Modify

Ticket #936 (closed defect: fixed)

Opened 11 years ago

Last modified 6 years ago

SSL authentication for floating clients without reverse DNS mapping (or with arbitrary one)

Reported by: https://www.google.com/accounts/o8/id?id=AItOawmRt7tLBwyWzmVJmFuO9bCdKeMQnaFDP-I Owned by: desai
Priority: major Milestone: Bcfg2 1.4.0 Release
Component: bcfg2-client Version: 1.0
Keywords: Cc:

Description

This was already discussed on the mailing list but got lost, so this ticket is to refresh old topic: http://thread.gmane.org/gmane.comp.sysutils.bcfg2.devel/3781

Basically, bcfg2 expects clients to have consistent reverse DNS record even for mobile clients. I just verified this on 1.1.0pre4.

In addition to mentioned thread there is another strange behaviour:

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="example.com" name="example.com" auth="cert"/>
</Clients>

Without reverse DNS record running bcfg2 -vqn results in "Client metadata resolution error for 11.22.33.44; check server log"

When reverse mapping exists (and points to something like 44-33-22-11.dynamic.adsl.blah.blah) running bcfg2 client succeeds but automatically adds another line to clients.xml (do not remember how it looked exactly, but you should get the idea):

<Clients version="3.0">
  <Client profile="basic" pingable="N" location="floating" uuid="example.com" name="example.com" auth="cert"/>
  <Client profile="basic" name="44-33-22-11.dynamic.adsl.blah.blah" />
</Clients>

Attachments

Change History

comment:1 Changed 11 years ago by m4z <686f6c6d@…>

For completeness on the first half (but not too helpful in case of mobile clients; sorry to do that here): You don't need a reverse DNS record, an entry in the servers' /etc/hosts suffices - as long as it's the same as the CN in the clients' certificate of course.

Why do I post this? Because the error messages along the way do not really help to find the cause of the problem:

bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): address resolution error for 192.168.1.52
bcfg2-server[bef7adca2083020a103eee4baf6fadc4c4537344] (SVN r2546): Unexpected Authentication Failure
[...]
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): address resolution error for 192.168.1.52
bcfg2-server[5ba90c46c7372bc7979ae875c712d4d211c2820e] (SVN r2593): Client metadata resolution error for 192.168.1.52; check server log
[...]
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Got request for bcfg from incorrect address 192.168.1.52
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Resolved to bcfg.kellerloch
bcfg2-server[bedb27cb29c9887b4340fdaff5a3975757a5da11] (SVN r2769): Authentication Failure
  • First two lines: It would be nice if the error message indicated what kind of resolution was attempted so I have directions. This way I wrongly assumed it was some SSL problem. Later I thought that I just could not use bcfg without setting up a DNS server for my lab.
  • Next two lines: This is the server log (with -dv, even)! And why do I get a "metadata resolution error", does this mean the connecting got through somehow?
  • Third line: This sounds like I have a machine "bcfg" in clients.xml, which I don't. I'm easily confused. Not sure if those messages can be collapsed into one, but something like "Name resolution mismatch: The client connecting from IP 192.168.1.52 has a forward name of 'bcfg', but reverse name 'bcfg.kellerloch'." would be much less confusing to me.

comment:2 Changed 11 years ago by desai

Is the use of the address attribute insufficient? You can use this to set an ip address (or several) that you want to map back to a client.

comment:3 Changed 11 years ago by https://www.google.com/accounts/o8/id?id=AItOawmRt7tLBwyWzmVJmFuO9bCdKeMQnaFDP-I

Unfortunately no, because client machines are mobile and I can not predict from which addresses they will connect to management server.

comment:4 Changed 10 years ago by solj

  • Milestone changed from Bcfg2 1.2.0 Release to Bcfg2 1.2.1 Release (Bugfix)

comment:5 Changed 10 years ago by https://www.google.com/accounts/o8/id?id=AItOawkfHvWdYf7g8kSZA32s7dhK0Xig9JKo_CA

Issue #1030 (fixed in 5fe3867a3b75aff04eeb7ba8c910ee6939c1680f) addressed a very similar topic. (It did not fix messages in the log, though).

Did it change anything in regard to this bug?

comment:6 Changed 10 years ago by solj

  • Milestone changed from Bcfg2 1.2.1 Release (Bugfix) to Bcfg2 1.3.0 Release

comment:7 Changed 9 years ago by solj

  • Milestone changed from Bcfg2 1.3.0 Release to Bcfg2 1.4.0 Release

comment:8 Changed 6 years ago by solj

  • Status changed from new to closed
  • Resolution set to fixed

WARNING! You need to establish a session before you can create or edit tickets. Otherwise the ticket will get treated as spam.

View

Add a comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
The resolution will be deleted. Next status will be 'reopened'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.