BAD: keys did not match
From Brandonhutchinson.com
In this example, I received a cfengine authentication error due to name resolution problems on a Solaris 10 client.
    # cfagent -qIK
    ...
    cfengine:mrpmmds012: BAD: keys did not match
cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.
    # For bootstrapping cfengine clients
    /var/cfengine/ppkeys/localhost.pub
            server=$(policyhost)
            dest=/var/cfengine/ppkeys/root-$(policyhost).pub
            mode=600 owner=root group=root
            trustkey=true
So what was the problem? To find out, I ran cfagent in debug mode.
    # cfagent -qIK -d1
    ...
    IPV4 address sockaddr_ntop(10.205.0.66)
    Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
    IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
    SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0
It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database.
    $ getent ipnodes mrpmmds012.example.com
    10.205.0.66     mrpmmds012.example.com loghost
    $ getent ipnodes 10.205.0.66
    10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com
From /etc/nsswitch.conf:
    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes: ldap [NOTFOUND=return] files
This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database. In this case, I chose to fix the LDAP hosts entry using ldapmodrdn.
    $ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
    Enter bind password:
    cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
    cn=mrpmmds012+ipHostNumber=10.205.0.66
    renaming entry cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
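A small forward/reverse consistency check that catches this class of mismatch before cfagent does, written as an added example (not part of the original page). It assumes Solaris getent ipnodes as shown above; the two sample records are constructed from the page's getent output so the check runs offline.

```shell
#!/bin/sh
# Added example: detect a forward/reverse name mismatch of the kind that
# made cfagent send the wrong hostname in its CAUTH message.

# Constructed sample records, copied from the getent output above.
FWD_SAMPLE='10.205.0.66     mrpmmds012.example.com loghost'
REV_SAMPLE='10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com'
# Constructed record showing what a consistent reverse lookup would look like.
REV_CONSISTENT='10.205.0.66     mrpmmds012.example.com loghost'

# first_name RECORD: print the canonical (first) name of a getent-style record.
first_name() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# check_fwd_rev FWD_RECORD REV_RECORD: return 0 when the reverse record lists
# the forward canonical name among its names, 1 on a mismatch.
check_fwd_rev() {
    fwd_name=$(first_name "$1")
    rev_names=$(printf '%s\n' "$2" | awk '{for (i = 2; i <= NF; i++) print $i}')
    for n in $rev_names; do
        [ "$n" = "$fwd_name" ] && return 0
    done
    return 1
}

# check_host HOSTNAME: live version using getent ipnodes (Solaris, as on the
# page); returns 2 if either lookup fails, otherwise as check_fwd_rev.
check_host() {
    fwd=$(getent ipnodes "$1" | head -n 1)
    [ -n "$fwd" ] || return 2
    addr=$(printf '%s\n' "$fwd" | awk '{print $1}')
    rev=$(getent ipnodes "$addr" | head -n 1)
    [ -n "$rev" ] || return 2
    check_fwd_rev "$fwd" "$rev"
}

# Offline demonstration on the constructed records.
if check_fwd_rev "$FWD_SAMPLE" "$REV_SAMPLE"; then
    echo "forward/reverse consistent"
else
    echo "MISMATCH: $(first_name "$FWD_SAMPLE") resolves back to $(first_name "$REV_SAMPLE")"
fi
```

On a live client, run check_host with the name cfagent identifies itself as and fix the entry that getent returns for the address when it reports a mismatch.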
