Access Denied

From Cfwiki


How to deal with the infamous "Host authentication failed. did you forget the domain?" message:

This can occur under the following circumstances:

  1. The client and server disagree on the client's domain. The domain on the client side is configured within update.conf (and cfagent.conf), while the server obtains the client's domain by calling gethostbyaddr() on the client's address. Generally, you hard-code the domain into the client's configuration and rely on your name service (DNS, LDAP, NIS, etc.) and/or /etc/hosts to supply the same domain to the server.
  2. Keys are either not set up or are set up incorrectly. Any untrusted side of a connection must have its public key on the other side. Calling cfrun on a new client will prompt you to store the key, if cfservd is running on it. Alternatively, you can copy the keys over manually or change the cfengine configuration to (temporarily!) trust the connection.
  3. Access is actually being denied. The server has to be configured to allow the machine to connect (by IP address) and to have access to the files it is trying to copy. Putting trailing slashes in the admit paths will also cause cfengine to deny access.
  4. CNAME: If you use a CNAME to point to your cfengine policy host, reverse DNS lookups may cause the clients to refuse connections from that server, because the name returned by the reverse lookup is not the CNAME. Either use an A record, or use the IP address in cfservd.conf.

If you are having problems with authentication, work through these checks in this order. They will solve the vast majority (all?) of authentication problems. You might also be getting errors that look like access is being denied when the requested file simply does not exist, but the server logs usually make this clear enough.


Keep in mind that even though this error warns you about a possible DNS issue, it is really just a general "Access Denied Somewhere" error.


A couple of examples of things to check if you are getting this error:

  • Is the cfrunCommand set correctly in the cfservd.conf?

Make sure cfrunCommand is set to the correct cfagent executable:

cfrunCommand        = ( "/usr/sbin/cfagent" )

  • Is cfengine allowed access to the cfagent program?

Make sure you have granted access to the cfagent program in the grant: section of cfservd.conf:

grant:
  /usr/sbin/cfagent      host.domain.com

  • Is the server configured to allow connections from the client?

You may receive an error such as "Challenge response from server x.x.x.x was incorrect!" during the initial run of cfagent when setting up a new client. When this occurs, one thing to check is which address ranges the server will accept a connection from an unknown client on. If the client has an IP address outside this range, the server will refuse to talk to it.

This address range is specified by the AllowConnectionsFrom setting in the control: section of cfservd.conf. Make sure your client IP address is included there.

control:
  AllowConnectionsFrom      ( "10.0.0.1:10.0.0.2" )

Another thing to verify is the system clock of the client host. If it is incorrect and the server is configured with DenyBadClocks = ( true ), then the client may also be locked out.
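The causes listed at the top of this page and the checks above all come down to a handful of server-side comparisons. The following is an added, simplified model of those comparisons written for this page; it is not cfservd's own code. It assumes a small constructed reverse-DNS table in place of gethostbyaddr(), treats AllowConnectionsFrom entries as exact addresses or dotted prefixes, and takes the tolerated clock skew for DenyBadClocks as a parameter, because the page does not state cfengine's actual threshold. Running it against a client's details tells you which of the conditions (domain mismatch, missing reverse DNS, address outside AllowConnectionsFrom, unadmitted path, trailing slash in an admit path, bad clock) would produce the "Host authentication failed" message.

```python
"""Offline model of the checks behind cfengine 2's
"Host authentication failed. did you forget the domain?" message.
Added illustration, not cfservd source: each function reproduces one of the
conditions described on the wiki page as a pure function over constructed data."""
from typing import Optional

# Constructed stand-in for what the server learns from gethostbyaddr() on the
# client's address (assumption: a dict replaces DNS/NIS/LDAP//etc/hosts).
REVERSE_DNS = {
    "10.0.0.1": "client1.example.com",
    "10.0.0.2": "client2.example.com",
    "10.0.0.3": "client3.lab.example.com",  # subdomain: domains will disagree
    "10.0.0.4": "policyhost",               # no domain part at all
}


def domain_of(fqdn: str) -> str:
    """Everything after the first dot, or '' when the name has no domain part."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def check_domain(client_ip: str, client_domain: str) -> Optional[str]:
    """Cause 1: the domain the client hard-codes in update.conf must equal the
    domain the server derives from reverse DNS of the client's address."""
    fqdn = REVERSE_DNS.get(client_ip)
    if fqdn is None:
        return f"no reverse DNS for {client_ip}"
    server_domain = domain_of(fqdn)
    if server_domain != client_domain:
        return (f"domain mismatch: client says {client_domain!r}, "
                f"server resolves {server_domain!r}")
    return None


def check_allow_from(client_ip: str, allow_from: list) -> Optional[str]:
    """AllowConnectionsFrom. Assumption: an entry is either an exact address or
    a dotted prefix such as '10.0.' that is matched as a string prefix."""
    for entry in allow_from:
        if client_ip == entry or (entry.endswith(".") and client_ip.startswith(entry)):
            return None
    return f"{client_ip} not covered by AllowConnectionsFrom {allow_from}"


def check_admit(admit_paths: dict, requested: str, fqdn: str) -> Optional[str]:
    """Cause 3: the requested path must be granted to the client's name, and a
    trailing slash on an admit path (other than '/') never matches anything."""
    for path in admit_paths:
        if path != "/" and path.endswith("/"):
            return f"admit path {path!r} has a trailing slash and will never match"
    for path, hosts in admit_paths.items():
        inside = requested == path or requested.startswith(path.rstrip("/") + "/")
        if inside and fqdn in hosts:
            return None
    return f"{requested!r} is not admitted for {fqdn or 'unknown host'}"


def check_clock(skew_seconds: float, deny_bad_clocks: bool,
                max_skew_seconds: float = 3600) -> Optional[str]:
    """DenyBadClocks. The tolerated skew is an assumption of this model; the
    page only says a wrong client clock can lock the client out."""
    if deny_bad_clocks and abs(skew_seconds) > max_skew_seconds:
        return (f"clock skew of {abs(skew_seconds):.0f}s exceeds "
                f"{max_skew_seconds:.0f}s and DenyBadClocks is on")
    return None


def diagnose(client_ip: str, client_domain: str, allow_from: list,
             admit_paths: dict, requested: str, skew_seconds: float = 0,
             deny_bad_clocks: bool = False) -> list:
    """Return every reason the server would deny this client (empty = OK)."""
    fqdn = REVERSE_DNS.get(client_ip, "")
    reasons = [
        check_domain(client_ip, client_domain),
        check_allow_from(client_ip, allow_from),
        check_admit(admit_paths, requested, fqdn),
        check_clock(skew_seconds, deny_bad_clocks),
    ]
    return [r for r in reasons if r]


if __name__ == "__main__":
    # Constructed server settings mirroring the snippets on this page.
    allow = ["10.0.0.1", "10.0.0.2"]
    grants = {"/usr/sbin/cfagent": ["client1.example.com", "client3.lab.example.com"]}
    for ip, dom in [("10.0.0.1", "example.com"), ("10.0.0.3", "example.com")]:
        problems = diagnose(ip, dom, allow, grants, "/usr/sbin/cfagent")
        print(ip, "->", "OK" if not problems else "; ".join(problems))
```

Each check returns a human-readable reason or None, so the same functions can be fed from the real update.conf domain, the output of `host <client-ip>` and the control: and grant: sections when you are debugging a live setup.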
