BAD: keys did not match
From Brandonhutchinson.com
Revision as of 20:46, 14 January 2008
    # cfagent -qIK
    ...
    cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also have the policyserver's public cfengine key copied to /var/cfengine/ppkeys on the client:

    # For bootstrapping cfengine clients
    /var/cfengine/ppkeys/localhost.pub
        server=$(policyhost)
        dest=/var/cfengine/ppkeys/root-$(policyhost).pub
        mode=600 owner=root group=root
        trustkey=true

So what was the problem? To find out, run cfagent in debug mode.

    # cfagent -qIK -d1
    ...
    IPV4 address
    sockaddr_ntop(10.205.0.66)
    Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
    IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
    SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0

It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database. Note the debug output: the agent identifies itself as mrpmmds012.example.com, but the name it sends in the CAUTH message is mrpmmap010.prd.mrds.unix.example.com.

    $ getent ipnodes mrpmmds012.example.com
    10.205.0.66 mrpmmds012.example.com loghost
    $ getent ipnodes 10.205.0.66
    10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

From nsswitch.conf:

    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes: ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database.
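The check below is an added example, not part of the original page or of cfengine itself. It does what the getent commands above do by hand: resolve a name forward, resolve the resulting address back, and report whether the name that resolved forward appears among the names the reverse lookup returns. The names_agree function works on getent-style lines, so the constructed lines at the bottom (copied from the page's output) exercise it without any name service; check_host runs the live lookup through getent, using the hosts database (on Solaris, where the page's ipnodes database exists, set NSS_DB=ipnodes).

```shell
#!/bin/sh
# Added example: detect a forward/reverse name-resolution mismatch of the kind
# that made cfagent send one hostname in CAUTH while identifying as another.
# NSS_DB is an assumed environment variable, not a cfengine or getent setting.

NSS_DB=${NSS_DB:-hosts}

# Print every name (canonical and aliases) from one getent line, i.e. all
# fields after the address, one per line.
names_in_line() {
    printf '%s\n' "$1" | awk '{ for (i = 2; i <= NF; i++) print $i }'
}

# names_agree FORWARD_LINE REVERSE_LINE
# Returns 0 when both lines carry the same address and the canonical name from
# the forward lookup appears among the names of the reverse lookup, else 1.
names_agree() {
    fwd_addr=$(printf '%s\n' "$1" | awk '{ print $1 }')
    fwd_name=$(printf '%s\n' "$1" | awk '{ print $2 }')
    rev_addr=$(printf '%s\n' "$2" | awk '{ print $1 }')
    [ -n "$fwd_name" ] || return 1
    [ "$fwd_addr" = "$rev_addr" ] || return 1
    for n in $(names_in_line "$2"); do
        [ "$n" = "$fwd_name" ] && return 0
    done
    return 1
}

# check_host NAME: live check through the same NSS path cfagent relies on.
# Exit status: 0 consistent, 1 mismatch, 2 lookup failed.
check_host() {
    fwd=$(getent "$NSS_DB" "$1" | head -n 1)
    [ -n "$fwd" ] || { echo "lookup failed: $1" >&2; return 2; }
    addr=$(printf '%s\n' "$fwd" | awk '{ print $1 }')
    rev=$(getent "$NSS_DB" "$addr" | head -n 1)
    [ -n "$rev" ] || { echo "reverse lookup failed: $addr" >&2; return 2; }
    rev_names=$(names_in_line "$rev" | tr '\n' ' ')
    if names_agree "$fwd" "$rev"; then
        echo "OK: $1 -> $addr -> $rev_names"
        return 0
    fi
    echo "MISMATCH: $1 -> $addr -> $rev_names" >&2
    return 1
}

# Constructed getent lines reproducing the page's output (bad case) and a
# consistent pair for comparison (good case).
FWD_BAD='10.205.0.66 mrpmmds012.example.com loghost'
REV_BAD='10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com'
FWD_GOOD='10.205.0.66 mrpmmds012.example.com loghost'
REV_GOOD='10.205.0.66 mrpmmds012.example.com mrpmmds012'

if names_agree "$FWD_GOOD" "$REV_GOOD"; then
    echo "constructed good case: forward and reverse names agree"
fi
if ! names_agree "$FWD_BAD" "$REV_BAD"; then
    echo "constructed bad case: mismatch, the situation on the page"
fi
```

Run it on the host as `check_host "$(hostname)"` once the client is bootstrapped; a MISMATCH result points at the name service ordering in nsswitch.conf (here, the LDAP ipnodes entry consulted ahead of files) rather than at cfservd's access lists.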
