Access as localuser not allowed from remoteuser@remotehost: Difference between revisions
No edit summary |
(man links) |
||
| (20 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
{{Troubleshooting Header}} | |||
=Problem= | |||
{{man|8|amcheck}} may give this error message: | |||
Amanda Backup Client Hosts Check | |||
-------------------------------- | |||
ERROR: clienthost: [access as ''localuser'' not allowed from ''remoteuser''@''remotehost''] | |||
=Solution= | |||
===(x)inetd configuration on the client=== | |||
First, if the ''localuser'' is not what you expect (i.e., not what you have specified in the --with-user flag, at configure time for that client), check the (x)inetd configuration file on the client: you must have specified the wrong username there. | |||
Verify this is the name that is compiled into the Amanda client: look in the amandad debug file in the [[AMANDA_DBGDIR]] directory, and verify the CLIENT_LOGIN value). | |||
===File .amandahosts or .rhosts on the client=== | |||
The file .amandahosts on the client has lines of the format: | |||
remotehost remoteuser | |||
indicating that user "remoteuser" from host "remotehost" is allowed to initiate a backup on this client. | |||
The "remoteuser" is optional, and if omitted, defaults to the localuser that is running ''amandad'', i.e. the user listed in the (x)inetd configuration file. | |||
Make sure you specify the hostname exactly as it appears in the error message after the `@' sign. You'll need a fully-qualified domain name or not, depending on how your client resolves IP addresses to hostnames. | |||
Depending on the error message saying: | |||
access as backup not allowed from [email protected] | |||
or | |||
access as backup not allowed from amanda@saturn | |||
then .amandahosts file on the client needs the first or the second line: | |||
saturn.example.com amanda | |||
saturn amanda | |||
You may add both lines. | |||
The .amandahosts file need strict permissions since version 2.5.0. | |||
The file should be owned by the [[dumpuser]] and not be readable or writeable by anyone else. | |||
Also, the home directory of the [[dumpuser]] (containing the .amandahosts file) should not be writeable by anyone else. Otherwise the file is ignored. | |||
# chown amanda ~amanda ~/.amandahosts | |||
# chmod 755 ~amanda | |||
# chmod 600 ~amanda/.amandahosts | |||
Make sure the dumpuser does have read access to the file, | |||
including the complete path leading to the file. | |||
Check the permissions of all the parent directories up to the root directory | |||
for at least 'x' access as the dumpuser on that client. | |||
When the programs were compiled with "--without-amandahosts", then Amanda uses the file '''.rhosts''' | |||
instead. That file has the same format, and the same restrictions on permissions. | |||
===DNS issues on the client=== | |||
If the "remotehost" is not what you expect, there may be a problem with the DNS resolution on the client. | |||
You can add your preferred server hostname to the file /etc/hosts on the client: | |||
'''/etc/hosts''': | |||
1.2.3.4 amandaserver.example.com | |||
And change the name lookup order in: | |||
'''/etc/nsswitch.conf''': | |||
hosts: files, dns | |||
making sure the hosts file is searched before name servers, by putting "files" in front of the other methods (ldap, nis, dns...) | |||
You can use this technique also when the server is behind multiple NAT addresses, and the NAT address that the client sees is unpredictable (but only from a limited range). In that case add the possible names to /etc/hosts, and to .amandahosts: | |||
'''/etc/hosts''': | |||
100.100.100.1 ip001.example.com | |||
100.100.100.2 ip002.example.com | |||
'''.amandahosts''': | |||
ip001.example.com amanda | |||
ip002.example.com amanda | |||
= Credits = | |||
This text was originally contributed to the AMANDA-FAQ-O-Matic by [email protected]. | |||
Latest revision as of 23:36, 30 June 2008
This article is a part of the Troubleshooting collection.
Problem
amcheck(8) may give this error message:
Amanda Backup Client Hosts Check -------------------------------- ERROR: clienthost: [access as localuser not allowed from remoteuser@remotehost]
Solution
(x)inetd configuration on the client
First, if the localuser is not what you expect (i.e., not what you have specified in the --with-user flag, at configure time for that client), check the (x)inetd configuration file on the client: you must have specified the wrong username there.
Verify this is the name that is compiled into the Amanda client: look in the amandad debug file in the AMANDA_DBGDIR directory, and verify the CLIENT_LOGIN value).
File .amandahosts or .rhosts on the client
The file .amandahosts on the client has lines of the format:
remotehost remoteuser
indicating that user "remoteuser" from host "remotehost" is allowed to initiate a backup on this client.
The "remoteuser" is optional, and if omitted, defaults to the localuser that is running amandad, i.e. the user listed in the (x)inetd configuration file.
Make sure you specify the hostname exactly as it appears in the error message after the `@' sign. You'll need a fully-qualified domain name or not, depending on how your client resolves IP addresses to hostnames.
Depending on the error message saying:
access as backup not allowed from [email protected]
or
access as backup not allowed from amanda@saturn
then .amandahosts file on the client needs the first or the second line:
saturn.example.com amanda saturn amanda
You may add both lines.
The .amandahosts file need strict permissions since version 2.5.0. The file should be owned by the dumpuser and not be readable or writeable by anyone else. Also, the home directory of the dumpuser (containing the .amandahosts file) should not be writeable by anyone else. Otherwise the file is ignored.
# chown amanda ~amanda ~/.amandahosts # chmod 755 ~amanda # chmod 600 ~amanda/.amandahosts
Make sure the dumpuser does have read access to the file, including the complete path leading to the file. Check the permissions of all the parent directories up to the root directory for at least 'x' access as the dumpuser on that client.
When the programs were compiled with "--without-amandahosts", then Amanda uses the file .rhosts instead. That file has the same format, and the same restrictions on permissions.
DNS issues on the client
If the "remotehost" is not what you expect, there may be a problem with the DNS resolution on the client.
You can add your preferred server hostname to the file /etc/hosts on the client:
/etc/hosts:
1.2.3.4 amandaserver.example.com
And change the name lookup order in:
/etc/nsswitch.conf:
hosts: files, dns
making sure the hosts file is searched before name servers, by putting "files" in front of the other methods (ldap, nis, dns...)
You can use this technique also when the server is behind multiple NAT addresses, and the NAT address that the client sees is unpredictable (but only from a limited range). In that case add the possible names to /etc/hosts, and to .amandahosts:
/etc/hosts:
100.100.100.1 ip001.example.com 100.100.100.2 ip002.example.com
.amandahosts:
ip001.example.com amanda ip002.example.com amanda
Credits
This text was originally contributed to the AMANDA-FAQ-O-Matic by [email protected].