BAD: keys did not match

From Brandonhutchinson.com

Revision as of 20:46, 14 January 2008 by Hutch (Talk | contribs)
Jump to: navigation, search
# cfagent -qIK
...
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client. 

                # For boostrapping cfengine clients
               /var/cfengine/ppkeys/localhost.pub
                       server=$(policyhost)
                       dest=/var/cfengine/ppkeys/root-$(policyhost).pub
                       mode=600 owner=root group=root
                       trustkey=true

So what was the problem? To find out, run cfagent in debug mode. 

# cfagent -qIK -d1
...
IPV4 address
sockaddr_ntop(10.205.0.66)
Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0

It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database. 

$ getent ipnodes mrpmmds012.example.com
10.205.0.66     mrpmmds012.example.com loghost
$ getent ipnodes 10.205.0.66
10.205.0.66     mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

From nsswitch.conf: 

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database.

Retrieved from "http://brandonhutchinson.com/wiki/BAD:_keys_did_not_match"
Personal tools