While this doesn't perhaps get to the heart of your question, is there any reason not to use the same expression (172.16.1.0/24 in your example) in 'admit:' that you use in 'control:'?
-Ed

On Mon, 2006-01-23 at 13:27 -0800, Bob Smith wrote:
> the following all takes place using cfengine 2.1.18 on Solaris 10. in this
> environment the client's name is "elf.corp" and the client's dns domain is
> "corp.abc.com". dns resolution works correctly in the environment.
>
> using the examples supplied with the distribution I am attempting to create
> an update.conf for my site. in the admit section of the sample cfservd.conf
> access is granted based on a glob dns domain name match (i.e.
> "*.iu.hioslo.no") however when I attempt to do the same type of thing for my
> site I hit access restrictions.
>
> my cfservd.conf looks like:
>
> control:
>
>     domain = ( corp.abc.com )
>     cfrunCommand = ( "/usr/local/sbin/cfagent" )
>
>     any::
>
>     IfElapsed = ( 1 )
>     ExpireAfter = ( 15 )
>     MaxConnections = ( 50 )
>     MultipleConnections = ( true )
>     LogAllConnections = ( true )
>     AllowConnectionsFrom = ( 172.16.1.0/24 )
>     TrustKeysFrom = ( 172.16.1.0/24 )
>     AllowUsers = ( root )
>
> admit:
>
>     /master_files/sysops/config_files *.corp.abc.com
>
> my update.conf looks like:
>
> control:
>
>     actionsequence = ( copy tidy )
>     domain = ( corp.abc.com )
>
>     policyhost = ( monitor01.corp.abc.com )
>     master_cfinput =
>         ( /master_files/sysops/config_files/env_dep/CORP/var/cfengine/inputs
>         )
>
>     workdir = ( /var/cfengine )
>
> copy:
>
>     $(master_cfinput)
>         dest=$(workdir)/inputs
>         timestamps=preserve
>         exclude=*.lst
>         exclude=*~
>         exclude=*,v
>         exclude=*-
>         exclude=#*
>         ignore=SCCS
>         ignore=RCS
>         recurse=inf
>         type=sum
>         server=$(policyhost)
>         trustkey=true
>         encrypt=true
>
> if I run cfservd in debug mode (-d3) I see the following:
>
> Checking whether to map root privileges..
> FuzzyItemIn(LIST,172.16.1.68)
> No root privileges granted
> WildMatch(elf.corp,*.corp.abc.com)
> WildMatch(*.corp.abc.com,elf.corp)
> WildMatch(172.16.1.68,*.corp.abc.com)
> WildMatch(*.corp.abc.com,172.16.1.68)
> FuzzyItemIn(LIST,172.16.1.68)
> Try FuzzySetMatch(*.corp.abc.com,172.16.1.68)
> cfservd: Host elf.corp denied access to
> /master_files/sysops/config_files/env_dep/CORP/var/cfengine/modules
> cfservd: Unspecified refusal by server
>
> from this it appears to me that the server is not doing either of the
> behaviors I would expect: (a) it is not comparing the "domain" value set in
> the client's update.conf to the access list specified in the server's
> cfservd.conf; (b) it is not resolving, via dns, the client's IP address and
> comparing that to the access list specified in the server's cfservd.conf.
>
> also, the documentation states, in section "4.3 Cfengine classes"
> (http://www.cfengine.com/docs/cfengine-Reference.html#Cfengine-classes) that
> "Cfengine uses both the unqualified and fully host names as classes. Some
> sites and operating systems use fully qualified names for their hosts. i.e.
> uname -n returns to full domain qualified hostname. This spoils the class
> matching algorithms for cfengine, so cfengine automatically truncates names
> which contain a dot `.' at the first `.' it encounters."
>
> given this I would have expected that the hostname used by cfservd for
> access list matching would have been "elf" not "elf.corp" as shown by the
> debug output.

--
Ed Brown <[EMAIL PROTECTED]>

_______________________________________________
Help-cfengine mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-cfengine
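The matching behaviour visible in the -d3 trace above, and the effect of Ed's suggestion to reuse the address range in admit:, as an added model in Python. This is not cfengine's code: it assumes an admit entry is tested against both the client's resolved name and its IP, that a CIDR entry is decided on the address alone, and uses the values from the thread as constructed sample input.

```python
import fnmatch
import ipaddress

# Model of a cfservd 'admit:' check (assumption, not cfengine source): each
# entry for a path is tried against the client's resolved name and its IP,
# as the WildMatch() lines in the debug output show. A CIDR entry is decided
# on the address alone and does not depend on how reverse DNS resolves.


def entry_admits(entry: str, client_ip: str, client_name: str) -> bool:
    """Return True if one admit entry matches the connecting client."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None  # not an address range, treat as a hostname glob
    if network is not None:
        return ipaddress.ip_address(client_ip) in network
    # Hostname glob: tried against the resolved name and the bare address.
    return any(fnmatch.fnmatchcase(candidate, entry)
               for candidate in (client_name, client_ip))


def host_admitted(path: str, admit: dict, client_ip: str, client_name: str) -> bool:
    """admit maps a served path to its list of entries, like an 'admit:' section."""
    return any(entry_admits(e, client_ip, client_name) for e in admit.get(path, []))


PATH = "/master_files/sysops/config_files"

# The configuration quoted in the thread: a DNS wildcard only.
ADMIT_DNS_ONLY = {PATH: ["*.corp.abc.com"]}
# Ed's suggestion: the same range already used for AllowConnectionsFrom.
ADMIT_BY_RANGE = {PATH: ["172.16.1.0/24"]}

if __name__ == "__main__":
    # Client resolved to the short form "elf.corp", as in the debug output:
    # the wildcard never matches, so the request is refused.
    print(host_admitted(PATH, ADMIT_DNS_ONLY, "172.16.1.68", "elf.corp"))  # False
    # The range entry admits the same client regardless of its resolved name.
    print(host_admitted(PATH, ADMIT_BY_RANGE, "172.16.1.68", "elf.corp"))  # True
    # An address outside the range is still refused.
    print(host_admitted(PATH, ADMIT_BY_RANGE, "10.0.0.5", "elf.corp"))     # False
```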
