"Server returned error: Unspecified server refusal (see verbose server output)"
A cfengine client was unable to copy files from a policyhost that it had admit/grant rights to. Public key authentication worked, so to determine the problem, I ran cfagent in verbose mode on the client.
cfengine:client: Server returned error: Unspecified server refusal (see verbose server output)
To determine the cause of the error, I ran cfservd in debug level 2 and saw the following error:
# /var/cfengine ...FuzzyItemIn(LIST,10.226.18.58) No root privileges granted WildMatch(client.navitiare.com,*.navitaire.com) WildMatch(*.navitaire.com,jqosdsawb802.navitiare.com) WildMatch(10.226.18.58,*.navitaire.com) WildMatch(*.navitaire.com,10.226.18.58) FuzzyItemIn(LIST,10.226.18.58) Try FuzzySetMatch(*.navitaire.com,10.226.18.58) cfservd: Host client.navitiare.com denied access to /var/cfengine/masterfiles/inputs
The cfengine client should be using the domain navitaire.com, not navitiare.com. The DNS PTR record for 22.214.171.124.in-addr.arpa was correct in our DNS, so where was the domain typo coming from?
It turns out that the client had an incorrect domain name in its /etc/hosts file.
10.226.18.58 client.navitiare.com client
Correcting the domain in the cfengine client's /etc/hosts file (to match the correct domain in the admit/grant rules) fixed the problem.