
Re: problems with trust


From: Bill Gunter
Subject: Re: problems with trust
Date: Tue, 20 Sep 2005 10:45:18 -0500

GAAAAA! I knew it would be something stupid. Thanks for being my second
pair of eyes.

bg

On Tue, 2005-09-20 at 10:36 -0500, Ed Brown wrote:
> Your debug output indicates you are attempting to connect to (copy
> from) boa.  Yet boa is defined as 'colo_server', not 'cfengine_server', so
> the TrustKeysFrom line in cfservd.conf is not applicable.
> 
> 
> 
> On Tue, 2005-09-20 at 09:01, Bill Gunter wrote: 
> > The domain values are the same. Here are my configs. 
> >  
> > cfservd.conf: 
> > # 
> > groups: 
> >     # the name of our server is 'server' 
> >     cfengine_server = ( asp ) 
> >     colo_server     = ( boa ) 
> >  
> > control: 
> >  
> >     domain = ( ExecResult(/bin/domainname) ) 
> >  
> >     cfengine_server:: 
> >         # tcp_wrappers-like access control 
> >         AllowConnectionsFrom = ( 
> >             208.10.199.0/24 
> >             66.162.222.0/24 
> >             216.54.235.0/24 
> >             192.168.199.0/24 
> >         ) 
> >  
> >         TrustKeysFrom = ( 
> >             208.10.199.0/24 
> >             66.162.222.0/24 
> >             216.54.235.0/24 
> >             192.168.199.0/24 
> >         ) 
> >  
> > admit: 
> >     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com 
> >  
> >     cfengine_server:: 
> >         # Various directories # 
> >     colo_server:: 
> >         # Various directories # 
> > # 
> >  
> >  
> >  
> > update.conf 
> > # 
> > groups: 
> >     webserver = ( HostRange(web,1-255) ) 
> >     cwebserver = ( HostRange(cweb,1-255) ) 
> >  
> > control: 
> >     sysadm = ( email@email ) 
> >     actionsequence = ( copy directories links processes tidy ) 
> >  
> >     domain = ( ExecResult(/bin/domainname) ) 
> >  
> >     !cfengine_server:: 
> >         SplayTime = ( 5 ) 
> >  
> >     workdir = ( /var/cfengine ) 
> >     configroot = ( /cfengine ) 
> >  
> >     AddInstallable = ( new_cfenvd new_cfservd ) 
> >  
> >     solaris:: 
> >         cf_remote_bin_dir = ( /usr/local/sbin ) 
> >         cf_local_bin_dir =  ( /usr/local/sbin ) 
> >         bin_server = ( asp.arcsystems.com ) 
> >  
> >     linux:: 
> >         cf_remote_bin_dir = ( /usr/local/sbin ) 
> >         cf_local_bin_dir =  ( /usr/local/sbin ) 
> >  
> >     208_10_199|216_54_235:: 
> >         server = ( asp.arcsystems.com ) 
> >     webserver:: 
> >         server = ( z_asp.arcsystems.com ) 
> >     66_162_222:: 
> >         server = ( boa.arcsystems.com ) 
> >     cwebserver:: 
> >         server = ( z_boa.arcsystems.com ) 
> >  
> > copy: 
> >     ${configroot}/config/cfengine 
> >        dest=${workdir} 
> >        mode=700 
> >        owner=root 
> >        recurse=inf 
> >        ignore=CVS 
> >        server=$(server) 
> >        trustkey=true 
> >        type=binary 
> >  
> >  
> > # 
> >  
> > And here is a portion of the output from a "cfagent -vq -d1". 
> >  
> > ********************************************************************* 
> >  Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005 
> > ********************************************************************* 
> >  
> > (BuildClassEnvironment) 
> > Actionsequence item copy 
> > New server connection... 
> > ExpandVarstring(boa.arcsystems.com) 
> > ExpandVarstring(boa.arcsystems.com) 
> > ExpandVarstring(/cfengine/config/cfengine) 
> > ExpandVarstring(/var/cfengine) 
> > Checking copy from boa.arcsystems.com:/cfengine/config/cfengine 
> > to /var/cfengine 
> > ExpandVarstring(boa.arcsystems.com) 
> > Opening server connnection to boa.arcsystems.com 
> > IPV4 address 
> > sockaddr_ntop(66.162.222.44) 
> > Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine 
> > IPV4 address 
> > sockaddr_ntop(66.162.222.44) 
> > IPV4 address 
> > sockaddr_ntop(66.162.222.44) 
> > Found address (66.162.222.44) for host boa.arcsystems.com 
> > Updating last-seen time for boa.arcsystems.com 
> > Remote IP set to 66.162.222.44 
> > IPV4 address 
> > sockaddr_ntop(66.162.222.71) 
> > Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com, 
> > with signature 0 
> > IsIPV6Address(anaconda) 
> > Appending domain arcsystems.com to anaconda 
> > SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0 
> > Transaction Send[t 50][Packed text] 
> > Attempting to send 58 bytes 
> > SendSocketStream, sent 58 
> > OptionIs(update,HostnameKeys,1) 
> > GetMacroValue(update,HostnameKeys) 
> > KeyAuthentication(with IP keyname root-66.162.222.44) 
> > Havekey(root-66.162.222.44) 
> > Did not have key root-66.162.222.44 
> > Transaction Send[t 61][Packed text] 
> > Attempting to send 69 bytes 
> > SendSocketStream, sent 69 
> > Transaction Send[t 261][Packed text] 
> > Attempting to send 269 bytes 
> > SendSocketStream, sent 269 
> > Transaction Send[t 5][Packed text] 
> > Attempting to send 13 bytes 
> > SendSocketStream, sent 13 
> > RecvSocketStream(8) 
> >     (Concatenated 8 from stream) 
> > Transaction Receive [t 39][] 
> > RecvSocketStream(39) 
> >     (Concatenated 39 from stream) 
> > cfengine:: BAD: key could not be accepted on trust 
> > cfengine:: Authentication dialogue with boa.arcsystems.com failed 
> > Closing current connection 
> > cfengine:: Unable to establish connection with boa.arcsystems.com 
> > (failover) 
> > Closing current connection 
> > Saving the setuid log in /var/cfengine/cfagent.anaconda.log 
> > Job start time set to Tue Sep 20 09:58:59 2005 
> >  
> > On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote: 
> > > The same cfservd.conf, including 'domain' value?  Does that match the 
> > > domain in your update.conf?  (Not sure that would result in a key/trust 
> > > error message, but it wouldn't be the only misleading error in 
> > > cfengine.) 
> > >  
> > > Key exchange happens within cfengine, and doesn't require 'admit' or 
> > > 'grant' statements to the keys (or 'copy:' statements). I don't think 
> > > you need the 'admit:' line below, though you do need one or more for the 
> > > files that you are trying to copy. 
> > >  
> > > Suggest you post more of your cfservd.conf and update.conf files, as 
> > > well as more of the error output, which could hold other clues. (Delete 
> > > or disguise info you don't want to share, but if you really want help, 
> > > provide more information up front!) 
> > >  
> > >  
> > >  
> > >  
> > > On Mon, 2005-09-19 at 16:12, Bill Gunter wrote: 
> > > > Sorry, the repost I sent didn't include the entire original post. Here's 
> > > > the deal. 
> > > >  
> > > > I'm using the same cfservd.conf on two servers on two different nets, 
> > > > 208.10.199 and 66.162.222. Clients on the 208 net can connect and 
> > > > establish trust automatically with the cfservd on the 208 net, but the 
> > > > clients on the 66 net throw "BAD: key could not be accepted on trust," 
> > > > and the cfservd throws the same error, when they try to connect to the 
> > > > cfservd on the 66 net. 
> > > >  
> > > > Here are the relevant parts of the cfservd.conf. You can ignore the 
> > > > other two nets listed. 
> > > >  
> > > > control: 
> > > >     cfengine_server:: 
> > > >         # tcp_wrappers-like access control 
> > > >         AllowConnectionsFrom = ( 
> > > >             208.10.199.0/24 
> > > >             66.162.222.0/24 
> > > >             216.54.235.0/24 
> > > >             192.168.199.0/24 
> > > >         ) 
> > > >  
> > > >         TrustKeysFrom = ( 
> > > >             208.10.199.0/24 
> > > >             66.162.222.0/24 
> > > >             216.54.235.0/24 
> > > >             192.168.199.0/24 
> > > >         ) 
> > > >  
> > > > admit: 
> > > >     /var/cfengine/ppkeys/localhost.pub *.arcsystems.com 
> > > >  
> > > >  
> > > > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote: 
> > > > > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote: 
> > > > > > > The clients and server are on the same network, 66.162.222.0/24. Here's 
> > > > > > > the TrustKeys. The stuff on the 208.10.199.0/24 net works fine. 
> > > > > > >  
> > > > > > > TrustKeysFrom = ( 
> > > > > > >             208.10.199.0/24 
> > > > > > >             66.162.222.0/24 
> > > > > > >             216.54.235.0/24 
> > > > > > >             192.168.199.0/24 
> > > > > > > ) 
> > > > >  
> > > > > This raises lots of questions, like about the topology and network 
> > > > > configuration of your clients and server[s?] (multiple interfaces, 
> > > > > routing, hostnames and 'domain' value...?)   What 'stuff' is working? 
> > > > > More information might help get you an answer quicker.  Are you saying 
> > > > > clients on 208.10.199.0/24 are talking ok to the server on 
> > > > > 66.162.222.0/24, but not clients on the same subnet as the server, or do 
> > > > > you have cfengine servers on each subnet? 
> > > > >  
> > > > >  
> > > > >  
> > > 
> 
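Added example, not code from the thread or from cfengine itself: a small Python evaluator of the class-scoped `control:` section behind Ed's diagnosis. It resolves the `groups:` classes, applies the `cfengine_server::` guard the way cfservd does, and shows that boa gets no TrustKeysFrom list at all until the class line is widened to cover it. The config text is constructed to mirror the quoted cfservd.conf, and the parser handles only simple `name = ( ... )` settings and `a|b::` class lines (no negation or hard classes).

```python
import ipaddress
import re

# Constructed cfservd.conf in the shape of the one quoted in the thread:
# two soft classes, and a control section gated on cfengine_server only.
CFSERVD_CONF = """
groups:
    cfengine_server = ( asp )
    colo_server     = ( boa )

control:
    cfengine_server::
        AllowConnectionsFrom = ( 208.10.199.0/24 66.162.222.0/24 )
        TrustKeysFrom = ( 208.10.199.0/24 66.162.222.0/24 )
"""

# Same file with the class guard widened so the colo server is covered too.
FIXED_CONF = CFSERVD_CONF.replace("cfengine_server::", "cfengine_server|colo_server::")

def section(text, name, stop):
    """Return the body of the 'name:' section up to the next 'stop:' label (or EOF)."""
    body = text.split(name + ":", 1)[1]
    return body.split(stop + ":", 1)[0]

def parse_groups(text):
    """Map each soft class declared under 'groups:' to the set of hosts listed for it."""
    return {m.group(1): set(m.group(2).split())
            for m in re.finditer(r"^\s*(\w+)\s*=\s*\(([^)]*)\)",
                                 section(text, "groups", "control"), re.M)}

def control_for(text, host, groups):
    """Evaluate 'control:' with class scoping: an 'a|b::' line selects the classes
    that guard the lines after it; a setting applies only if host is in one of them."""
    current, settings = ["any"], {}
    for m in re.finditer(r"^\s*([\w|]+)::\s*$|^\s*(\w+)\s*=\s*\(([^)]*)\)",
                         section(text, "control", "admit"), re.M):
        if m.group(1):
            current = m.group(1).split("|")
        elif "any" in current or any(host in groups.get(c, ()) for c in current):
            settings[m.group(2)] = m.group(3).split()
    return settings

def key_trusted(text, server_host, client_ip):
    """True if cfservd on server_host would accept an unknown key from client_ip on trust."""
    nets = control_for(text, server_host, parse_groups(text)).get("TrustKeysFrom", [])
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in nets)
```

With the original guard, `key_trusted(CFSERVD_CONF, "boa", "66.162.222.71")` is False even though the client's network is listed, which is exactly the "key could not be accepted on trust" outcome in the debug output; with `FIXED_CONF` it becomes True.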