BAD: keys did not match


Revision as of 20:46, 14 January 2008 by Hutch
# cfagent -qIK
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.

                # For bootstrapping cfengine clients
                       mode=600 owner=root group=root

So what was the problem? To find out, run cfagent in debug mode.

# cfagent -qIK -d1
IPV4 address
Identifying this agent as i.e., with signature 0
SENT:::CAUTH root 0

It turns out that this system is in DNS and in the LDAP hosts database.

$ getent ipnodes loghost
$ getent ipnodes

From nsswitch.conf:

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database.
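
To find such entries before they break authentication, the forward and reverse answers of the name service can be compared directly. The script below is an added example, not part of the original page or of cfengine; `check_fwd_rev`, `sample_lookup`, the `LOOKUP` variable, the `example.com` names and the `192.0.2.x` addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: forward/reverse name-service consistency check.
# LOOKUP is the lookup command; "getent hosts" is the default here, and on a
# Solaris host like the one on this page "getent ipnodes" can be used instead.
LOOKUP=${LOOKUP:-getent hosts}

# Constructed sample records (hypothetical names, documentation addresses):
# client.example.com resolves forward, but a stale directory entry answers
# the reverse lookup with a different name.
sample_lookup() {
    case $1 in
        client.example.com)          echo "192.0.2.10 client.example.com" ;;
        192.0.2.10)                  echo "192.0.2.10 oldname.example.com loghost" ;;
        good.example.com|192.0.2.20) echo "192.0.2.20 good.example.com" ;;
    esac
}

# check_fwd_rev NAME
# Returns 0 if every address of NAME maps back to NAME, 1 on a mismatch,
# 2 if NAME does not resolve at all.
check_fwd_rev() {
    fr_name=$1
    fr_rc=0
    fr_addrs=$($LOOKUP "$fr_name" | awk '{print $1}' | sort -u)
    [ -n "$fr_addrs" ] || { echo "UNRESOLVED $fr_name"; return 2; }
    for fr_addr in $fr_addrs; do
        # Fields 2..NF of the reverse answer are the canonical name and aliases.
        fr_back=$($LOOKUP "$fr_addr" | awk '{for (i = 2; i <= NF; i++) print $i}')
        if printf '%s\n' "$fr_back" | grep -qixF -- "$fr_name"; then
            echo "OK $fr_name $fr_addr"
        else
            echo "MISMATCH $fr_name $fr_addr -> $(echo $fr_back)"
            fr_rc=1
        fi
    done
    return $fr_rc
}

# With arguments: check those hosts against the live name service.
# Without arguments: run against the constructed records above.
if [ $# -gt 0 ]; then
    for fr_host in "$@"; do check_fwd_rev "$fr_host" || true; done
else
    LOOKUP=sample_lookup
    check_fwd_rev client.example.com || true
    check_fwd_rev good.example.com
fi
```

A `MISMATCH` line names the entry to remove or correct in whichever database answered the reverse lookup first according to nsswitch.conf.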
