BAD: keys did not match

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
Line 13: Line 13:
trustkey=true
trustkey=true
-
So what was the problem? To find out, run '''cfagent''' in debug mode.
+
So what was the problem? To find out, I ran '''cfagent''' in debug mode.
# '''cfagent -qIK -d1'''
# '''cfagent -qIK -d1'''

Revision as of 21:00, 14 January 2008

In this example, I received a cfengine authentication error due to name resolution problems on a Solaris 10 client. 

# cfagent -qIK
...
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client. 

                # For boostrapping cfengine clients
               /var/cfengine/ppkeys/localhost.pub
                       server=$(policyhost)
                       dest=/var/cfengine/ppkeys/root-$(policyhost).pub
                       mode=600 owner=root group=root
                       trustkey=true

So what was the problem? To find out, I ran cfagent in debug mode. 

# cfagent -qIK -d1
...
IPV4 address
sockaddr_ntop(10.205.0.66)
Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0

It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database. 

$ getent ipnodes mrpmmds012.example.com
10.205.0.66     mrpmmds012.example.com loghost
$ getent ipnodes 10.205.0.66
10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

From nsswitch.conf: 

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database. In this case, I chose to fix the LDAP hosts entry using ldapmodrdn. 

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
Enter bind password: 
cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
cn=mrpmmds012+ipHostNumber=10.205.0.66
renaming entry cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
Retrieved from "http://brandonhutchinson.com/wiki/BAD:_keys_did_not_match"
Personal tools