Hi Bill,
I run 'cfservd' on all systems - this allows me to do remote 'cfrun' commands. So, I have a single cfservd.conf that I distribute out to _all_ systems. In cfservd.conf, I basically have:
control:
  any::
    LogAllConnections = ( true )
    domain = ( mydomain.com )
    cfrunCommand = ( /var/cfengine/bin/cfagent )
    ChecksumDatabase = ( /var/cfengine/checksum-server.db )
    IfElapsed = ( 10 )
    AllowUsers = ( root )
    SyslogFacility = ( LOG_LOCAL3 )

  any.!cfserver_mydomain_com::   # Clients should only accept and trust a connection from the FQDN CFserver
    MaxConnections = ( 10 )
    AllowConnectionsFrom = ( 10.0.7.165 )   # CFserver IP
    TrustKeysFrom = ( 10.0.7.165 )          # CFserver IP

  cfserver_mydomain_com::   # The CFserver should accept and trust any clients but only from our subnets
    AllowConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 )           # Our local subnets
    AllowMultipleConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 )   # Our local subnets

admit:
  any::
    $(cfrunCommand) *.mydomain.com

  cfserver_mydomain_com::
    /var/cfengine/master_inputs  *.mydomain.com
    /var/cfengine/master_modules *.mydomain.com
    /var/cfengine/master_scripts *.mydomain.com
I also make it a habit to restart 'cfservd' just to be sure, although cfservd is supposed to detect cfservd.conf updates and re-read the config file.
Now, I personally use a bootstrap CF file and also define a 'TrustKeysFrom' entry - so I imagine that you'd put the following line in 'update.conf':
TrustKeysFrom = ( 10.0.7.165 ) # Clients should only trust the CFserver
Regards,
/\/elson
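To check a cfservd.conf trust list like the one above against the "unable to accept this one on trust" failure from the thread, here is an added example (not from the original post) in Python. The sample config and its server-class TrustKeysFrom list are constructed for the demo, and only the dotted-IP and CIDR forms used in this thread are parsed.

```python
import ipaddress
import re

# Constructed sample in the cfservd.conf style from the thread: clients trust
# only the CFserver address, the server class trusts whole subnets.
SAMPLE_CFSERVD_CONF = """
control:
  any::
    domain = ( mydomain.com )
  any.!cfserver_mydomain_com::
    AllowConnectionsFrom = ( 10.0.7.165 )   # CFserver IP
    TrustKeysFrom = ( 10.0.7.165 )          # CFserver IP
  cfserver_mydomain_com::
    AllowConnectionsFrom = ( 10.0.0.0/16 192.168.0.0/16 )
    TrustKeysFrom = (
      10.0.0.0/16
      192.168.0.0/16
    )
"""

ASSIGN_RE = re.compile(r"(\w+)\s*=\s*\(([^)]*)\)", re.S)


def parse_control(text):
    """Return {class_expr: {variable: [values]}} for the control: section."""
    # Drop '#' comments first so they cannot leak into value lists.
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    body = stripped.split("control:", 1)[1].split("admit:", 1)[0]
    result, current = {}, "any"
    # Walk class labels ('foo::') and assignments in document order.
    for tok in re.finditer(r"([\w.!|]+)::|" + ASSIGN_RE.pattern, body, re.S):
        if tok.group(1):
            current = tok.group(1)
            result.setdefault(current, {})
        else:
            result.setdefault(current, {})[tok.group(2)] = tok.group(3).split()
    return result


def covering_entries(entries, peer_ip):
    """Entries of a TrustKeysFrom/AllowConnectionsFrom list containing peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    return [e for e in entries if peer in ipaddress.ip_network(e, strict=False)]


def would_accept_on_trust(config, class_expr, peer_ip):
    """True when a host in this class would accept an unknown key from peer_ip;
    False is the thread's 'unable to accept this one on trust' condition."""
    entries = config.get(class_expr, {}).get("TrustKeysFrom", [])
    return bool(covering_entries(entries, peer_ip))


def trust_window_size(config, class_expr):
    """Addresses able to seed a key on first contact; smaller is safer."""
    entries = config.get(class_expr, {}).get("TrustKeysFrom", [])
    return sum(ipaddress.ip_network(e, strict=False).num_addresses for e in entries)
```

Running the checks against a real cfservd.conf shows both whether the failing client's address is actually inside TrustKeysFrom and how many addresses the trust window exposes.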
Bill Gunter <[EMAIL PROTECTED]> wrote on 09/19/2005 02:42 PM:
Sorry to re-post, but I'm afraid this has gotten lost in the din. I
really need to get this resolved, so any help would be greatly
appreciated.
bg
On Mon, 2005-09-12 at 12:51 -0500, Bill Gunter wrote:
> The clients and server are on the same network, 66.162.222.0/24. Here's
> the TrustKeys. The stuff on the 208.10.199.0/24 net works fine.
>
> TrustKeysFrom = (
> 208.10.199.0/24
> 66.162.222.0/24
> 216.54.235.0/24
> 192.168.199.0/24
> )
>
> On Mon, 2005-09-12 at 01:29 -0500, Tim Nelson wrote:
> > On Fri, 9 Sep 2005, Bill Gunter wrote:
> >
> > > I'm having trouble using trust to exchange keys. I got it working for
> > > one server, but it's not working for another. I get this message on the
> > > client while running 'cfagent -v'
> > >
> > > "cfengine:viper: BAD: key could not be accepted on trust"
> > >
> > > And similarly on the server from cfservd
> > >
> > > "No previous key found, and unable to accept this one on trust"
> > >
> > > I'm getting this when cfagent is parsing the update.conf file. cfservd
> > > contains the correct TrustKeysFrom entries and update.conf has this:
> >
> > Are the server and client on different sides of a NAT?
> > What's your TrustKeysFrom line?
> >
> > :)
> >
> > --
> > Kind Regards,
> >
> > Tim Nelson
> > Server Administrator
> >
> > P: 03 9934 0888
> > F: 03 9934 0899
> > E: [EMAIL PROTECTED]
> > W: www.webalive.biz
> >
> > WebAlive Technologies
> > Level 1, Innovation Building
> > Digital Harbour
> > 1010 La Trobe Street
> > Docklands Melbourne VIC 3008
>
>
> _______________________________________________
> Help-cfengine mailing list
> [email protected]
> http://lists.gnu.org/mailman/listinfo/help-cfengine
