help-cfengine

Re: several questions on running cfengine


From: Eva Hocks
Subject: Re: several questions on running cfengine
Date: Tue, 11 Mar 2003 14:02:05 -0800 (PST)

Thanks for all your help and suggestions. Unfortunately cfengine seems to
be real stubborn. Even though cfservd says:


Define:: variable [domain=sdsc.edu] when any)

Host IPs allowed connection access :

IP: 192.168
IP: 192.168.240
IP: 192.168.240.1-254
IP: 192.168.240.0/24
Host IPs denied connection access :

Host IPs allowed multiple connection access :

IP: 192.168
IP: 192.168.240
IP: 192.168.240.1-254
IP: 192.168.240.0/24
Host IPs from whom we shall accept public keys on trust :

IP: 192.168
IP: 192.168.240
IP: 192.168.240.1-254
IP: 192.168.240.0/24
Host IPs from NAT which we don't verify :

IP: 192.168
IP: 192.168.240
IP: 192.168.240.1-254
IP: 192.168.240.0/24
Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :


ACCESS GRANTED ----------------------:

Path: /var/cfengine/inputs (encrypt=0)
   Admit: 192.168.240.* root=b80n11.sdsc.edu,
Path: /usr/local (encrypt=0)
   Admit: 192.168.240.* root=b80n11.sdsc.edu,
Path: /etc (encrypt=0)
   Admit: 192.168.240.* root=b80n11.sdsc.edu,
Path: /usr/local/apps/sbin/cfagent (encrypt=0)
   Admit: 192.168.240.* root=


the client is still not trusted:
Connect to b80cw = 192.168.240.254 on port cfengine
Loaded /var/cfengine/ppkeys/root-192.168.240.254.pub
cfengine:b80n11: Strong authentication of server=b80cw connection
confirmed
Checking copy from b80cw://etc/inetd.conf.nodes to /etc/inetd.conf
cfengine:b80n11: Server returned error:  Host authentication failed. Did
you forget the domain name?


I put the domain name in all and every configuration file just to make
sure cfengine wouldn't miss it. Still the cfagent on the client machine
returns the same error with no further explanation (even in -d3). The
internal network adapter names are in no DNS and they are not the
hostname. They are in the /etc/hosts file:
192.168.240.11 b80n11e b80n11e.sdsc.edu
The /etc/hosts file is kept the same on all nodes in the cluster by
a scp script, one of the things I hoped to be able to do with cfengine.

Where else should I put the domain name or whatever to allow the copy?
Maybe I should just run the scp with ssh authentication rather than use
the cfengine authentication?


Thanks,
Eva

On Tue, 11 Mar 2003, Martin A. Brooks wrote:

> At 17:39 07/03/2003 -0800, you wrote:
> >Saving public key /var/cfengine/ppkeys/root-192.168.240.254.pub
> >cfengine:b80n11: Server returned error:  Host authentication failed. Did
> >you forget the domain name?
>
> Hi Eva
>
> I see this problem with our installation every now and then.  Our internal
> domain is "lon4.fastsearch.net" and we use a replicated hosts file for
> internal DNS. Whenever we see this problem, we do two things which always
> seem to fix it.
>
> 1)  We make sure that the FQDN is listed in the master hosts file  i.e.
>
> 1.2.3.4 machine.lon4.fastsearch.net     machine
>
> 2) We manually copy the master hosts file onto the affected machine.
>
> Hope this helps.
>
>
> Martin A. Brooks
> ---------------------------------
> I/O, I/O, it's off to disk we go,
> A bit or byte, to read or write,
> I/O, I/O, I/O......
>
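
The reply above recommends listing the FQDN first in the master hosts file, while the hosts line quoted in the message lists the short name first. The following is an added example, not code from either poster or from cfengine: it audits a hosts file for entries whose first (canonical) name is not an FQDN in the expected domain. It assumes the server-side check depends on the name a reverse lookup returns, which the thread does not confirm; the function names and the sample file are constructed for illustration.

```python
# Added example: audit hosts-file entries for FQDN-first ordering.
import ipaddress

# Constructed sample. Lines 3 and 4 reuse entries quoted in the thread;
# the other lines are made up for illustration.
SAMPLE_HOSTS = """\
# replicated cluster hosts file (constructed sample)
127.0.0.1       localhost
192.168.240.11  b80n11e b80n11e.sdsc.edu
1.2.3.4         machine.lon4.fastsearch.net     machine
192.168.240.12  b80n12e.sdsc.edu b80n12e   # constructed entry
not-an-ip       junk
"""

def parse_hosts(text):
    """Yield (lineno, ip, names) per valid entry; skip comments and junk."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, fields[1:]

def audit(text, domain, network):
    """Return (lineno, ip, first_name, fqdn_alias) for each entry inside
    `network` whose first name is not an FQDN ending in `domain`.
    A hosts-file reverse lookup returns the first name as canonical."""
    net = ipaddress.ip_network(network)
    suffix = "." + domain.lower().rstrip(".")
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip not in net:
            continue
        if names[0].lower().rstrip(".").endswith(suffix):
            continue  # FQDN is already first
        # Is the FQDN at least present as an alias further along the line?
        alias = next((n for n in names[1:]
                      if n.lower().rstrip(".").endswith(suffix)), None)
        findings.append((lineno, str(ip), names[0], alias))
    return findings

if __name__ == "__main__":
    for lineno, ip, first, alias in audit(SAMPLE_HOSTS, "sdsc.edu",
                                          "192.168.240.0/24"):
        hint = f"move {alias} to first position" if alias else "no FQDN listed"
        print(f"line {lineno}: {ip} resolves to '{first}': {hint}")
```

Running the same audit on the master hosts file and on each node's copy also shows whether the replicated files have drifted apart.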





