cfservd configuration question
From: Stan Norton
Subject: cfservd configuration question
Date: Mon, 22 Dec 2003 16:50:54 -0500
User-agent: Mutt/1.4.1i
I've been attempting to get cfengine 2.1.0p1 running on FreeBSD 5.1-RELEASE.
IPv6 was not working, so I rebuilt kernels on two machines, to test in IPv4
mode.
cfagent works fine. I am experiencing problems attempting to connect via
cfrun from another host (on which cfagent works) to cfservd.
I'm concerned about two lines from -d2 output:
AccessControl(/var/cfengine/bin/cfagent)
AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
/var is symlinked from /usr/var. Is the symlink creating a problem with
cfengine?
This is the entry in cfservd.conf:
cfrunCommand = ( "/var/cfengine/bin/cfagent" )
grant:
/var/cfengine/bin/cfagent rtty2.domain.com
I have also tried these as:
cfrunCommand = ( "/usr/var/cfengine/bin/cfagent" ) with an appropriate grant
change. No effect.
Thanks for any help. I'm looking forward to getting this going.
--------------------------------------------------------------------------------------------------
Edited -d2 output:
...
ACCESS GRANTED ----------------------:
Path: /var/cfengine/bin/cfagent (encrypt=0)
Admit: rtty2.domain.com root=
Path: /var/cfengine/inputs (encrypt=0)
Admit: rtty2.domain.com root=
ACCESS DENIAL ------------------------ :
Host IPs allowed connection access :
IP: 192.168.1.215
Host IPs denied connection access :
Host IPs allowed multiple connection access :
Host IPs from whom we shall accept public keys on trust :
IP: 192.168.1.215
...
Connecting host identifies itself as 192.168.1.215 rtty2.domain.com
root 0
(ipstring=[192.168.1.215],fqname=[rtty2.domain.com],username=[root],socket=[192.168.1.215])
cfservd: Allowing 192.168.1.215 to connect without (re)checking ID
Non-verified Host ID is rtty2.domain.com (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)
...
Havekey(root-192.168.1.215)
Loaded /var/cfengine/ppkeys/root-192.168.1.215.pub
...
A public key was already known from rtty2.domain.com/192.168.1.215 -
no trust required
Adding IP 192.168.1.215 to SkipVerify - no need to check this if we have a key
Prepending 192.168.1.215
The public key identity was confirmed as root@rtty2.domain.com
...
cfservd: Strongly authentication of client
rtty2.domain.com/192.168.1.215
...
User root granted connection privileges
>>>AccessControl(/var/cfengine/bin/cfagent)
>>>AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
encrypt request=0
cfservd: Host rtty2.domain.com denied access to
/usr/var/cfengine/bin/cfagent
cfservd: Host authorization/authentication failed or access denied