Re: problems with trust
From: Bill Gunter
Subject: Re: problems with trust
Date: Tue, 20 Sep 2005 10:45:18 -0500
GAAAAA! I knew it would be something stupid. Thanks for being my second
pair of eyes.
bg
On Tue, 2005-09-20 at 10:36 -0500, Ed Brown wrote:
> Your debug output indicates you are attempting to connect to (copy from)
> boa. Yet boa is defined as 'colo_server', not 'cfengine_server', so the
> TrustKeysFrom line in cfservd.conf is not applicable.
>
>
>
> On Tue, 2005-09-20 at 09:01, Bill Gunter wrote:
> > The domain values are the same. Here are my configs.
> >
> > cfservd.conf:
> > #
> > groups:
> > # the name of our server is 'server'
> > cfengine_server = ( asp )
> > colo_server = ( boa )
> >
> > control:
> >
> > domain = ( ExecResult(/bin/domainname) )
> >
> > cfengine_server::
> > # tcp_wrappers-like access control
> > AllowConnectionsFrom = (
> > 208.10.199.0/24
> > 66.162.222.0/24
> > 216.54.235.0/24
> > 192.168.199.0/24
> > )
> >
> > TrustKeysFrom = (
> > 208.10.199.0/24
> > 66.162.222.0/24
> > 216.54.235.0/24
> > 192.168.199.0/24
> > )
> >
> > admit:
> > /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> >
> > cfengine_server::
> > # Various directories #
> > colo_server::
> > # Various directories #
> > #
> >
> >
> >
> > update.conf
> > #
> > groups:
> > webserver = ( HostRange(web,1-255) )
> > cwebserver = ( HostRange(cweb,1-255) )
> >
> > control:
> > sysadm = ( email@email )
> > actionsequence = ( copy directories links processes tidy )
> >
> > domain = ( ExecResult(/bin/domainname) )
> >
> > !cfengine_server::
> > SplayTime = ( 5 )
> >
> > workdir = ( /var/cfengine )
> > configroot = ( /cfengine )
> >
> > AddInstallable = ( new_cfenvd new_cfservd )
> >
> > solaris::
> > cf_remote_bin_dir = ( /usr/local/sbin )
> > cf_local_bin_dir = ( /usr/local/sbin )
> > bin_server = ( asp.arcsystems.com )
> >
> > linux::
> > cf_remote_bin_dir = ( /usr/local/sbin )
> > cf_local_bin_dir = ( /usr/local/sbin )
> >
> > 208_10_199|216_54_235::
> > server = ( asp.arcsystems.com )
> > webserver::
> > server = ( z_asp.arcsystems.com )
> > 66_162_222::
> > server = ( boa.arcsystems.com )
> > cwebserver::
> > server = ( z_boa.arcsystems.com )
> >
> > copy:
> > ${configroot}/config/cfengine
> > dest=${workdir}
> > mode=700
> > owner=root
> > recurse=inf
> > ignore=CVS
> > server=$(server)
> > trustkey=true
> > type=binary
> >
> >
> > #
> >
> > And here is a portion of the output from a "cfagent -vq -d1".
> >
> >
> > *********************************************************************
> > Update Sched: copy pass 1 @ Tue Sep 20 09:58:58 2005
> > *********************************************************************
> >
> > (BuildClassEnvironment)
> > Actionsequence item copy
> > New server connection...
> > ExpandVarstring(boa.arcsystems.com)
> > ExpandVarstring(boa.arcsystems.com)
> > ExpandVarstring(/cfengine/config/cfengine)
> > ExpandVarstring(/var/cfengine)
> > Checking copy from boa.arcsystems.com:/cfengine/config/cfengine
> > to /var/cfengine
> > ExpandVarstring(boa.arcsystems.com)
> > Opening server connnection to boa.arcsystems.com
> > IPV4 address
> > sockaddr_ntop(66.162.222.44)
> > Connect to boa.arcsystems.com = 66.162.222.44 on port cfengine
> > IPV4 address
> > sockaddr_ntop(66.162.222.44)
> > IPV4 address
> > sockaddr_ntop(66.162.222.44)
> > Found address (66.162.222.44) for host boa.arcsystems.com
> > Updating last-seen time for boa.arcsystems.com
> > Remote IP set to 66.162.222.44
> > IPV4 address
> > sockaddr_ntop(66.162.222.71)
> > Identifying this agent as 66.162.222.71 i.e. anaconda.arcsystems.com, with signature 0
> > IsIPV6Address(anaconda)
> > Appending domain arcsystems.com to anaconda
> > SENT:::CAUTH 66.162.222.71 anaconda.arcsystems.com root 0
> > Transaction Send[t 50][Packed text]
> > Attempting to send 58 bytes
> > SendSocketStream, sent 58
> > OptionIs(update,HostnameKeys,1)
> > GetMacroValue(update,HostnameKeys)
> > KeyAuthentication(with IP keyname root-66.162.222.44)
> > Havekey(root-66.162.222.44)
> > Did not have key root-66.162.222.44
> > Transaction Send[t 61][Packed text]
> > Attempting to send 69 bytes
> > SendSocketStream, sent 69
> > Transaction Send[t 261][Packed text]
> > Attempting to send 269 bytes
> > SendSocketStream, sent 269
> > Transaction Send[t 5][Packed text]
> > Attempting to send 13 bytes
> > SendSocketStream, sent 13
> > RecvSocketStream(8)
> > (Concatenated 8 from stream)
> > Transaction Receive [t 39][]
> > RecvSocketStream(39)
> > (Concatenated 39 from stream)
> > cfengine:: BAD: key could not be accepted on trust
> > cfengine:: Authentication dialogue with boa.arcsystems.com failed
> > Closing current connection
> > cfengine:: Unable to establish connection with boa.arcsystems.com (failover)
> > Closing current connection
> > Saving the setuid log in /var/cfengine/cfagent.anaconda.log
> > Job start time set to Tue Sep 20 09:58:59 2005
> >
> > On Mon, 2005-09-19 at 17:52 -0600, Ed Brown wrote:
> > > The same cfservd.conf, including 'domain' value? Does that match the
> > > domain in your update.conf? (Not sure that would result in a key/trust
> > > error message, but it wouldn't be the only misleading error in
> > > cfengine.)
> > >
> > > Key exchange happens within cfengine, and doesn't require 'admit' or
> > > 'grant' statements to the keys (or 'copy:' statements). I don't think
> > > you need the 'admit:' line below, though you do need one or more for the
> > > files that you are trying to copy.
> > >
> > > Suggest you post more of your cfservd.conf and update.conf files, as
> > > well as more of the error output, which could hold other clues. (Delete
> > > or disguise info you don't want to share, but if you really want help,
> > > provide more information up front!)
> > >
> > >
> > >
> > >
> > > On Mon, 2005-09-19 at 16:12, Bill Gunter wrote:
> > > > Sorry, the repost I sent didn't include the entire original post. Here's
> > > > the deal.
> > > >
> > > > I'm using the same cfservd.conf on two servers on two different nets,
> > > > 208.10.199 and 66.162.222. Clients on the 208 net can connect and
> > > > establish trust automatically with the cfservd on the 208 net, but the
> > > > clients on the 66 net throw "BAD: key could not be accepted on trust,"
> > > > and the cfservd throws the same error, when they try to connect to the
> > > > cfservd on the 66 net.
> > > >
> > > > Here are the relevant parts of the cfservd.conf. You can ignore the
> > > > other two nets listed.
> > > >
> > > > control:
> > > > cfengine_server::
> > > > # tcp_wrappers-like access control
> > > > AllowConnectionsFrom = (
> > > > 208.10.199.0/24
> > > > 66.162.222.0/24
> > > > 216.54.235.0/24
> > > > 192.168.199.0/24
> > > > )
> > > >
> > > > TrustKeysFrom = (
> > > > 208.10.199.0/24
> > > > 66.162.222.0/24
> > > > 216.54.235.0/24
> > > > 192.168.199.0/24
> > > > )
> > > >
> > > > admit:
> > > > /var/cfengine/ppkeys/localhost.pub *.arcsystems.com
> > > >
> > > >
> > > > On Mon, 2005-09-19 at 16:30 -0500, Ed Brown wrote:
> > > > > > On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> > > > > > > The clients and server are on the same network, 66.162.222.0/24.
> > > > > > > Here's the TrustKeys. The stuff on the 208.10.199.0/24 net works
> > > > > > > fine.
> > > > > > >
> > > > > > > TrustKeysFrom = (
> > > > > > > 208.10.199.0/24
> > > > > > > 66.162.222.0/24
> > > > > > > 216.54.235.0/24
> > > > > > > 192.168.199.0/24
> > > > > > > )
> > > > >
> > > > > This raises lots of questions, like about the topology and network
> > > > > configuration of your clients and server[s?] (multiple interfaces,
> > > > > routing, hostnames and 'domain' value...?) What 'stuff' is working?
> > > > > More information might help get you an answer quicker. Are you saying
> > > > > clients on 208.10.199.0/24 are talking ok to the server on
> > > > > 66.162.222.0/24, but not clients on the same subnet as the server, or
> > > > > do you have cfengine servers on each subnet?
> > > > >
> > > > >
> > > > >
> > >
>
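The class-scoping mistake Ed points out above (TrustKeysFrom is set only under cfengine_server::, while boa belongs only to colo_server) can be checked mechanically before a key is ever offered on trust. The following is an added example, not cfengine's own parser or anything posted in the thread: a small Python model of cfengine 2 group and class resolution, run over a trimmed, constructed copy of the quoted cfservd.conf, with FIXED_CONF showing the widened class expression. The tokenizer is a simplifying assumption of this example (it does not handle nested parentheses inside values).

```python
import re

# Trimmed copy of the cfservd.conf quoted in the thread (constructed sample).
CFSERVD_CONF = """
groups:
  cfengine_server = ( asp )
  colo_server = ( boa )
control:
  cfengine_server::
    TrustKeysFrom = (
      208.10.199.0/24
      66.162.222.0/24
    )
"""
# Ed's fix: make the trust block apply to boa's class as well as asp's.
FIXED_CONF = CFSERVD_CONF.replace("cfengine_server::", "cfengine_server|colo_server::")

# Tokens: 'section:', 'classexpr::' and 'name = ( values )'; lists may span lines.
_TOKEN = re.compile(r"(\w+):(?!:)|([\w|!.]+)::|(\w+)\s*=\s*\(([^)]*)\)")

def parse(text):
    """Return (groups, settings): class -> hosts, and class expression -> control: values."""
    groups, settings, section, cls = {}, {}, None, "any"
    for sect, expr, name, vals in _TOKEN.findall(re.sub(r"#.*", "", text)):
        if sect:                         # section header, e.g. control:
            section, cls = sect, "any"
        elif expr:                       # class selector, e.g. cfengine_server::
            cls = expr
        elif section == "groups":
            groups[name] = vals.split()
        elif section == "control":
            settings.setdefault(cls, {})[name] = vals.split()
    return groups, settings

def class_matches(expr, host_classes):
    """cfengine 2 class expression: '|' is OR, '.' is AND, '!' negates a term."""
    return any(all((t.lstrip("!") in host_classes) != t.startswith("!")
                   for t in conj.split(".")) for conj in expr.split("|"))

def effective_settings(host, conf):
    """Merge every control: block whose class expression is true for host."""
    groups, settings = conf
    classes = {"any", host} | {g for g, hosts in groups.items() if host in hosts}
    return {k: v for expr, kv in settings.items() if class_matches(expr, classes)
            for k, v in kv.items()}

def trusts_keys_from(host, conf, cidr):
    """True if cfservd on host would accept an unknown key from cidr on trust."""
    return cidr in effective_settings(host, conf).get("TrustKeysFrom", [])
```

With the posted layout, effective_settings("boa", ...) is empty, which is exactly why boa answers "key could not be accepted on trust" while asp does not.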