the
> > > other two nets listed.
> > > 
> > > control:
> > >     cfengine_server::
> > >         # tcp_wrappers-like access control
> > >         AllowConnectionsFrom = (
> > >             208.10.199.0/24
> > >             66.162.222.0/24
> > >             216.54.235.0/24
> > >             192.168.199.0/24
> > >         )
> > > 
> > >         TrustKeysFrom = (
> > >             208.10.199.0/24
> > >             66.162.222.0/24
> > >             216.54.235.0/24
> > >             192.168.199.0/24
> > >         )
> > > 
> > > admit:
> > >     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> > > 
> > > 
> > > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote: 
> > > > > > The clients and server are on the same network, 66.162.222.0/24.
> > > > Here's 
> > > > > > the TrustKeys. The stuff on the 208.10.199.0/24 net works fine. 
> > > > > >  
> > > > > > TrustKeysFrom = ( 
> > > > > >             208.10.199.0/24 
> > > > > >             66.162.222.0/24 
> > > > > >             216.54.235.0/24 
> > > > > >             192.168.199.0/24 
> > > > > > )
> > > > 
> > > > This raises lots of questions, like about the topology and network 
> > > > configuration of your clients and server[s?] (multiple interfaces, 
> > > > routing, hostnames and 'domain' value...?)   What 'stuff' is
> > > > working?  
> > > > More information might help get you an answer quicker.  Are you
> > > > saying 
> > > > clients on  208.10.199.0/24 are talking ok to the server on 
> > > > 66.162.222.0/24, but not clients on the same subnet as the server, or
> > > > do 
> > > > you have cfengine servers on each subnet?
> > > > 
> > > > 
> > > > 
> >