BAD: keys did not match

In this example, I received a cfengine authentication error caused by name resolution problems on a Solaris 10 client.

# cfagent -qIK
cfengine:mrpmmds012: BAD: keys did not match

cfservd on the policy server was correctly configured: the client was listed in AllowConnectionsFrom and TrustKeysFrom, and the policy server's public cfengine key was allowed to be copied to /var/cfengine/ppkeys on the client.

                # For boostrapping cfengine clients
                       mode=600 owner=root group=root

So what was the problem? To find out, I ran cfagent in debug mode.

# cfagent -qIK -d1
IPV4 address
Identifying this agent as i.e., with signature 0
SENT:::CAUTH root 0

It turns out that this system is in both DNS and the LDAP hosts database.

$ getent ipnodes loghost
$ getent ipnodes

From /etc/nsswitch.conf:

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    ldap [NOTFOUND=return] files

Because ipnodes consults LDAP before files (and DNS), the name and address cfengine sees for this client do not agree, and this forward/reverse mismatch breaks cfengine authentication. The fix is to remove or correct the entry in the LDAP hosts database. In this case, I chose to fix the LDAP hosts entry using ldapmodrdn.

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
Enter bind password: 
renaming entry cn=mrpmmap010+ipHostNumber=,ou=Hosts,dc=prd,dc=mrds,dc=unix,dc=example,dc=com
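The check I would run before touching LDAP is a comparison of what each name service database returns for the client, both forward and reverse. The script below is an added example, not part of the original page or of cfengine; rather than calling getent it performs the lookups against text in the same "address name [aliases]" layout that getent ipnodes and getent hosts print, using constructed sample data (the addresses and the stale LDAP entry for mrpmmds012 are invented) so it runs offline. To use it on a real host, replace the two tables with the output of getent ipnodes and getent hosts.

```shell
#!/bin/sh
# Added example: detect a forward/reverse name resolution mismatch of the kind
# that produces "BAD: keys did not match". Lookups run against text in the
# layout getent ipnodes / getent hosts print, so it works offline.

# Constructed sample data: the LDAP-backed ipnodes database holds a stale
# address for mrpmmds012, while files/DNS holds the current one.
IPNODES_TABLE='10.1.1.12 mrpmmds012.example.com mrpmmds012 loghost
10.1.1.5 mrpmmap010.example.com mrpmmap010'
HOSTS_TABLE='10.1.1.42 mrpmmds012.example.com mrpmmds012
10.1.1.5 mrpmmap010.example.com mrpmmap010'

# forward_lookup TABLE NAME: print the first address whose canonical name or
# alias equals NAME (empty output when NAME is absent).
forward_lookup() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '{ for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# reverse_lookup TABLE ADDR: print the canonical name for ADDR.
reverse_lookup() {
    printf '%s\n' "$1" | awk -v a="$2" '$1 == a { print $2; exit }'
}

# check_host NAME: compare the address each database returns for NAME, then
# confirm the address reverse-resolves to NAME. Prints OK or a description of
# the problem; returns 0 only when every lookup agrees.
check_host() {
    name=$1
    ip_ipnodes=$(forward_lookup "$IPNODES_TABLE" "$name")
    ip_hosts=$(forward_lookup "$HOSTS_TABLE" "$name")
    if [ -z "$ip_ipnodes" ] || [ -z "$ip_hosts" ]; then
        echo "MISSING: $name not found in every database"
        return 1
    fi
    if [ "$ip_ipnodes" != "$ip_hosts" ]; then
        echo "MISMATCH: ipnodes gives $ip_ipnodes, hosts gives $ip_hosts for $name"
        return 1
    fi
    rev=$(reverse_lookup "$HOSTS_TABLE" "$ip_hosts")
    # Compare short names so a FQDN in the table still matches a short query.
    if [ "${rev%%.*}" != "${name%%.*}" ]; then
        echo "MISMATCH: $ip_hosts reverse-resolves to $rev, not $name"
        return 1
    fi
    echo "OK: $name <-> $ip_hosts"
}

# Usage: sh check_resolution.sh <hostname>
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

Run against the sample tables, check_host mrpmmds012 reports the address disagreement between the ipnodes (LDAP) and hosts (files/DNS) databases, while check_host mrpmmap010 reports OK; the non-zero exit status makes it usable as a pre-flight check before bootstrapping a client.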