BAD: keys did not match

From Brandonhutchinson.com

Revision as of 20:46, 14 January 2008

# cfagent -qIK
...
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.

        # For bootstrapping cfengine clients
        /var/cfengine/ppkeys/localhost.pub
                server=$(policyhost)
                dest=/var/cfengine/ppkeys/root-$(policyhost).pub
                mode=600 owner=root group=root
                trustkey=true

Note that trustkey=true on the client and TrustKeysFrom on the server both accept whatever key the other side presents on first contact. They are bootstrap settings: keep the address lists narrow and take a host out of TrustKeysFrom once its key has been exchanged.

So what was the problem? To find out, run cfagent in debug mode.

# cfagent -qIK -d1
...
IPV4 address
sockaddr_ntop(10.205.0.66)
Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0

It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database, so the forward lookup of the hostname and the reverse lookup of its address disagree. The name cfagent sends in CAUTH is the one returned for its own address, which is why the line above carries mrpmmap010 rather than mrpmmds012.

$ getent ipnodes mrpmmds012.example.com
10.205.0.66     mrpmmds012.example.com loghost
$ getent ipnodes 10.205.0.66
10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

From nsswitch.conf:

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication: because the ipnodes line consults LDAP first and stops on NOTFOUND, the reverse lookup of 10.205.0.66 is answered by the stale LDAP entry, while the forward lookup of mrpmmds012.example.com, which LDAP does not have, falls through to the hosts databases and DNS. The fix is to remove or correct the entry in the LDAP hosts database. Before blaming cfservd's AllowConnectionsFrom or the key files, check with getent that the forward lookup of the client's hostname and the reverse lookup of its address return the same name.
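The check above as a script, added here as an example and not part of the original page. It compares a host's forward lookup with the reverse lookup of the address it resolves to, using the two getent lines from this page as constructed sample input. The function names, the Linux getent hosts wrapper and the exit codes are assumptions; on Solaris, where the nsswitch.conf above applies, substitute getent ipnodes.

```sh
#!/bin/sh
# Added example, not from the original page. Reproduces the forward/reverse
# lookup check: cfagent names itself by the lookup of its own address, so
# that name must be one the policyserver expects for the client.
# Assumes getent(1) output of the form "ADDRESS NAME [ALIAS ...]"
# (Linux "getent hosts"; Solaris "getent ipnodes").

# fwd_rev_consistent HOST FWD_OUT REV_OUT
#   HOST     the name the client is known by (e.g. hostname(1) output)
#   FWD_OUT  getent output for HOST
#   REV_OUT  getent output for the address found in FWD_OUT
# Prints HOST -> ADDRESS -> REVERSE_NAME (the reverse name is what cfagent
# puts in its CAUTH line). Returns 0 if HOST is among the names returned by
# the reverse lookup, 1 on a mismatch, 2 if either lookup is empty.
fwd_rev_consistent() {
    frc_host=$1
    frc_addr=$(printf '%s\n' "$2" | awk 'NR == 1 { print $1 }')
    frc_rev_canon=$(printf '%s\n' "$3" | awk 'NR == 1 { print $2 }')
    if [ -z "$frc_addr" ] || [ -z "$frc_rev_canon" ]; then
        echo "incomplete lookup for $frc_host" >&2
        return 2
    fi
    echo "$frc_host -> $frc_addr -> $frc_rev_canon"
    # Accept a match on the canonical reverse name or any of its aliases.
    printf '%s\n' "$3" | awk -v h="$frc_host" '
        NR == 1 { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END     { exit (found ? 0 : 1) }'
}

# check_live HOST: run the real lookups and apply the same test.
# Change "hosts" to "ipnodes" on Solaris.
check_live() {
    cl_fwd=$(getent hosts "$1") || { echo "forward lookup failed: $1" >&2; return 2; }
    cl_addr=$(printf '%s\n' "$cl_fwd" | awk 'NR == 1 { print $1 }')
    cl_rev=$(getent hosts "$cl_addr") || { echo "reverse lookup failed: $cl_addr" >&2; return 2; }
    fwd_rev_consistent "$1" "$cl_fwd" "$cl_rev"
}

# Constructed sample input: the two getent results shown on this page.
SAMPLE_FWD='10.205.0.66     mrpmmds012.example.com loghost'
SAMPLE_REV='10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com'

if fwd_rev_consistent mrpmmds012.example.com "$SAMPLE_FWD" "$SAMPLE_REV"; then
    echo "OK: forward and reverse names agree"
else
    echo "MISMATCH: cfagent will authenticate as the reverse name; fix the stale hosts entry"
fi
```

Run it on a real client with check_live "$(hostname)"; a non-zero return means the name cfagent will present differs from the one the policyserver's AllowConnectionsFrom and key files were set up for.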