How To:Configure Backward-compatible Authentication Methods

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)

Jump to: navigation, search

This article is a part of the How Tos collection.

Contents

Old Authentications

New versions of Amanda can communicate with very old versions of Amanda, and to do so they use some old authenticaitons. This page builds on How To:Configure bsdtcp authentication to explain how to configure some of these older authentication methods.

bsd

If an authentication method is not specified, bsd is the default used for amanda versions before 3.3.0. As with most defaults in Amanda, this is the case for backward-compatibility reasons, and unless you have old (Amanda-2.4) clients, you don't want to use bsd auth.

(For amanda version 3.3.0 and later, bsdtcp the default authentication method.)

The auth argument to the amandad command does not need to be specified if the default version is to be used, but because the default has changed over time, explicitly specifying it will help make clear exactly what method is being used.

client

Clients need to specify the amdump argument to the amandad command and may make the authentication method clear with the auth argument.

inetd example

Example of using bsd authorization for inetd server assuming Amanda user is "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped

xinetd example

Example xinetd.d amanda client service file with backup user "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump
       disable         = no 
}

server

If an Amanda server will also be a backup client to itself, it will use the same client configuration. However, as the Amanda server is also the recovery server for all clients via the amrecover command, the x/inetd service entry on the Amanda server should also include amindexd and amidxtaped arguments to the amandad command.

The bsd authentication method is the default authentication method, thus a configuration with no auth parameter set will use bsd. Some packaged versions of Amanda, however, will set another authentication method in the global dumptype meaning it will now apply to all dumptypes based on this global dumptype (such as all dumptypes that ship with Amanda).

If you want to use the bsd authentication method to connect to a client and yet your server is trying to use some authentication method other than bsd, you must globally remove specifications to another authentication method in the global dumptype or explicitly specify bsd authentication method for desired clients in the disklist file on the Amanda server. For the latter, you must either specify the auth parameter directly in the disklist file or a dumptype that uses bsd authentication method.

Example of specifying bsd authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsd"
       }    1

Example of a dumptype definition specifying bsd authentication.

define dumptype comp-user-tar {
        ...
        auth "bsd"
        ...
       }

inetd example

Example of using bsd authorization for inetd server assuming Amanda user is "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped

If you are using TCP wrappers, your inetd entry may look like this assuming Amanda user is "amanda":

amanda          dgram   udp     wait    amanda  /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

xinetd example

Example of xinetd server entry that uses bsd for being a backup client to itself as well as a recovery server for all clients

service amanda
{
       only_from       = amandaserver.example.com amandaclient1.example.com amandaclient2.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump amindexd amidxtaped
       disable         = no 
}

bsdudp

If you want to use bsdudp authentication and are compiling from source code, you must specify the configure flag

 --with-bsdudp-security

otherwise, amcheck will return messages like:

 Could not find security driver "bsdudp" for host "yourhost". auth for this dle is invalid

client

Clients need to specify the auth and amdump arguments to the amandad command.

inetd example

Example of using bsdudp authentication for inetd server on an Amanda client using Amanda user "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump

xinetd example

Example of using bsdudp authentication for xinetd server on an Amanda client using Amanda user "amandabackup"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump
       disable         = no 
}

server

You must specify in the disklist file on the Amanda server that you will use the bsdtcp authentication method to connect to any clients. You must either specify the auth parameter directly in the disklist file or a dumptype that specifies bsdtcp authentication method.

Example of specifying bsdudp authentication directly in the disklist file.

server.example.com    {
       comp-user-tar
       auth "bsdudp"
       }    1

Example of a dumptype definition specifying bsdudp authentication.

define dumptype comp-user-tar {
        ...
        auth "bsdudp"
        ...
}

This may also be set globally in the same way by editing the "global" dumptype definition.

inetd example

Example of using bsdudp authentication for inetd server assuming Amanda user "amanda"

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsdudp amdump amindexd amidxtaped

xinetd example

Example of using bsdudp authentication for xinetd server assuming Amanda user "amanda"

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump amindexd amidxtaped
       disable         = no 
}


Backing up an older Amanda 2.4 client

Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available.

An Amanda 2.5 or later server (using user "amandabackup") may still back up an Amanda 2.4 client (user "amanda"). For this, the server must use a auth "bsd" for communication, though a global auth "bsdtcp" entry can be overridden in special dumptype defines for use on older clients.

Example of an inetd file entry on an older Amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not as many amandad server arguments)

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad

Example of an xinetd file on an older amanda 2.4 client (using user "amanda") that only supports bsd authentication (and not some of the more current parameters such as "server_args")

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       disable         = no 
}

The client's ".amandahosts" file will need to specify that the server connection is from user "amandabackup".

 amandaserver.example.com amandabackup amdump
Personal tools