BAD: keys did not match
In this example, I received a cfengine authentication error due to name resolution problems on a Solaris 10 client.
    # cfagent -qIK
    ...
    cfengine:mrpmmds012: BAD: keys did not match
cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.
    # For bootstrapping cfengine clients
    /var/cfengine/ppkeys/localhost.pub
        server=$(policyhost)
        dest=/var/cfengine/ppkeys/root-$(policyhost).pub
        mode=600
        owner=root
        group=root
        trustkey=true
So what was the problem? To find out, I ran cfagent in debug mode.
    # cfagent -qIK -d1
    ...
    IPV4 address
    sockaddr_ntop(10.205.0.66)
    Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
    IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
    SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0
It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database.
    $ getent ipnodes mrpmmds012.example.com
    10.205.0.66 mrpmmds012.example.com loghost
    $ getent ipnodes 10.205.0.66
    10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes: ldap [NOTFOUND=return] files
This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database. In this case, I chose to fix the LDAP hosts entry using ldapmodrdn.
    $ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
    Enter bind password:
    cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
    cn=mrpmmds012+ipHostNumber=10.205.0.66
    renaming entry cn=mrpmmap010+ipHostNumber=10.205.0.66,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
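
To confirm the fix, or to check other clients for the same forward/reverse mismatch before cfagent fails, the two getent lookups above can be scripted. This is an added example, not part of the original post or of cfengine; the names check_fwd_rev, sample_lookup and lower are hypothetical, and sample_lookup is a constructed stand-in that replays the two answers shown earlier. It assumes a POSIX shell (on Solaris 10: ksh, bash or /usr/xpg4/bin/sh) and a lookup command that prints "address name [alias ...]".

```shell
# Constructed stand-in for `getent ipnodes`, replaying the two lookups in the post.
sample_lookup() {
    case "$1" in
        mrpmmds012.example.com)
            echo "10.205.0.66 mrpmmds012.example.com loghost" ;;
        10.205.0.66)
            echo "10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com" ;;
        *)
            return 2 ;;   # key not found
    esac
}

# Lower-case a name so the comparison ignores case.
lower() { echo "$1" | tr '[A-Z]' '[a-z]'; }

# check_fwd_rev HOST [LOOKUP_CMD ...]   (hypothetical helper name)
# Forward-resolves HOST, reverse-resolves the first address returned, and
# compares HOST with the first (canonical) name on the reverse answer.
# Returns 0 on match, 1 on mismatch, 2 when a lookup fails.
check_fwd_rev() {
    host=$1
    shift
    [ $# -gt 0 ] || set -- getent ipnodes   # default: the lookup used in the post

    fwd=$("$@" "$host") || { echo "LOOKUP-FAILED $host"; return 2; }
    addr=$(echo "$fwd" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || { echo "LOOKUP-FAILED $host"; return 2; }

    rev=$("$@" "$addr") || { echo "LOOKUP-FAILED $addr"; return 2; }
    rname=$(echo "$rev" | awk 'NR==1 {print $2}')
    [ -n "$rname" ] || { echo "LOOKUP-FAILED $addr"; return 2; }

    if [ "$(lower "$rname")" = "$(lower "$host")" ]; then
        echo "OK $host -> $addr -> $rname"
        return 0
    fi
    echo "MISMATCH $host -> $addr -> $rname"
    return 1
}
```

Source the file and run check_fwd_rev mrpmmds012.example.com on the client to query the real name services; pass sample_lookup as the second argument to replay the broken state from this post.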