help-cfengine

Re: cfrun authentication debugging


From: Ed Brown
Subject: Re: cfrun authentication debugging
Date: Wed, 08 Feb 2006 16:31:38 -0700

I don't use cfrun, but this sure looks like problems with cfagent on 
ols5 failing to talk to cfservd on cint0.  Sure you can run cfagent on
ols5?  If you suspect problems with keys, drop all the 'foreign' keys
from /var/cfengine/ppkeys on both machines, and enable TrustKeysFrom for
those IPs in cfservd.conf on both machines to let cfengine handle the
key exchanges.

-Ed


On Tue, 2006-02-07 at 14:31 -0800, paul beard wrote: 
> 
> As suggested, I have cfagent running on my policy host and a  
> potential client. Now I am trying to test cfrun from the policyhost  
> to the client. I have attached conf files and some debug output.
> 
> I have made new keys, exchanged them with scp, and I seem to be no  
> better off. What can I try next?
> 
> This is the authentication part of what cfrun -v yields:
> 
> The time is now Tue Feb  7 14:25:26 2006
> 
> 
> ------------------------------------------------------------------------
> 
> Additional hard class defined as: 32_bit
> Additional hard class defined as: freebsd_6_0_STABLE
> Additional hard class defined as: freebsd_i386
> Additional hard class defined as: freebsd_i386_6_0_STABLE
> Additional hard class defined as: freebsd_i386_6_0_STABLE_FreeBSD_6_0_STABLE__0__Wed_Jan_11_12_29_14_PST_2006_____root_int0_waypath_com__usr_obj_usr_src_sys_GENERIC
> 
> GNU autoconf class from compile time: compiled_on_freebsd5_4
> 
> Address given by nameserver: 192.168.10.20
> Setting cfengine new port to 48148
> Setting cfengine old port to 5308
> Checking integrity of the state database
> Checking integrity of the module directory
> Checking integrity of the input data for RPC
> Checking integrity of the output data for RPC
> Checking integrity of the PKI directory
> Making sure that locks are private...
> Loaded /var/cfengine/ppkeys/localhost.priv
> Loaded /var/cfengine/ppkeys/localhost.pub
> Looking for a source of entropy in /var/cfengine/randseed
> cfrun(0):         .......... [ Hailing ols5.waypath.com ] ..........
> Connecting to server ols5.waypath.com to port 0 with options
> Loaded /var/cfengine/ppkeys/root-192.168.10.35.pub
> Connect to ols5.waypath.com = 192.168.10.35 on port 5308
> Updating last-seen time for ols5.waypath.com
> Loaded /var/cfengine/ppkeys/root-192.168.10.35.pub
> 
> ...............................................................
> cfrun:int0.waypath.com: Strong authentication of server=ols5.waypath.com connection confirmed
> ols5.waypath.com replies..
> 
> gine::
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> cfengine:: cfengine:: Authentication dialogue with cint0.waypath.com failed
> cfengine:: Unable to establish connection with cint0.waypath.com (failover)
> gine:ols5: cfengine:ols5: cfengine:ols5: Authentication dialogue with cint0.waypath.com failed
> cfengine:ols5: Unable to establish connection with cint0.waypath.com (failover)
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> Connection with ols5.waypath.com completed
> 
> 
> 
> update.conf:
> # /etc/cfengine/update.conf - for the clients
> #
> 
> control:
>    domain          = ( waypath.com )
>    actionsequence  = ( copy tidy )
> #  DefaultCopyType = ( checksum )
>    master_cfinput  = ( /exports/files )
>    workdir         = ( /var/cfengine )
>    policyhost      = ( cint0.waypath.com )
>    freebsd::
>    cf_install_dir  = ( /usr/local/sbin )
>    linux::
>    cf_install_dir  = ( /usr/sbin )
> 
> # Download the most recent 'cfagent.conf' file from the
> # server, and install it to /var/cfengine
> #
> 
> any::
> #   SplayTime       = ( 5 )
>       copy:
> 
>            $(master_cfinput)            dest=$(workdir)/inputs
>                                         r=inf
>                                         mode=700
>                                         type=binary
>                                         exclude=*.lst
>                                         exclude=*~
>                                         exclude=#*
>                                         server=$(policyhost)
> 
>            $(cf_install_dir)/cfagent    dest=$(workdir)/bin/cfagent
>                                         mode=755
>                                         backup=false
>                                         type=checksum
> 
>            $(cf_install_dir)/cfservd    dest=$(workdir)/bin/cfservd
>                                         mode=755
>                                         backup=false
>                                         type=checksum
> 
>            $(cf_install_dir)/cfexecd    dest=$(workdir)/bin/cfexecd
>                                         mode=755
>                                         backup=false
>                                         type=checksum
> 
> tidy:
>     $(workdir)/outputs   pattern=*  age=31
> 
> cfagent.conf:
> control:
>    domain = ( waypath.com )
>    access = ( root )
>    freebsd::
>    cfrunCommand = ( "/usr/local/sbin/cfagent" )
>    linux::
>    cfrunCommand = ( "/usr/sbin/cfagent" )
>    timezone = ( PST GMT UTC )
>    maxage = ( 7 )
>    actionsequence = ( copy files )
> 
> #
> # Fix some basic file permissions.
> #
> files:
>    freebsd::
>    /etc/sudoers mode=440 owner=root group=wheel   action=fixall
>    /etc/passwd mode=644  owner=root group=wheel   action=fixall
>    /etc/hosts  mode=644  owner=root group=wheel   action=fixall
>    linux::
>    /etc/shadow mode=640  owner=root group=root action=fixall
>    /etc/sudoers mode=440 owner=root group=root   action=fixall
>    /etc/passwd mode=644  owner=root group=root   action=fixall
>    /etc/hosts  mode=644  owner=root group=root   action=fixall
> #
> # Clean out *ALL* files older than $(maxage) days from /tmp.
> #
> # Clean out files older than $(maxage) which match the pattern *~
> # inside user home directories.
> #
> copy:
>          /exports/files/etc/hosts
>                  dest=/etc/hosts
>                  server=cint0.waypath.com
> 
> --
> Paul Beard
> contact info: www.paulbeard.org/paulbeard.vcf
> 
> Are you trying to win an argument or solve a problem?
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine
-- 
Ed Brown <ebrown@lanl.gov>
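A small helper, added here and not part of Ed's or Paul's posts or of cfengine itself, that carries out Ed's two steps on one host: it moves the foreign root-<ip>.pub keys in /var/cfengine/ppkeys aside instead of deleting them, and prints the TrustKeysFrom control lines for cfservd.conf. The cfservd.conf syntax is assumed from the cfengine 2 reference; the quarantine directory name and the address list are assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster or from cfengine.
# cfengine 2 keeps this host's own key pair as localhost.priv / localhost.pub in
# /var/cfengine/ppkeys and every peer key it has accepted as <user>-<ip>.pub
# (e.g. root-192.168.10.35.pub). A stale peer key is one cause of
# "Authentication dialogue ... failed". The helpers below move peer keys aside
# rather than deleting them, so the step is reversible.

# Print the names of the peer ("foreign") public keys in directory $1, sorted.
list_foreign_keys() {
    dir=$1
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            localhost.pub) ;;          # this host's own public key: keep it
            *) basename "$f" ;;
        esac
    done | sort
}

# Move all peer keys from $1 into a sibling directory <dir>.quarantine.<timestamp>
# (assumed naming) and print that directory's path.
quarantine_foreign_keys() {
    dir=${1%/}
    dest="$dir.quarantine.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest"
    list_foreign_keys "$dir" | while read -r k; do
        mv "$dir/$k" "$dest/$k"
    done
    echo "$dest"
}

# Print the control lines for cfservd.conf (assumed cfengine 2 syntax) that let
# the listed addresses present a new key on first contact. Keep the list to the
# exact peer addresses and remove the setting again once both hosts have
# re-created their root-<ip>.pub files: while it is set, whatever answers from
# one of those addresses can introduce a key the server will store and accept.
trust_snippet() {
    printf 'control:\n   TrustKeysFrom = ( %s )\n' "$*"
}

# Usage on cint0 (paths from the thread, run as root):
#   quarantine_foreign_keys /var/cfengine/ppkeys
#   trust_snippet 192.168.10.35      # paste into the control: section of cfservd.conf
```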




