On Fri, May 20, 2011 at 5:59 AM,  Neil Watson wrote:
> When you run cf-serverd in verbose mode it should show how it parses its
> configuration such as access rules.  Look there for a clue.

Excellent, thank you, Neil.  Here is my cf-serverd verbose output
concerning the access_rules bundle.

There is an admit rule and there is no deny rule.
The client IP (10.10.10.10) is admitted, and no IP is denied.

Everything looks OK to me, am I missing something?

First it says: Host myhost.example.org granted access to
/var/cfengine/masterfiles
Then it says: REFUSAL of request from connecting host: (SYNCH
1305903621 STAT /var/cfengine/masterfiles/cfengine_stdlib.cf)
cf-serverd access list is empty, no files are visible


*****************************************************************
BUNDLE access_rules
*****************************************************************


   =========================================================
   access in bundle access_rules (0)
   =========================================================


   =========================================================
   roles in bundle access_rules (0)
   =========================================================

Summarize control promises
Granted access to paths :
Path: /var/cfengine/masterfiles (encrypt=0)
   Admit: .* root=
Denied access to paths :
Path: /var/cfengine/masterfiles
 -> Host IPs allowed connection access :
 .... IP: 10.10.10.10
 .... IP: ::1
Host IPs denied connection access :
Host IPs allowed multiple connection access :
 .... IP: 10.10.10.10
 .... IP: ::1
Host IPs from whom we shall accept public keys on trust :
 .... IP: 10.10.10.10
 .... IP: ::1
Users from whom we accept connections :
 .... USERS: root
Host IPs from NAT which we don't verify :
Dynamical Host IPs (e.g. DHCP) whose bindings could vary over time :
Listening for connections ...


And here is what happens when client (10.10.10.10) connects to
download from /var/cfengine/masterfiles -



 -> Writing last-seen observations
 -> Keyring is empty
 -> Accepting a connection
Accepting connection from "::ffff:10.10.10.10"
New connection...(from ::ffff:10.10.10.10:sd 4)
Spawning new thread...
 >> Detected change in /var/cfengine/inputs
Allowing 10.10.10.10 to connect without (re)checking ID
 -> Quick search detected file changes
Non-verified Host ID is myhost.example.org (Using skipverify)
 -> New promises detected...
Non-verified User ID seems to be root (Using skipverify)
 -> Verifying the syntax of the inputs...
 -> Public key identity of host "::ffff:10.10.10.10" is
"MD5=e8ae97fa2e979bc9a2158220d2a416c5"
 -> Last saw ::ffff:10.10.10.10
(-MD5=e8ae97fa2e979bc9a2158220d2a416c5) first time now
 -> Going to secondary storage for key
 -> Going to secondary storage for key
A public key was already known from
myhost.example.org/::ffff:10.10.10.10 - no trust required
Adding IP ::ffff:10.10.10.10 to SkipVerify - no need to check this if
we have a key
The public key identity was confirmed as r...@myhost.example.org
 -> Strong authentication of client
myhost.example.org/::ffff:10.10.10.10 achieved
 -> Receiving session key from client (size=256)...
Found a matching rule in access list (/var/cfengine/masterfiles in
/var/cfengine/masterfiles)
Host myhost.example.org granted access to /var/cfengine/masterfiles
Found a matching rule in access list (/var/cfengine/masterfiles in
/var/cfengine/masterfiles)
Host myhost.example.org granted access to /var/cfengine/masterfiles
Found a matching rule in access list
(/var/cfengine/masterfiles/cf_promises_validated in
/var/cfengine/masterfiles)
Host myhost.example.org granted access to
/var/cfengine/masterfiles/cf_promises_validated
Found a matching rule in access list
(/var/cfengine/masterfiles/add-local-group.cf in
/var/cfengine/masterfiles)
Host myhost.example.org granted access to
/var/cfengine/masterfiles/add-local-group.cf
 -> Caching the state of validation
Rereading config files /var/cfengine/inputs/promises.cf..
Cfengine - 3.1.4 Copyright (C) Cfengine AS 2008,2010-
------------------------------------------------------------------------
Host name is: myhost.example.org
Operating System Type is linux
Operating System Release is 2.6.18-028stab070.4
Architecture = x86_64
Using internal soft-class linux for host myhost.example.org
The time is now Fri May 20 08:00:21 2011
------------------------------------------------------------------------
# Extended system discovery is only available in version Nova and above
Additional hard class defined as: 64_bit
Additional hard class defined as: linux_2_6_18_028stab070_4
Additional hard class defined as: linux_x86_64
Additional hard class defined as: linux_x86_64_2_6_18_028stab070_4
GNU autoconf class from compile time: compiled_on_linux_gnu
Address given by nameserver: 205.186.147.195
Interface 1: lo
Interface 2: venet0
Adding alias localhost..
Skipping apparent virtual interface 3: venet0:0
Trying to locate my IPv6 address
Looking for environment from cf-monitord...
Loading environment...
cf-serverd access list is empty, no files are visible
Access control in sync
From (host=myhost.example.org,user=root,ip=::ffff:10.10.10.10)
REFUSAL of request from connecting host: (SYNCH 1305903621 STAT
/var/cfengine/masterfiles/cfengine_stdlib.cf)
cf-serverd access list is empty, no files are visible
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
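For readers following this thread, here is an added illustration of the two pieces of CFEngine 3 server policy that the verbose "Summarize control promises" block above reports on: the lists in `body server control` (printed as the "Host IPs allowed connection access", "accept public keys on trust" and "Users from whom we accept connections" lines) and the access promise in `bundle server access_rules` (printed under "Granted access to paths"). This is not the poster's own policy file, which is not shown in the message; the IPs, path and user are copied from the summary, and the `deny` promise for a `/var/cfengine/masterfiles/private` subtree is a hypothetical addition showing where a deny rule would appear.

```cfengine
# Added example of CFEngine 3 server policy (not the poster's own file).
# Values mirror the "Summarize control promises" block in the message;
# the "private" subtree and its deny rule are hypothetical.

body server control
{
  # Printed as "Host IPs allowed connection access"
  allowconnects    => { "10.10.10.10", "::1" };
  # Printed as "Host IPs allowed multiple connection access"
  allowallconnects => { "10.10.10.10", "::1" };
  # Printed as "Host IPs from whom we shall accept public keys on trust";
  # trust is only needed for the first key exchange, so keep this list short
  trustkeysfrom    => { "10.10.10.10", "::1" };
  # Printed as "Users from whom we accept connections"
  allowusers       => { "root" };
}

bundle server access_rules
{
access:

  # Printed as "Path: /var/cfengine/masterfiles" followed by an "Admit:" line.
  # The message shows "Admit: .*", i.e. admit => { ".*" }, which matches every
  # host that already passed the connection lists above; naming the client
  # instead limits this path to that one host.
  "/var/cfengine/masterfiles"
    comment => "Policy tree for the admitted client",
    admit   => { "10.10.10.10" };

  # Hypothetical: a deny promise is listed under "Denied access to paths"
  "/var/cfengine/masterfiles/private"
    comment => "Never serve this subtree",
    deny    => { ".*" };
}
```

After changing the policy, check it with `cf-promises -f /var/cfengine/inputs/promises.cf`, then restart cf-serverd in verbose mode and confirm that the "Summarize control promises" block lists the intended `Admit:` entry for the path; an `Admit: .*` line means any host on the allowconnects list is granted that path, so it is worth tightening even once the refusal itself is resolved.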
