cfservd access question
From: Bob Smith
Subject: cfservd access question
Date: Mon, 23 Jan 2006 13:27:14 -0800
The following all takes place using cfengine 2.1.18 on Solaris 10. In this
environment the client's name is "elf.corp" and the client's DNS domain is
"corp.abc.com". DNS resolution works correctly in the environment.
Using the examples supplied with the distribution I am attempting to create
an update.conf for my site. In the admit section of the sample cfservd.conf
access is granted based on a glob DNS domain name match (i.e.
"*.iu.hioslo.no"); however, when I attempt to do the same type of thing for my
site I hit access restrictions.
My cfservd.conf looks like:
control:
   domain = ( corp.abc.com )
   cfrunCommand = ( "/usr/local/sbin/cfagent" )

   any::
      IfElapsed = ( 1 )
      ExpireAfter = ( 15 )
      MaxConnections = ( 50 )
      MultipleConnections = ( true )
      LogAllConnections = ( true )
      AllowConnectionsFrom = ( 172.16.1.0/24 )
      TrustKeysFrom = ( 172.16.1.0/24 )
      AllowUsers = ( root )

admit:
   /master_files/sysops/config_files   *.corp.abc.com
My update.conf looks like:
control:
   actionsequence = ( copy tidy )
   domain = ( corp.abc.com )
   policyhost = ( monitor01.corp.abc.com )
   master_cfinput = ( /master_files/sysops/config_files/env_dep/CORP/var/cfengine/inputs )
   workdir = ( /var/cfengine )

copy:
   $(master_cfinput)
      dest=$(workdir)/inputs
      timestamps=preserve
      exclude=*.lst
      exclude=*~
      exclude=*,v
      exclude=*-
      exclude=#*
      ignore=SCCS
      ignore=RCS
      recurse=inf
      type=sum
      server=$(policyhost)
      trustkey=true
      encrypt=true
If I run cfservd in debug mode (-d3) I see the following:
Checking whether to map root privileges..
FuzzyItemIn(LIST,172.16.1.68)
No root privileges granted
WildMatch(elf.corp,*.corp.abc.com)
WildMatch(*.corp.abc.com,elf.corp)
WildMatch(172.16.1.68,*.corp.abc.com)
WildMatch(*.corp.abc.com,172.16.1.68)
FuzzyItemIn(LIST,172.16.1.68)
Try FuzzySetMatch(*.corp.abc.com,172.16.1.68)
cfservd: Host elf.corp denied access to
/master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules
cfservd: Unspecified refusal by server
From this it appears to me that the server is not doing either of the
behaviors I would expect: (a) it is not comparing the "domain" value set in
the client's update.conf to the access list specified in the server's
cfservd.conf; (b) it is not resolving, via DNS, the client's IP address and
comparing that to the access list specified in the server's cfservd.conf.
Also, the documentation states, in section "4.3 Cfengine classes"
(http://www.cfengine.com/docs/cfengine-Reference.html#Cfengine-classes), that
"Cfengine uses both the unqualified and fully host names as classes. Some
sites and operating systems use fully qualified names for their hosts. i.e.
uname -n returns to full domain qualified hostname. This spoils the class
matching algorithms for cfengine, so cfengine automatically truncates names
which contain a dot `.' at the first `.' it encounters."
Given this I would have expected that the hostname used by cfservd for
access list matching would have been "elf" not "elf.corp" as shown by the
debug output.
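A simplified model of the two gates visible in the -d3 trace, added here as an illustration and not cfengine's own code. It assumes, as the trace suggests, that the admit glob is tried against the host name the server holds for the peer and against the peer IP with no domain qualification, and uses sample values constructed from the post.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Constructed sample values mirroring the cfservd.conf above (not the file itself).
ALLOW_CONNECTIONS_FROM = ["172.16.1.0/24"]
ADMIT = {"/master_files/sysops/config_files": ["*.corp.abc.com"]}


def ip_allowed(peer_ip, networks=ALLOW_CONNECTIONS_FROM):
    """AllowConnectionsFrom: the peer address must fall inside an admitted CIDR."""
    addr = ip_address(peer_ip)
    return any(addr in ip_network(net) for net in networks)


def admit_match(path, peer_ip, peer_name, admit=ADMIT):
    """Return (candidate, pattern) for the first admit pattern that matches,
    or None.  Assumption from the trace: only the name the server has for
    the peer and the peer IP are tried; neither is qualified with 'domain'."""
    prefix = max((p for p in admit if path.startswith(p)), key=len, default=None)
    if prefix is None:
        return None
    for pattern in admit[prefix]:
        for cand in (peer_name, peer_ip):        # WildMatch(cand, pattern)
            if fnmatchcase(cand, pattern):
                return cand, pattern
    return None


def check_access(path, peer_ip, peer_name):
    """Combine both gates and report the outcome the way the trace does."""
    if not ip_allowed(peer_ip):
        return "denied: %s outside AllowConnectionsFrom" % peer_ip
    hit = admit_match(path, peer_ip, peer_name)
    if hit is None:
        return "denied: host %s (%s) matches no admit pattern" % (peer_name, peer_ip)
    return "granted: %s matched %s" % hit


if __name__ == "__main__":
    req = "/master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules"
    # Only the fully qualified form satisfies "*.corp.abc.com"; "elf" and
    # "elf.corp" (what the trace shows) are both refused.
    for name in ("elf", "elf.corp", "elf.corp.abc.com"):
        print(name, "->", check_access(req, "172.16.1.68", name))
```

The model shows that a name-glob admit rule is only as strong as the name the server actually compares, so the CIDR gate in AllowConnectionsFrom remains the check to rely on.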