Re: cfservd access question


From: Bob Smith
Subject: Re: cfservd access question
Date: Mon, 23 Jan 2006 19:29:33 -0800


For this network, no, but I do have several networks that are shared between logical environments and thus DNS subdomains, e.g. I have 172.16.7.0/24 which contains hosts from each of corp.abc.com, test.abc.com, and stg.abc.com.

In any case I'd like to understand what cfengine is doing and either adjust the documentation to match the behavior or adjust the behavior to match the documentation.

thx.




From: Ed Brown <address@hidden>
To: Bob Smith <address@hidden>
CC: address@hidden
Subject: Re: cfservd access question
Date: Mon, 23 Jan 2006 16:57:18 -0700

While this doesn't perhaps get to the heart of your question, is there
any reason not to use the same expression (172.16.1.0/24 in your
example) in 'admit:' that you use in 'control:'?

-Ed


On Mon, 2006-01-23 at 13:27 -0800, Bob Smith wrote:
> the following all takes place using cfengine 2.1.18 on Solaris 10. in this
> environment the client's name is "elf.corp" and the client's dns domain is
> "corp.abc.com". dns resolution works correctly in the environment.
>
> using the examples supplied with the distribution I am attempting to create
> an update.conf for my site. in the admit section of the sample cfservd.conf
> access is granted based on a glob dns domain name match (i.e.
> "*.iu.hioslo.no") however when I attempt to do the same type of thing for my
> site I hit access restrictions.
>
> my cfservd.conf looks like:
>
> control:
>
>   domain                        = ( corp.abc.com )
>   cfrunCommand                  = ( "/usr/local/sbin/cfagent" )
>
>   any::
>
>     IfElapsed                   = ( 1 )
>     ExpireAfter                 = ( 15 )
>     MaxConnections              = ( 50 )
>     MultipleConnections         = ( true )
>     LogAllConnections           = ( true )
>     AllowConnectionsFrom        = ( 172.16.1.0/24 )
>     TrustKeysFrom               = ( 172.16.1.0/24 )
>     AllowUsers                  = ( root )
>
> admit:
>   /master_files/sysops/config_files   *.corp.abc.com
>
> my update.conf looks like:
>
> control:
>
>   actionsequence  = ( copy tidy )
>   domain          = ( corp.abc.com )
>
>   policyhost      = ( monitor01.corp.abc.com )
>   master_cfinput  =
> ( /master_files/sysops/config_files/env_dep/CORP/var/cfengine/inputs
> )
>
>   workdir         = ( /var/cfengine )
>
> copy:
>
>   $(master_cfinput)
>         dest=$(workdir)/inputs
>         timestamps=preserve
>         exclude=*.lst
>         exclude=*~
>         exclude=*,v
>         exclude=*-
>         exclude=#*
>         ignore=SCCS
>         ignore=RCS
>         recurse=inf
>         type=sum
>         server=$(policyhost)
>         trustkey=true
>         encrypt=true
>
> if I run cfservd in debug mode (-d3) I see the following:
>
> Checking whether to map root privileges..
>
> FuzzyItemIn(LIST,172.16.1.68)
> No root privileges granted
> WildMatch(elf.corp,*.corp.abc.com)
> WildMatch(*.corp.abc.com,elf.corp)
> WildMatch(172.16.1.68,*.corp.abc.com)
> WildMatch(*.corp.abc.com,172.16.1.68)
>
> FuzzyItemIn(LIST,172.16.1.68)
> Try FuzzySetMatch(*.corp.abc.com,172.16.1.68)
> cfservd: Host elf.corp denied access to
> /master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules
> cfservd: Unspecified refusal by server
>
>
>
> from this it appears to me that the server is not doing either of the
> behaviors I would expect: (a) it is not comparing the "domain" value set in
> the client's update.conf to the access list specified in the server's
> cfservd.conf; (b) it is not resolving, via dns, the client's IP address and
> comparing that to the access list specified in the server's cfservd.conf.
>
> also, the documentation states, in section "4.3 Cfengine classes"
> (http://www.cfengine.com/docs/cfengine-Reference.html#Cfengine-classes) that
> "Cfengine uses both the unqualified and fully host names as classes. Some
> sites and operating systems use fully qualified names for their hosts. i.e.
> uname -n returns to full domain qualified hostname. This spoils the class
> matching algorithms for cfengine, so cfengine automatically truncates names
> which contain a dot `.' at the first `.' it encounters."
>
> given this I would have expected that the hostname used by cfservd for
> access list matching would have been "elf" not "elf.corp" as shown by the
> debug output.
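The following is an added model of the admit decision discussed in this thread, written for illustration; it is not cfservd's code and does not claim to reproduce its internals. It assumes only what the debug output shows: each admit entry is tried as a CIDR block against the client's IP, or as a glob against the name the client presented and against the IP string. With the page's own values it reproduces the denial for `*.corp.abc.com`, shows that the truncated class name `elf` would not match either, and shows that the `172.16.1.0/24` expression already used in `control:` admits the host, which is the alternative Ed suggests.

```python
"""Model of an admit: check for one path (added illustration, not cfengine code)."""
import fnmatch
import ipaddress

# Values taken from the thread: the server's admit: entry, its
# AllowConnectionsFrom block, and the client seen in the -d3 debug log.
ADMIT_GLOB = "*.corp.abc.com"
ALLOW_CIDR = "172.16.1.0/24"
CLIENT_IP = "172.16.1.68"
CLIENT_NAME = "elf.corp"


def truncate_at_first_dot(name):
    """Class-naming rule quoted from the reference manual: cut at the first '.'."""
    return name.split(".", 1)[0]


def entry_admits(entry, client_ip, client_name):
    """Decide one admit entry against one client.

    A CIDR or bare address entry is tested against the client's IP only.
    Anything else is treated as a glob and tested against the presented
    name and the IP string, mirroring the two WildMatch() pairs in the log.
    """
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None  # not an address expression, fall through to glob
    if network is not None:
        return ipaddress.ip_address(client_ip) in network
    return (fnmatch.fnmatchcase(client_name, entry)
            or fnmatch.fnmatchcase(client_ip, entry))


def access_decision(admit_entries, client_ip, client_name):
    """Return (granted, trace) where trace lists (entry, matched) per entry."""
    trace = [(entry, entry_admits(entry, client_ip, client_name))
             for entry in admit_entries]
    return any(matched for _, matched in trace), trace


if __name__ == "__main__":
    cases = [
        ("admit as posted", [ADMIT_GLOB]),
        ("admit using the control: CIDR", [ALLOW_CIDR]),
        ("both entries", [ADMIT_GLOB, ALLOW_CIDR]),
    ]
    for label, entries in cases:
        granted, trace = access_decision(entries, CLIENT_IP, CLIENT_NAME)
        print(f"{label}: {'granted' if granted else 'denied'} {trace}")
    short = truncate_at_first_dot(CLIENT_NAME)
    print(f"truncated class name {short!r} matches {ADMIT_GLOB!r}? "
          f"{fnmatch.fnmatchcase(short, ADMIT_GLOB)}")
```

The model makes the trust boundary visible: a glob entry is only as good as the name the server ends up comparing, which here is the unqualified `elf.corp` rather than a reverse-resolved FQDN, whereas a CIDR entry depends solely on the connection's source address. Whether the real cfservd also consults reverse DNS for the name is exactly the open question in the thread, so the model deliberately does not assume it.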
