Ticket #936 (closed defect: fixed)

Opened 13 years ago

Last modified 8 years ago

SSL authentication for floating clients without reverse DNS mapping (or with arbitrary one)

Reported by: Owned by: desai
Priority: major Milestone: Bcfg2 1.4.0 Release
Component: bcfg2-client Version: 1.0
Keywords: Cc:


This was already discussed on the mailing list but got lost, so this ticket is to refresh old topic:

Basically, bcfg2 expects clients to have consistent reverse DNS record even for mobile clients. I just verified this on 1.1.0pre4.

In addition to mentioned thread there is another strange behaviour:

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="" name="" auth="cert"/>

Without reverse DNS record running bcfg2 -vqn results in "Client metadata resolution error for; check server log"

When reverse mapping exists (and points to something like 44-33-22-11.dynamic.adsl.blah.blah) running bcfg2 client succeeds but automatically adds another line to clients.xml (do not remember how it looked exactly, but you should get the idea):

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="" name="" auth="cert"/>
  <Client profile="basic" name="44-33-22-11.dynamic.adsl.blah.blah" />


Change History

comment:1 Changed 13 years ago by m4z <[email protected]…>

For completeness on the first half (but not too helpful in case of mobile clients; sorry to do that here): You don't need a reverse DNS record, an entry in the servers' /etc/hosts suffices - as long as it's the same as the CN in the clients' certificate of course.

Why do I post this? Because the error messages along the way do not really help to find the cause of the problem:

bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): address resolution error for
bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): Unexpected Authentication Failure
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): address resolution error for
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): Client metadata resolution error for; check server log
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Got request for bcfg from incorrect address
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Resolved to bcfg.kellerloch
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Authentication Failure
  • First two lines: It would be nice if the error message indicated what kind of resolution was attempted so I have directions. This way I wrongly assumed it was some SSL problem. Later I thought that I just could not use bcfg without setting up a DNS server for my lab.
  • Next two lines: This is the server log (with -dv, even)! And why do I get a "metadata resolution error", does this mean the connecting got through somehow?
  • Third line: This sounds like I have a machine "bcfg" in clients.xml, which I don't. I'm easily confused. Not sure if those messages can be collapsed into one, but something like "Name resolution mismatch: The client connecting from IP has a forward name of 'bcfg', but reverse name 'bcfg.kellerloch'." would be much less confusing to me.

comment:2 Changed 12 years ago by desai

Is the use of the address attribute insufficient? You can use this to set an ip address (or several) that you want to map back to a client.

comment:3 Changed 12 years ago by

Unfortunately no, because client machines are mobile and I can not predict from which addresses they will connect to management server.

comment:4 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.2.0 Release to Bcfg2 1.2.1 Release (Bugfix)

comment:5 Changed 12 years ago by

Issue #1030 (fixed in 5fe3867a3b75aff04eeb7ba8c910ee6939c1680f) addressed a very similar topic. (It did not fix messages in the log, though).

Did it change anything in regard to this bug?

comment:6 Changed 11 years ago by solj

  • Milestone changed from Bcfg2 1.2.1 Release (Bugfix) to Bcfg2 1.3.0 Release

comment:7 Changed 10 years ago by solj

  • Milestone changed from Bcfg2 1.3.0 Release to Bcfg2 1.4.0 Release

comment:8 Changed 8 years ago by solj

  • Status changed from new to closed
  • Resolution set to fixed

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.


Add a comment

Modify Ticket

Change Properties
<Author field>
as closed
The resolution will be deleted. Next status will be 'reopened'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.