help-cfengine

cfservd configuration question


From: Stan Norton
Subject: cfservd configuration question
Date: Mon, 22 Dec 2003 16:50:54 -0500
User-agent: Mutt/1.4.1i

I've been attempting to get cfengine 2.1.0p1 running on FreeBSD 5.1-RELEASE.
IPv6 was not working, so I rebuilt kernels on two machines, to test in IPv4
mode.

cfagent works fine. I am experiencing problems attempting to connect via
cfrun from another host (on which cfagent works) to cfservd.


I'm concerned about two lines from -d2 output:

AccessControl(/var/cfengine/bin/cfagent)
AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)

/var is symlinked from /usr/var. Is the symlink creating a problem with
cfengine?

This is the entry in cfservd.conf:

cfrunCommand = ( "/var/cfengine/bin/cfagent" )

grant:

/var/cfengine/bin/cfagent       rtty2.domain.com

I have also tried these as:


cfrunCommand = ( "/usr/var/cfengine/bin/cfagent" ) with an appropriate grant
change. No effect.

Thanks for any help. I'm looking forward to getting this going.


--------------------------------------------------------------------------------------------------


Edited -d2 output: 

...
ACCESS GRANTED ----------------------:

Path: /var/cfengine/bin/cfagent (encrypt=0)
   Admit: rtty2.domain.com root=
Path: /var/cfengine/inputs (encrypt=0)
   Admit: rtty2.domain.com root=
ACCESS DENIAL ------------------------ :

Host IPs allowed connection access :

IP: 192.168.1.215
Host IPs denied connection access :

Host IPs allowed multiple connection access :

Host IPs from whom we shall accept public keys on trust :

IP: 192.168.1.215

...

Connecting host identifies itself as 192.168.1.215 rtty2.domain.com
root 0
(ipstring=[192.168.1.215],fqname=[rtty2.domain.com],username=[root],socket=[192.168.1.215])
cfservd: Allowing 192.168.1.215 to connect without (re)checking ID
Non-verified Host ID is rtty2.domain.com (Using skipverify)
Non-verified User ID seems to be root (Using skipverify)

...

Havekey(root-192.168.1.215)
Loaded /var/cfengine/ppkeys/root-192.168.1.215.pub

...

A public key was already known from rtty2.domain.com/192.168.1.215 -
no trust required
Adding IP 192.168.1.215 to SkipVerify - no need to check this if we have a key
Prepending 192.168.1.215
The public key identity was confirmed as root@rtty2.domain.com

...

cfservd: Strongly authentication of client
rtty2.domain.com/192.168.1.215

...



User root granted connection privileges
>>>AccessControl(/var/cfengine/bin/cfagent)
>>>AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
encrypt request=0
cfservd: Host rtty2.domain.com denied access to
/usr/var/cfengine/bin/cfagent
cfservd: Host authorization/authentication failed or access denied
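
An added example (not part of the original message and not cfengine code): a small parser for the -d2 output above that lists each AccessControl(path,host) check with no matching entry in the ACCESS GRANTED table, together with any granted paths that differ from it only by a leading prefix. The function names are hypothetical, and the rule that a grant covers everything beneath its path is an assumption.

```python
import re

# Excerpt of the -d2 output quoted in the message above.
SAMPLE = """\
ACCESS GRANTED ----------------------:
Path: /var/cfengine/bin/cfagent (encrypt=0)
   Admit: rtty2.domain.com root=
Path: /var/cfengine/inputs (encrypt=0)
   Admit: rtty2.domain.com root=
ACCESS DENIAL ------------------------ :
>>>AccessControl(/var/cfengine/bin/cfagent)
>>>AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
cfservd: Host rtty2.domain.com denied access to
/usr/var/cfengine/bin/cfagent
"""

def parse_grants(text):
    """Map each granted Path: to the hosts on its Admit: lines."""
    grants, current, in_grants = {}, None, False
    for line in text.splitlines():
        if line.startswith("ACCESS GRANTED"):
            in_grants = True
        elif line.startswith("ACCESS DENIAL"):
            in_grants = False
        elif in_grants and (m := re.match(r"Path: (\S+)", line)):
            current = m.group(1)
            grants[current] = []
        elif in_grants and current and (m := re.match(r"\s+Admit: (\S+)", line)):
            grants[current].append(m.group(1))
    return grants

def parse_checks(text):
    """(path, host) pairs from the two-argument AccessControl(path,host) lines."""
    return re.findall(r"AccessControl\(([^,()\s]+),([^()\s]+)\)", text)

def unmatched_checks(text):
    """Checks with no admitting grant, plus grants that are a suffix of the path."""
    grants = parse_grants(text)
    report = []
    for path, host in parse_checks(text):
        # Assumption: a grant covers the path itself and anything beneath it.
        covering = [g for g in grants
                    if path == g or path.startswith(g.rstrip("/") + "/")]
        if not any(host in grants[g] for g in covering):
            near = [g for g in grants if path.endswith(g)]
            report.append((path, host, near))
    return report

if __name__ == "__main__":
    for path, host, near in unmatched_checks(SAMPLE):
        print(f"{host}: checked {path}, no grant matches; similar grants: {near}")
```

A non-empty "similar grants" list means the path that was checked is a granted path with extra leading components, which is the pattern visible in the two AccessControl lines.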





