Access as localuser not allowed from remoteuser@remotehost

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)
Jump to navigationJump to search

This article is a part of the Troubleshooting collection.

Problem

amcheck(8) may give this error message:

Amanda Backup Client Hosts Check
--------------------------------
ERROR: clienthost: [access as localuser not allowed from remoteuser@remotehost] 

Solution

(x)inetd configuration on the client

First, if the localuser is not what you expect (i.e., not what you have specified in the --with-user flag, at configure time for that client), check the (x)inetd configuration file on the client: you must have specified the wrong username there.

Verify this is the name that is compiled into the Amanda client: look in the amandad debug file in the AMANDA_DBGDIR directory, and verify the CLIENT_LOGIN value).

File .amandahosts or .rhosts on the client

The file .amandahosts on the client has lines of the format:

 remotehost  remoteuser

indicating that user "remoteuser" from host "remotehost" is allowed to initiate a backup on this client.

The "remoteuser" is optional, and if omitted, defaults to the localuser that is running amandad, i.e. the user listed in the (x)inetd configuration file.

Make sure you specify the hostname exactly as it appears in the error message after the `@' sign. You'll need a fully-qualified domain name or not, depending on how your client resolves IP addresses to hostnames.

Depending on the error message saying:

access as backup not allowed from [email protected]

or

access as backup not allowed from amanda@saturn

then .amandahosts file on the client needs the first or the second line:

saturn.example.com  amanda
saturn  amanda

You may add both lines.

The .amandahosts file need strict permissions since version 2.5.0. The file should be owned by the dumpuser and not be readable or writeable by anyone else. Also, the home directory of the dumpuser (containing the .amandahosts file) should not be writeable by anyone else. Otherwise the file is ignored.

# chown amanda  ~amanda  ~/.amandahosts
# chmod 755 ~amanda
# chmod 600 ~amanda/.amandahosts

Make sure the dumpuser does have read access to the file, including the complete path leading to the file. Check the permissions of all the parent directories up to the root directory for at least 'x' access as the dumpuser on that client.

When the programs were compiled with "--without-amandahosts", then Amanda uses the file .rhosts instead. That file has the same format, and the same restrictions on permissions.

DNS issues on the client

If the "remotehost" is not what you expect, there may be a problem with the DNS resolution on the client.

You can add your preferred server hostname to the file /etc/hosts on the client:

/etc/hosts:

  1.2.3.4   amandaserver.example.com

And change the name lookup order in:

/etc/nsswitch.conf:

  hosts:   files, dns

making sure the hosts file is searched before name servers, by putting "files" in front of the other methods (ldap, nis, dns...)

You can use this technique also when the server is behind multiple NAT addresses, and the NAT address that the client sees is unpredictable (but only from a limited range). In that case add the possible names to /etc/hosts, and to .amandahosts:

/etc/hosts:

   100.100.100.1  ip001.example.com
   100.100.100.2  ip002.example.com

.amandahosts:

   ip001.example.com  amanda
   ip002.example.com  amanda

Credits

This text was originally contributed to the AMANDA-FAQ-O-Matic by [email protected].