Re: cfservd configuration question
From: Mark Burgess
Subject: Re: cfservd configuration question
Date: Mon, 22 Dec 2003 23:48:27 +0100 (MET)

FreeBSD handles IPv6 differently to all other OSes, but it should work,
even in spite of the illogical way it is implemented. I believe
some FreeBSD users have verified this. It certainly works OK on Linux
and Solaris.

I do not understand the reference to /usr in these messages. Perhaps
there is an issue with symbolic links here. You need to grant access
to the true path, not via a symlink.

M
On 22 Dec, Stan Norton wrote:
> I've been attempting to get cfengine 2.1.0p1 running on FreeBSD 5.1-RELEASE.
> IPv6 was not working, so I rebuilt kernels on two machines, to test in IPv4
> mode.
>
> cfagent works fine. I am experiencing problems attempting to connect via
> cfrun from another host (on which cfagent works) to cfservd.
>
>
> I'm concerned about two lines from -d2 output:
>
> AccessControl(/var/cfengine/bin/cfagent)
> AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
>
> /var is symlinked from /usr/var. Is the symlink creating a problem with
> cfengine?
>
> This is the entry in cfservd.conf:
>
> cfrunCommand = ( "/var/cfengine/bin/cfagent" )
>
> grant:
>
> /var/cfengine/bin/cfagent rtty2.domain.com
>
> I have also tried these as:
>
>
> cfrunCommand = ( "/usr/var/cfengine/bin/cfagent" ) with an appropriate grant
> change. No effect.
>
> Thanks for any help. I'm looking forward to getting this going.
>
>
> --------------------------------------------------------------------------------------------------
>
>
> Edited -d2 output:
>
> ...
> ACCESS GRANTED ----------------------:
>
> Path: /var/cfengine/bin/cfagent (encrypt=0)
> Admit: rtty2.domain.com root=
> Path: /var/cfengine/inputs (encrypt=0)
> Admit: rtty2.domain.com root=
> ACCESS DENIAL ------------------------ :
>
> Host IPs allowed connection access :
>
> IP: 192.168.1.215
> Host IPs denied connection access :
>
> Host IPs allowed multiple connection access :
>
> Host IPs from whom we shall accept public keys on trust :
>
> IP: 192.168.1.215
>
> ...
>
> Connecting host identifies itself as 192.168.1.215 rtty2.domain.com
> root 0
> (ipstring=[192.168.1.215],fqname=[rtty2.domain.com],username=[root],socket=[192.168.1.215])
> cfservd: Allowing 192.168.1.215 to connect without (re)checking ID
> Non-verified Host ID is rtty2.domain.com (Using skipverify)
> Non-verified User ID seems to be root (Using skipverify)
>
> ...
>
> Havekey(root-192.168.1.215)
> Loaded /var/cfengine/ppkeys/root-192.168.1.215.pub
>
> ...
>
> A public key was already known from rtty2.domain.com/192.168.1.215 -
> no trust required
> Adding IP 192.168.1.215 to SkipVerify - no need to check this if we have a key
> Prepending 192.168.1.215
> The public key identity was confirmed as root@rtty2.domain.com
>
> ...
>
> cfservd: Strongly authentication of client
> rtty2.domain.com/192.168.1.215
>
> ...
>
>
>
> User root granted connection privileges
>>>>AccessControl(/var/cfengine/bin/cfagent)
>>>>AccessControl(/usr/var/cfengine/bin/cfagent,rtty2.domain.com)
> encrypt request=0
> cfservd: Host rtty2.domain.com denied access to
> /usr/var/cfengine/bin/cfagent
> cfservd: Host authorization/authentication failed or access denied
>
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
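
The reply above says access must be granted on the true path rather than through a symlink. The following is an added example, not part of the original thread and not cfengine code: it lists grant entries whose path resolves to a different location on disk. The parser handles only the simple `grant:` layout quoted in the message (an assumption), and the directory tree is constructed in a temporary directory to mirror the var -> usr/var link described there.

```python
import os
import tempfile

def parse_grants(conf_text):
    """Return [(path, [hosts])] for entries in the 'grant:' section.

    Assumption: only the simple layout quoted in the post is handled
    (a 'grant:' header followed by '<absolute path> <host> ...' lines).
    """
    grants, in_grant = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.endswith("::"):      # blank line or class selector
            continue
        if line.endswith(":") and len(line.split()) == 1:
            in_grant = (line == "grant:")        # section header
            continue
        if in_grant and line.startswith("/"):
            path, *hosts = line.split()
            grants.append((path, hosts))
    return grants

def grants_via_symlink(grants):
    """Return [(granted_path, true_path, hosts)] where the two paths differ."""
    findings = []
    for path, hosts in grants:
        true_path = os.path.realpath(path)       # resolves every symlink component
        if true_path != os.path.normpath(path):
            findings.append((path, true_path, hosts))
    return findings

def demo():
    """Build a constructed tree where var -> usr/var, as in the post, and audit it."""
    root = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(root, "usr/var/cfengine/bin"))
    open(os.path.join(root, "usr/var/cfengine/bin/cfagent"), "w").close()
    os.symlink("usr/var", os.path.join(root, "var"))
    conf = (
        "grant:\n\n"
        f"{root}/var/cfengine/bin/cfagent rtty2.domain.com\n"   # via symlink
        f"{root}/usr/var/cfengine/inputs rtty2.domain.com\n"    # true path
    )
    return root, grants_via_symlink(parse_grants(conf))

if __name__ == "__main__":
    for granted, true_path, hosts in demo()[1]:
        print(f"grant {granted} ({' '.join(hosts)}) resolves to {true_path}")
```

Only the entry written through the symlink is reported; the entry already given as a true path is left alone.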