BAD: keys did not match

From Brandonhutchinson.com

Current revision (21:01, 14 January 2008)

In this example, I received a cfengine authentication error due to name resolution problems on a Solaris 10 client.

# cfagent -qIK
...
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.

        # For bootstrapping cfengine clients
        /var/cfengine/ppkeys/localhost.pub
                server=$(policyhost)
                dest=/var/cfengine/ppkeys/root-$(policyhost).pub
                mode=600 owner=root group=root
                trustkey=true

So what was the problem? To find out, I ran cfagent in debug mode.

# cfagent -qIK -d1
...
IPV4 address
sockaddr_ntop(10.205.0.66)
Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0

It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database.

$ getent ipnodes mrpmmds012.example.com
10.205.0.66     mrpmmds012.example.com loghost
$ getent ipnodes 10.205.0.66
10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com
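
A small check for exactly this condition, added here as an example and not part of the original note: it parses forward and reverse lookup lines in the format getent prints and reports whether the name the host resolves under agrees with the name its address resolves back to, which is what cfagent uses when it builds the CAUTH line. The sample lines are constructed copies of the output above; check_host runs the real lookups and assumes the Solaris getent ipnodes database (use getent hosts on Linux).

```shell
#!/bin/sh
# Constructed samples of what `getent ipnodes` returned on the client above.
FORWARD_SAMPLE='10.205.0.66     mrpmmds012.example.com loghost'
REVERSE_SAMPLE='10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com'

# fwd_rev_check FORWARD_LINE REVERSE_LINE
# Takes one forward-lookup line and one reverse-lookup line (getent format:
# address, canonical name, aliases). Prints "OK <name>" and returns 0 when the
# forward canonical name appears among the reverse lookup's names; otherwise
# prints "MISMATCH forward=<name> reverse=<name>" and returns 1.
fwd_rev_check() {
    fwd_line=$1
    rev_line=$2
    # canonical (second field) name of each lookup
    fwd_name=$(printf '%s\n' "$fwd_line" | awk '{print $2}')
    rev_name=$(printf '%s\n' "$rev_line" | awk '{print $2}')
    # every name and alias the reverse lookup returned, one per line
    rev_names=$(printf '%s\n' "$rev_line" | awk '{for (i = 2; i <= NF; i++) print $i}')
    for n in $rev_names; do
        if [ "$n" = "$fwd_name" ]; then
            printf 'OK %s\n' "$fwd_name"
            return 0
        fi
    done
    printf 'MISMATCH forward=%s reverse=%s\n' "$fwd_name" "$rev_name"
    return 1
}

# check_host HOSTNAME: do the live lookups for a host and compare them.
# Assumes `getent ipnodes` (Solaris); returns 2 if either lookup fails.
check_host() {
    fwd=$(getent ipnodes "$1") || { echo "forward lookup failed for $1"; return 2; }
    ip=$(printf '%s\n' "$fwd" | awk 'NR == 1 {print $1}')
    rev=$(getent ipnodes "$ip") || { echo "reverse lookup failed for $ip"; return 2; }
    fwd_rev_check "$(printf '%s\n' "$fwd" | head -n 1)" "$(printf '%s\n' "$rev" | head -n 1)"
}

# Run against the constructed samples from the article:
# prints "MISMATCH forward=mrpmmds012.example.com reverse=mrpmmap010.prd.mrds.unix.example.com"
fwd_rev_check "$FORWARD_SAMPLE" "$REVERSE_SAMPLE"
```

On a live system, `check_host "$(hostname)"` returning 1 before cfagent runs is the fastest way to tell a name-resolution problem from a genuinely bad key.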

From /etc/nsswitch.conf:

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database. In this case, I chose to fix the LDAP hosts entry using ldapmodrdn.

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
Enter bind password: 
cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
cn=mrpmmds012+ipHostNumber=10.205.0.66
renaming entry cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com