No takers? I got tired of the false positives, so I invented a poor man's
solution - mark email containing this error message as read when it hits the
cfe inbox folder, at least then I will not see it as unread mail. Any hopes
of finding a solution to the problem? Is it a general problem or is it just
my setup?
- Erlend
On 11 August 2011 06:36, Erlend Leganger <erlend.legan...@gmail.com> wrote:
> In my cfe setup, the clients send me email every time the output changes
> (which I think is fairly common in smaller installations). I always have a
> report in a policy, so if it kicks in on a client to make a change, I get an
> email receipt, very nice.
>
> However, this feature is plagued by the spurios "Challenge response...
> incorrect!" messages that keep on coming at irregular intervals, this spams
> my inbox. I had hoped that this would go away with community cfe v3.2.0b3,
> but the messages are still there. Below are some examples showing variations
> of the error message when no policy has kicked in (1 and 2), confirmation
> emails when something did change (3,4 - note that in 4, you have the error,
> but the policy is still carried out), along with the server and update
> policy I use.
>
> Is there something wrong in my setup or is this a bug in cfe? How can I get
> rid of this?
>
> - Erlend
>
> Example 1:
> Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172 !!
> Authentication dialogue with 10.0.1.230 failed
>
> Example 2:
> Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 134 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 141 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 151 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 158 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 165 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172 !!
> Authentication dialogue with 10.0.1.230 failed
>
> Example 3:
> R: my_common_bashrc: updated /etc/bashrc
>
> Example 4:
> Challenge response from server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 151 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 158 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 165 !!
> Authentication dialogue with 10.0.1.230 failed Challenge response from
> server 10.0.1.230/10.0.1.230 was incorrect!
> I: Made in version '1' of '/var/cfengine/inputs/site.cf' near line 172 !!
> Authentication dialogue with 10.0.1.230 failed
> R: my_common_bashrc: updated /etc/bashrc
>
> The server policy:
> root@m5000# cat -n cf-serverd.cf
> 1
> 2
> #------------------------------------------------------------------------
> 3 #controls for the cf-serverd process
> 4 body server control {
> 5 #trustkeysfrom => { "10.0.1.0/24" };
> 6 trustkeysfrom => { "10.0.1.*" };
> 7 allowconnects => { "10.0.1.*" };
> 8 allowusers => { "root" };
> 9 maxconnections => "100";
> 10 logallconnections => "true";
> 11 }
> 12
> 13
> #------------------------------------------------------------------------
> 14 body executor control {
> 15 splaytime => "4"; #rule of thumb: 1+clientcount/50
> 16 mailto => "sys...@some.domain.com";
> 17 smtpserver => "mail.some.domain.com";
> 18 mailmaxlines => "1000";
> 19 #make policy updates apply in first run
> 20 exec_command => "$(sys.workdir)/bin/cf-agent -f failsafe.cf &&
> $(sys.workdir)/bin/cf-agent";
> 21 }
> 22
> 23
> #------------------------------------------------------------------------
> 24 #access rules for the cf-serverd process
> 25 bundle server access_rules {
> 26 access:
> 27 "/export/cfengine/master"
> 28 admit => { "10.0.1.*" };
> 29 "/export/cfengine/depot"
> 30 admit => { "10.0.1.*" };
> 31 "/usr/local/sbin"
> 32 admit => { "10.0.1.*" };
> 33 }
>
> The update policy:
> root@m5000# cat -n update.cf
> 1
> #------------------------------------------------------------------------
> 2 bundle agent update{
> 3 vars:
> 4 "policyserver" string => "10.0.1.230";
> 5 "policyfiles" string => "/export/cfengine/master";
> 6 "cf3binaries" string => "/export/cfengine/depot/cfebin";
> 7
> 8 files:
> 9
> 10
> #---------------------------------------------------------------------
> 11 #get policy files from policy server
> 12 "${sys.workdir}/inputs"
> 13 handle => "update_policy_files",
> 14 copy_from => getfiles("${policyserver}", "${policyfiles}"),
> 15 depth_search => recurse;
> 16
> 17
> #---------------------------------------------------------------------
> 18 #get cf3 binaries from policy server
> 19 "/var/cfengine/bin"
> 20 handle => "cf3_update_binaries",
> 21 #perms => u_p("700"),
> 22 copy_from => getfiles("${policyserver}","${cf3binaries}"),
> 23 depth_search => recurse,
> 24 action => "immediate";
> 25 }
> 26
> 27
> #------------------------------------------------------------------------
> 28 #define body of the getfiles "subroutine"
> 29 body copy_from getfiles(server, path) {
> 30 servers => { "${server}" };
> 31 encrypt => "true";
> 32 trustkey => "true";
> 33 source => "${path}";
> 34 compare => "digest";
> 35 preserve => "true";
> 36 verify => "true";
> 37 #purge => "true"; #can in some cases remove cfe binaries
> completely
> 38 }
> 39
> 40
> #------------------------------------------------------------------------
> 41 body depth_search recurse {
> 42 depth => "inf";
> 43 }
>
>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
