How To:Configure bsdtcp authentication: Difference between revisions
Revision as of 22:39, 10 November 2008
These configuration files are valid only for Amanda 2.5.1 or later releases.
Configure amanda to support bsdudp or bsdtcp security
If you want to use bsdudp or bsdtcp authentication with Amanda and are compiling from source, you must pass the configure flag
--with-bsdudp-security
or
--with-bsdtcp-security
when building.
Otherwise, amcheck will return messages like:
Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid
See Server/Client_authentication for alternate authentication methods.
Changes in the disklist file
On the Amanda server, the entries in the disklist need the auth parameter:
server.example.com { comp-user-tar auth "bsdtcp" } 1
This may also be set globally in the definition of the dumptype in amanda.conf:
define dumptype comp-user-tar { ... auth "bsdtcp" ... }
Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available. (The default protocol is "bsd".)
xinetd/inetd configuration file changes
amandad (the Amanda client process) must be configured correctly as an xinetd or inetd service on each Amanda client. This configuration is necessary for the backup process (amdump).
Template for the /etc/xinetd.d/amanda file:
service amanda
{
    only_from   = <Amanda server>
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = <amanda backup user>
    group       = <amanda backup user group id>
    groups      = yes
    server      = <absolute path to amandad>
    server_args = -auth=bsd amdump
    disable     = no
}
Example /etc/xinetd.d/amanda client service file, with backup user amandabackup:
service amanda
{
    only_from   = amandaserver.example.com
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = amandabackup
    group       = disk
    groups      = yes
    server      = /usr/lib/amanda/amandad
    server_args = -auth=bsd amdump
    disable     = no
}
The Amanda server (tape server) can also be configured to use "bsd" authentication for the restore process (the amrecover command). The server_args of the xinetd service entry on the server should then include amindexd and amidxtaped, and the only_from line should list every client that is allowed to perform recovery.
Example of an xinetd server entry that uses bsd authentication and can do both backup and recovery:
service amanda
{
    only_from   = amandaserver.example.com amandaclient.example.com
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = amandabackup
    group       = disk
    groups      = yes
    server      = /usr/lib/amanda/amandad
    server_args = -auth=bsd amdump amindexd amidxtaped
    disable     = no
}
bsdtcp authentication requires a different xinetd/inetd service entry, because the protocol is tcp. Here is an example bsdtcp xinetd service entry for a machine that can do both backup and recovery; compared with the bsd entry above, the socket_type, protocol, wait and server_args lines differ:
service amanda
{
    only_from   = amandaserver.example.com amandaclient.example.com
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = amandabackup
    group       = disk
    groups      = yes
    server      = /usr/lib/amanda/amandad
    server_args = -auth=bsdtcp amdump amindexd amidxtaped
    disable     = no
}
bsdudp authentication needs only a minor change to the xinetd service entry: compared with the bsd entry above, only the -auth= value in server_args differs.
service amanda
{
    only_from   = amandaserver.example.com amandaclient.example.com
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = amandabackup
    group       = disk
    groups      = yes
    server      = /usr/lib/amanda/amandad
    server_args = -auth=bsdudp amdump amindexd amidxtaped
    disable     = no
}
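Added example, not part of this page or of the Amanda project: a small Python check that reads an xinetd "service amanda" entry and reports when the -auth= driver in server_args disagrees with the socket_type/protocol/wait lines, or when only_from is missing. The expected combinations are taken from the entries above; the sample entry is constructed, and treating a missing -auth= option as "bsd" is an assumption.

```python
import re

EXPECTED = {  # transport each security driver needs, from the entries above
    "bsd":    {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdudp": {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdtcp": {"socket_type": "stream", "protocol": "tcp", "wait": "no"},
}

def parse_xinetd_service(text):
    """Map each attribute of the 'service amanda { ... }' block to its values."""
    m = re.search(r"service\s+amanda\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no 'service amanda' block found")
    attrs = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.split()    # only_from may list several hosts
    return attrs

def check_amanda_service(text):
    """Return the problems found; an empty list means driver and transport agree."""
    attrs = parse_xinetd_service(text)
    problems = []
    args = attrs.get("server_args", [])
    # Assumption: amandad uses the "bsd" driver when server_args has no -auth= option.
    auth = next((a[len("-auth="):] for a in args if a.startswith("-auth=")), "bsd")
    if auth not in EXPECTED:
        return ["server_args selects unknown security driver '%s'" % auth]
    for key, want in EXPECTED[auth].items():
        got = " ".join(attrs.get(key, [])) or "<unset>"
        if got != want:
            problems.append("%s = %s, but auth=%s needs %s" % (key, got, auth, want))
    if not attrs.get("only_from"):
        problems.append("only_from is missing: any host could reach amandad")
    return problems

# Constructed sample: server_args asks for bsdtcp, but the UDP datagram transport lines were left over from a bsd template.
SAMPLE = """service amanda
{
    only_from   = amandaserver.example.com
    socket_type = dgram
    protocol    = udp
    wait        = yes
    server_args = -auth=bsdtcp amdump amindexd amidxtaped
}
"""
```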
inetd.conf example
inetd has no only_from attribute; when using inetd, the hosts allowed to connect are controlled by the hosts.allow file on the local system.
Here is an example of using bsd authentication, assuming the Amanda user is "amanda":
amanda dgram udp wait amanda /usr/lib/amanda/amandad amandad -auth=bsd amdump amindexd amidxtaped
Using bsdudp authentication would be the same, except that "-auth=bsdudp" is specified instead.
Here is an example of using bsdtcp authentication, assuming the Amanda user is "amanda":
amanda stream tcp nowait amanda /usr/lib/amanda/amandad amandad -auth=bsdtcp amdump amindexd amidxtaped
When using ssh authentication, no inetd entry is needed.
If you are using TCP wrappers, your inetd entry may look like this, assuming the Amanda user is "amanda":
amanda dgram udp wait amanda /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped
.amandahosts configuration file changes
The .amandahosts file is located in the home directory of the backup user (For example: /var/lib/amanda). This file should be readable and writable only by the backup user.
The format of .amandahosts is
<FQDN of the server> <backup user> <service(s)>
where FQDN is the fully qualified domain name. The named server, connecting as the named backup user, is allowed to run the listed service(s) on the local machine.
Example: the .amandahosts file on the Amanda client should contain
amandaserver.example.com amandabackup amdump
and the .amandahosts file on the Amanda server should contain
amandaclient1.example.com root amindexd amidxtaped
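Added example, not part of this page or of the Amanda project: a Python checker for the .amandahosts files described above. It parses the <FQDN> <backup user> <service(s)> lines and verifies that the file is owned by the backup user with no group or other permission bits set. The set of known services, the acceptance of entries without a service list, and the demo file are assumptions constructed for this example.

```python
import os
import stat

# Assumption: the services amandad can be asked for, as used in the entries above.
KNOWN_SERVICES = {"amdump", "amindexd", "amidxtaped"}

def parse_amandahosts(text):
    """Return (host, user, services) tuples, one per non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("line %d: expected '<FQDN> <user> <service(s)>'" % lineno)
        # Assumption: a line with no service list (old 2.4-style entry) is accepted.
        entries.append((fields[0], fields[1], fields[2:]))
    return entries

def check_amandahosts(path, backup_uid):
    """Return ownership, permission and entry problems for path; [] means clean."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != backup_uid:
        problems.append("owned by uid %d, not the backup user" % st.st_uid)
    if mode & 0o077:  # any group/other bit set: not "only the backup user"
        problems.append("mode %o lets other users read or write it" % mode)
    with open(path) as f:
        entries = parse_amandahosts(f.read())
    for host, user, services in entries:
        if "." not in host:
            problems.append("%s is not a fully qualified domain name" % host)
        for svc in services:
            if svc not in KNOWN_SERVICES:
                problems.append("%s %s: unknown service %s" % (host, user, svc))
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed demo: the client-side example above, but left world-readable.
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("amandaserver.example.com amandabackup amdump\n")
    os.chmod(f.name, 0o644)
    print(check_amandahosts(f.name, os.getuid()) or "clean")
    os.unlink(f.name)
```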
Backing up an older Amanda 2.4 client
An Amanda 2.5 server (user "amandabackup") can back up an Amanda 2.4 client (user "amanda"). For this the server must use auth "bsd" for communication; a global auth "bsdtcp" setting can be overridden in special dumptype definitions used for the older clients.
Example of an xinetd entry using auth "bsd" on an older Amanda 2.4 client (with user "amanda"):
service amanda
{
    only_from   = amandaserver.example.com
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = amanda
    group       = disk
    groups      = yes
    server      = /usr/lib/amanda/amandad
    disable     = no
}
The .amandahosts file will still need to specify that the server connects as the "amandabackup" user:
amandaclient.example.com amandabackup amdump