Cfrun and Cfservd Confusion

From Cfwiki


FAQ from the mailing list: (the names and IP addresses have been changed, but the stories are true...)

please help me, I'm almost ripping my hair out. I RTFM about 5 times and still can't figure out how to do this properly.
cfrun:clienthost.: Strong authentication of server=10.0.0.1 connection confirmed
10.0.0.1 replies..
 Host authentication failed. Did you forget the domain name or IP/DNS address registration (for ipv4 or ipv6)?
cfrun:clienthost.: Couldn't recv

This is confusing for a lot of people because, in a sense, cfservd.conf is overloaded. On your master server it determines which clients can connect and which areas of the filesystem they can download from, *and* on 'client' machines, when you trigger execution via cfrun, it determines a) whether the machine that is contacting them is allowed to do so and b) if it is, what commands to run.

So you'll need to define a 'cfruncommand' and change the 'grant:' section to match. Although the docs are a bit vague about the purpose of cfRunCommand (making it sound like it could be anything, or perhaps should be '/usr/sbin/cfrun' itself!), make sure it points to a valid location for the 'cfagent' binary.

With that in mind, your cfservd.conf 'grant:' section should have a structure similar to the 'control:' section, where you have different class offsets for 'cfservers::' and 'any.!cfservers::'. For cfservers, grant access from your client IP ranges to your master inputs repository and any file distribution areas you use. For !cfservers, grant access *only from your cfserver IPs* to the location of your cfruncommand. Everybody has the first one because it's necessary to get normal cfagent->cfservd update.conf/copy actions working. Lots of people miss the second one, and I think that's what's causing the confusion.
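As an added illustration of that layout (it is not from the original page or from the CFEngine project's own documentation), here is one cfservd.conf in CFEngine 2 syntax that serves both roles; the host names, address ranges and paths are assumptions:

```cfengine
# Added example, not from the wiki page. One cfservd.conf shared by the
# master and every client. Hostnames, address ranges and paths are assumed:
# master = 10.0.0.1, clients live in 10.0.0.0/24.

classes:

   # 'cfservers' is defined only on the master host (assumed name: master).
   cfservers = ( master )

control:

   domain     = ( example.com )
   AllowUsers = ( root )

   # Hosts outside this prefix cannot even open a connection.
   AllowConnectionsFrom = ( 10.0.0 )
   TrustKeysFrom        = ( 10.0.0 )
   LogAllConnections    = ( true )

   any.!cfservers::
      # Role 2 (clients): the binary cfrun will trigger. It must be a real
      # cfagent path, not cfrun itself.
      cfrunCommand = ( "/usr/local/sbin/cfagent" )

grant:

   # Role 1 (master): file server for the inputs repository and any
   # distribution areas, reachable from the whole client range.
   cfservers::
      /var/cfengine/masterfiles   10.0.0.*
      /var/cfengine/dist          10.0.0.*

   # Role 2 (clients): only the master may trigger cfrunCommand. The path
   # granted here must match the cfrunCommand value above.
   any.!cfservers::
      /usr/local/sbin/cfagent     10.0.0.1
```

If the master also needs to run cfagent itself, it still fetches its inputs locally and never needs the second grant.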

Other things to check:

- If you use hostnames in your 'grant:' section, make sure the IP addresses of the client/server actually resolve to those hostnames, i.e. dig -x 10.0.0.1 should include the domain/hostname you're granting access to. If in doubt, use an IP wildcard such as "10.0.0.*" and see whether that changes anything.

- The error string about "Host authentication failed, Did you forget the domain name or IP/DNS address registration" may not have anything to do with DNS. Mark has said many times that this is a generic error, intended to avoid giving away too much information to an attacker. The best way to find out what's really going on is to run 'cfservd -d -f' on the machine that refused the connection (for cfrun, that is the client) to keep it in the foreground and output debug information. It is noisy but accurate.
