Also, make sure that the IP that the server sees is the same IP as
that of the workstation that's pulling the configuration (or the client
attempting to make the connection for whatever reason).

In my case I have many NATs in a network and connections appear to
come from the same IP. On the server side, I have to go to the ppkeys
directory and delete the offending key -- a key that belongs to some
other host with the same IP. After that my connections work.

Make sure that you enable logging to /var/log/messages|syslog on the
server so that you can see the connections made from the client when
you get that error. In my case, the IP was always wrong...

On 7/13/06, Mark Burgess <[EMAIL PROTECTED]> wrote:
> Josh Greenberg wrote:
> > I'm new to cfengine and I can't seem to get the clients to pull down the
> > master config files. I have set the policyhost and master_cfinput
> > variables in the update.conf file and I put update.conf and cfservd.conf
> > in the master_cfinput directories but when I run cfagent on a client I
> > get the following error:
> >
> > cfengine:<client>: BAD: key could not be accepted on trust
> > cfengine:<client>: Authentication dialogue with <policyhost> failed
> > cfengine:<client>: Unable to establish connection with <policyhost>
> > (failover)
> >
> > It looks like there is a problem with the keys. I generated keys on the
> > server and client but now I'm not sure what to do with them and the docs
> > don't seem to help at all. I know how ssh keys work. Is it similar to
> > that? Do I need to put the client key into a file on the server so it
> > can connect? Also, should I be putting the cfagent.conf file in the
> > master_cfinput directory to be pushed down? I'm running 2.1.20. Thanks,
> > in advance, for any help.
> >
> > Josh
> > _______________________________________________
> > Help-cfengine mailing list
> > Help-cfengine@cfengine.org
> > http://cfengine.org/mailman/listinfo/help-cfengine
>
>
> Josh - unlikely that there is anything wrong with the keys, most
> likely with the authentication.
>
> Connection rights in cfservd (AllowConnectionsFrom)
> Trustkey = true (cfservd and cfagent)
> Admit access control rules on file object
>
> The trustkey matter is the most likely explanation.
>
> Use -d2 on both sides to debug the connection.
>
> M
>
> --
> Mark Burgess
>
> Professor of Network and System Administration
> Oslo University College
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  [EMAIL PROTECTED]
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>


-- 
----)(-----
Luis Mondesi
*NIX Guru

Kiskeyix.org

"We think basically you watch television to turn your brain off, and
you work on your computer when you want to turn your brain on" --
Steve Jobs in an interview for MacWorld Magazine 2004-Feb

No .doc: http://www.gnu.org/philosophy/no-word-attachments.es.html
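
The three settings named in Mark Burgess's reply, laid out as an added example that is not part of the original thread. It uses cfengine 2 syntax; the domain, the address range, the host name and the masterfiles path are assumed placeholder values.

```cfengine
# --- cfservd.conf on the policy host (all values are assumed placeholders) ---
control:
  domain = ( example.org )

  # 1. Connection rights: which addresses may open a connection at all.
  AllowConnectionsFrom = ( 192.0.2.0/24 )

  # 2. Trust: accept a previously unseen public key from these addresses.
  #    Keep this range narrow. The server files a key under the address it
  #    sees, so hosts behind one NAT address compete for a single entry.
  TrustKeysFrom = ( 192.0.2.0/24 )

admit:
  # 3. Access control on the file object the clients copy.
  /var/cfengine/masterfiles/inputs   *.example.org

# --- update.conf on each client (all values are assumed placeholders) ---
control:
  actionsequence = ( copy )
  domain         = ( example.org )
  policyhost     = ( policyhost.example.org )
  master_cfinput = ( /var/cfengine/masterfiles/inputs )
  workdir        = ( /var/cfengine )

copy:
  $(master_cfinput)  dest=$(workdir)/inputs
                     r=inf
                     mode=600
                     type=checksum
                     server=$(policyhost)
                     trustkey=true    # accept the server's key on first contact
```

Once keys have been exchanged, narrowing or emptying TrustKeysFrom and setting trustkey=false stops either side from silently accepting a replacement key.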