Re: Can't get a client to authorize?
From: christian pearce
Subject: Re: Can't get a client to authorize?
Date: Thu, 23 Feb 2006 14:24:44 -0500

Please run cfservd with a -v and reattempt to connect. Failing a
good message, run it with a -d1. Send us the messages if you don't
understand them. It could be the ranges are not working in the
cfengine codebase.

The only other thing I see is you are defining TrustedKeys and
AllowConnectionFrom twice. I am not certain how Cfengine behaves when
you do this.

On 2/22/06, Josh Hurd <JoshH@revenuescience.com> wrote:
>
>
> I am seeing this error when I run cfagent on a new client I just built. I
> am stumped. Can someone help me understand this?
>
> Denying connection from non-authorized IP 10.12.1.77
>
> My update.conf:
>
>
> # update.conf 2/15/05 Dougc
> groups:
> sea1_dc_digimine_com = ( IPRange(192.168.0.0/16) IPRange(10.254.0.0/16)
> IPRange(10.1.0.0/16) )
> qa_dmtest_com = ( IPRange(172.16.0.0/16) IPRange(10.12.0.0/16) )
> sb_dmtest_com = ( IPRange(172.16.0.0/16) IPRange(10.12.0.0/16) )
>
> control:
> sea1_dc_digimine_com::
> domain = ( sea1.dc.digimine.com )
> server = ( sea1-util01 )
> qa_dmtest_com::
> domain = ( qa.dmtest.com )
> server = ( qa-util01 )
> sb_dmtest_com::
> domain = ( sb.dmtest.com )
> server = ( sea1-util01 )
>
> any::
> actionsequence = ( copy files )
> workdir = ( /var/cfengine )
> configroot = ( /var/cfengine/master/inputs )
> SplayTime = ( 35 )
>
> copy:
> any::
> "$(configroot)" dest=$(workdir)/inputs
> mode=664
> owner=rsiadmin
> include=*.conf
> type=binary
> recurse=inf
> trustkey=true
> server=$(server)
> files:
> any::
> "$(workdir)/inputs/"
> mode=664
> owner=rsiadmin
> group=rsiadmin
> action=fixall
> recurse=inf
>
>
>
> My cfservd.conf:
>
> # $Header: /cfengine/Production/cfservd.conf 3 2/03/05
> 10:47 JeffreyC $
> control:
> any::
> domain = ( sea1.dc.digimine.com sb.dmtest.com )
> server = ( sea1-util01 )
> TrustKeysFrom = ( 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0/24 10.12.0.0/16 )
> AllowConnectionsFrom = ( 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0 10.12.0.0/16 )
> TrustKeysFrom = ( 127.0.0.1 10.1 192.168 10.254 10.12.0.0/16 )
> AllowConnectionsFrom = ( 127.0.0.1 10.1 192.168 10.254 10.12.0.0/16 )
> SkipVerify = ( 10.1 10.12 )
> AllowUsers = ( root )
> cfrunCommand = ( "/usr/sbin/cfexecd -F" )
> HostnameKeys = ( off )
>
> sea1_util01::
> MaxConnections = ( 20 )
>
>
> admit:
> sea1_dc_digimine_com::
> /var/cfengine/master 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0/24
> /usr/sbin/cfagent 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0/24
> /usr/sbin/cfexecd 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0/24
> sb_dmtest_com::
> /var/cfengine/master 10.12.0.0/16
> /usr/sbin/cfagent 10.12.0.0/16
> /usr/sbin/cfexecd 10.12.0.0/16
>
> sea1_util01::
> /var/ftp/pub/linux 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
> 10.1.30.0/24 10.12.0.0/16
> /mnt/rsi/logs02/Network/ExtractFiles 192.168.0.0/16
> 127.0.0.1/32 10.254.0.0/16 10.1.30.0/24 10.12.0.0/16
--
Christian Pearce
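
An added example, not part of the original thread and not cfengine code: a small Python check that lists cfservd.conf control variables defined more than once and reports, per definition, whether a given client address is covered. The matching rules in `covers` are an assumption (CIDR entries as networks, anything else as an exact address or dotted prefix), not cfservd's own matcher; the function names are hypothetical and the sample is constructed from the control: lines quoted above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the access-control lines from the quoted cfservd.conf.
SAMPLE = """\
control:
any::
TrustKeysFrom = ( 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
10.1.30.0/24 10.12.0.0/16 )
AllowConnectionsFrom = ( 192.168.0.0/16 127.0.0.1/32 10.254.0.0/16
10.1.30.0 10.12.0.0/16 )
TrustKeysFrom = ( 127.0.0.1 10.1 192.168 10.254 10.12.0.0/16 )
AllowConnectionsFrom = ( 127.0.0.1 10.1 192.168 10.254 10.12.0.0/16 )
SkipVerify = ( 10.1 10.12 )
"""

# name = ( item item ... ); the list may wrap across lines.
ASSIGN = re.compile(r"(\w+)\s*=\s*\(([^)]*)\)")

def parse_lists(text):
    """Return {variable: [entries of each definition, in file order]}."""
    defs = defaultdict(list)
    for name, body in ASSIGN.findall(text):
        defs[name].append(body.split())
    return dict(defs)

def covers(entry, ip):
    """ASSUMED semantics: a/b entries match as CIDR networks; anything
    else matches as an exact address or a dotted prefix such as 10.12."""
    if "/" in entry:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    return ip == entry or ip.startswith(entry.rstrip(".") + ".")

def audit(text, ip):
    """Per variable: one bool per definition, True if it covers ip."""
    return {name: [any(covers(e, ip) for e in entries) for entries in dl]
            for name, dl in parse_lists(text).items()}

def duplicates(text):
    """Variables that appear in more than one assignment."""
    return sorted(n for n, dl in parse_lists(text).items() if len(dl) > 1)

if __name__ == "__main__":
    print("defined more than once:", duplicates(SAMPLE))
    for name, hits in audit(SAMPLE, "10.12.1.77").items():
        print(name, hits)
```

Under these assumed rules both definitions of each list cover 10.12.1.77, while the two AllowConnectionsFrom definitions disagree for an address such as 10.1.30.5, which is the kind of ambiguity a duplicate definition introduces.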