Re: problems with trust
From: Ed Brown
Subject: Re: problems with trust
Date: Tue, 20 Sep 2005 09:36:17 -0600
Your debug output indicates you are attempting to connect to (copy from)
boa. Yet boa is defined as 'colo_server', not 'cfengine_server', so the
TrustKeysFrom line in cfservd.conf is not applicable.
On Tue, 2005-09-20 at 09:01, Bill Gunter wrote:
> The domain values are the same. Here are my configs.
>
> cfservd.conf:
> #
> groups:
> # the name of our server is 'server'
> cfengine_server = ( asp )
> colo_server = ( boa )
>
> control:
>
> domain = ( (ExecResult(/bin/domainname) )
>
> cfengine_server::
> # tcp_wrappers-like access control
> AllowConnectionsFrom = (
> 208.10.199.0/24
> 66.162.222.0/24
> 216.54.235.0/24
> 192.168.199.0/24
> )
>
> TrustKeysFrom = (
> 208.10.199.0/24
> 66.162.222.0/24
> 216.54.235.0/24
> 192.168.199.0/24
> )
>
> admit:
> /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
>
> cfengine_server::
> # Various directories #
> colo_server::
> # Various directories #
> #
>
>
>
> update.conf
> #
> groups:
> webserver = ( HostRange(web,1-255) )
> cwebserver = ( HostRange(cweb,1-255) )
>
> control:
> sysadm = ( email@email )
> actionsequence = ( copy directories links processes tidy )
>
> domain = ( ExecResult(/bin/domainname) )
>
> !cfengine_server::
> SplayTime = ( 5 )
>
> workdir = ( /var/cfengine )
> configroot = ( /cfengine )
>
> AddInstallable = ( new_cfenvd new_cfservd )
>
> solaris::
> cf_remote_bin_dir = ( /usr/local/sbin )
> cf_local_bin_dir = ( /usr/local/sbin )
> bin_server = ( asp.arcsystems.com )
>
> linux::
> cf_remote_bin_dir = ( /usr/local/sbin )
> cf_local_bin_dir = ( /usr/local/sbin )
>
> 208_10_199|216_54_235::
> server = ( asp.arcsystems.com )
> webserver::
> server = ( z_asp.arcsystems.com )
> 66_162_222::
> server = ( boa.arcsystems.com )
> cwebserver::
> server = ( z_boa.arcsystems.com )
>
> copy:
> ${configroot}/config/cfengine
> dest=${workdir}
> mode=700
> owner=root
> recurse=inf
> ignore=CVS
> server=$(server)
> trustkey=true
> type=binary
>
>
> #
>
> And here is a portion of the output from a "cfagent -vq -d1".
>
> *********************************************************************
> Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005
> *********************************************************************
>
> (BuildClassEnvironment)
> Actionsequence item copy
> New server connection...
> ExpandVarstring(boa.arcsystems.com)
> ExpandVarstring(boa.arcsystems.com)
> ExpandVarstring(/cfengine/config/cfengine)
> ExpandVarstring(/var/cfengine)
> Checking copy from boa.arcsystems.com:/cfengine/config/cfengine
> to /var/cfengine
> ExpandVarstring(boa.arcsystems.com)
> Opening server connnection to boa.arcsystems.com
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> IPV4 address
> sockaddr_ntop(66.162.222.44)
> Found address (66.162.222.44) for host boa.arcsystems.com
> Updating last-seen time for boa.arcsystems.com
> Remote IP set to 66.162.222.44
> IPV4 address
> sockaddr_ntop(66.162.222.71)
> Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com,
> with signature 0
> IsIPV6Address(anaconda)
> Appending domain arcsystems.com to anaconda
> SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
> Transaction Send[t 50][Packed text]
> Attempting to send 58 bytes
> SendSocketStream, sent 58
> OptionIs(update,HostnameKeys,1)
> GetMacroValue(update,HostnameKeys)
> KeyAuthentication(with IP keyname root-66.162.222.44)
> Havekey(root-66.162.222.44)
> Did not have key root-66.162.222.44
> Transaction Send[t 61][Packed text]
> Attempting to send 69 bytes
> SendSocketStream, sent 69
> Transaction Send[t 261][Packed text]
> Attempting to send 269 bytes
> SendSocketStream, sent 269
> Transaction Send[t 5][Packed text]
> Attempting to send 13 bytes
> SendSocketStream, sent 13
> RecvSocketStream(8)
> (Concatenated 8 from stream)
> Transaction Receive [t 39][]
> RecvSocketStream(39)
> (Concatenated 39 from stream)
> cfengine:: BAD: key could not be accepted on trust
> cfengine:: Authentication dialogue with boa.arcsystems.com failed
> Closing current connection
> cfengine:: Unable to establish connection with boa.arcsystems.com
> (failover)
> Closing current connection
> Saving the setuid log in /var/cfengine/cfagent.anaconda.log
> Job start time set to Tue Sep 20 09:58:59 2005
>
> On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote:
> > The same cfservd.conf, including 'domain' value? Does that match the
> > domain in your update.conf? (Not sure that would result in a key/trust
> > error message, but it wouldn't be the only misleading error in
> > cfengine.)
> >
> > Key exchange happens within cfengine, and doesn't require 'admit' or
> > 'grant' statements to the keys (or 'copy:' statements). I don't think
> > you need the 'admit:' line below, though you do need one or more for the
> > files that you are trying to copy.
> >
> > Suggest you post more of your cfservd.conf and update.conf files, as
> > well as more of the error output, which could hold other clues. (Delete
> > or disguise info you don't want to share, but if you really want help,
> > provide more information up front!)
> >
> >
> >
> >
> > On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> > > Sorry, the repost I sent didn't include the entire original post. Here's
> > > the deal.
> > >
> > > I'm using the same cfservd.conf on two servers on two different nets,
> > > 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> > > establish trust automatically with the cfservd on the 208 net, but the
> > > clients on the 66 net throw "BAD: key could not be accepted on trust,"
> > > and the cfservd throws the same error, when they try to connect to the
> > > cfservd on the 66 net.
> > >
> > > Here are the relevant parts of the cfservd.conf. You can ignore the
> > > other two nets listed.
> > >
> > > control:
> > > cfengine_server::
> > > # tcp_wrappers-like access control
> > > AllowConnectionsFrom = (
> > > 208.10.199.0/24
> > > 66.162.222.0/24
> > > 216.54.235.0/24
> > > 192.168.199.0/24
> > > )
> > >
> > > TrustKeysFrom = (
> > > 208.10.199.0/24
> > > 66.162.222.0/24
> > > 216.54.235.0/24
> > > 192.168.199.0/24
> > > )
> > >
> > > admit:
> > > /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> > >
> > >
> > > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> > > > > > The clients and server are on the same network, 66.162.222.0/24.
> > > > > > Here's the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
> > > > > >
> > > > > > TrustKeysFrom = (
> > > > > > 208.10.199.0/24
> > > > > > 66.162.222.0/24
> > > > > > 216.54.235.0/24
> > > > > > 192.168.199.0/24
> > > > > > )
> > > >
> > > > This raises lots of questions, like about the topology and network
> > > > configuration of your clients and server[s?] (multiple interfaces,
> > > > routing, hostnames and 'domain' value...?) What 'stuff' is working?
> > > > More information might help get you an answer quicker. Are you saying
> > > > clients on 208.10.199.0/24 are talking ok to the server on
> > > > 66.162.222.0/24, but not clients on the same subnet as the server, or
> > > > do you have cfengine servers on each subnet?
> > > >
> > > >
> > > >
> >
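Ed's diagnosis turns on how cfengine 2 scopes `control:` settings by class: `TrustKeysFrom` sits under `cfengine_server::`, and only `asp` is in that group, so on `boa` the setting is simply not defined. The following is an added example, not code from the thread or from cfengine: a small Python parser for the cfservd.conf excerpt quoted above (embedded here as a constructed string, trust-relevant parts only) that evaluates which settings apply on a given host and whether a client IP such as 66.162.222.71 would be covered by an applicable `TrustKeysFrom`. Host names are matched as cfengine does, by the unqualified hostname class and the groups that list it.

```python
import ipaddress
import re
# Constructed excerpt of the cfservd.conf quoted in the thread (trust-relevant parts only).
CFSERVD_CONF = """\
groups:
cfengine_server = ( asp )
colo_server = ( boa )
control:
cfengine_server::
# tcp_wrappers-like access control
TrustKeysFrom = (
208.10.199.0/24
66.162.222.0/24
)
"""

def parse(text):
    """Return (groups, settings): group -> members, and (class, key, values) triples."""
    groups, settings = {}, []
    section, cls, pending = None, "any", None  # pending: (key, values) of an open list
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and surrounding whitespace
        if pending is None:
            if line.endswith("::"):            # class selector such as cfengine_server::
                cls = line[:-2]
            elif line.endswith(":"):           # a new section resets the class to 'any'
                section, cls = line[:-1], "any"
            elif (m := re.match(r"^(\w+)\s*=\s*\(\s*(.*)$", line)):
                pending, line = (m.group(1), []), m.group(2)
            if pending is None:
                continue
        pending[1].extend(line.rstrip(")").split())
        if line.endswith(")"):                 # list closed: store it where it belongs
            key, values = pending
            if section == "groups":
                groups[key] = values
            else:
                settings.append((cls, key, values))
            pending = None
    return groups, settings

def effective(host, groups, settings):  # control settings whose class is defined on host
    classes = {"any", host} | {g for g, members in groups.items() if host in members}
    return {key: values for cls, key, values in settings if cls in classes}

def trusts_key_from(host, client_ip, groups, settings):  # applicable TrustKeysFrom covers ip?
    nets = effective(host, groups, settings).get("TrustKeysFrom", [])
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
```

Running `trusts_key_from("boa", "66.162.222.71", *parse(CFSERVD_CONF))` returns False while the same check for `asp` returns True, which is exactly the asymmetry seen in the thread.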