Access as localuser not allowed from remoteuser@remotehost

From wiki.zmanda.com
Jump to navigation Jump to search

--- This text was originally contributed to the AMANDA-FAQ-O-Matic by [email protected]. ---

Amcheck may give this error message: 

Amanda Backup Client Hosts Check
--------------------------------
ERROR: clienthost: [access as localuser not allowed from remoteuser@remotehost]

(x)inetd configuration on the client

First, if the localuser is not what you expect (i.e., not what you have specified in the --with-user flag, at configure time for that client), check the (x)inetd configuration file on the client: you must have specified the wrong username there.

Verify this is the name that is compiled into the Amanda client: look in the amandad debug file in the AMANDA_DBG directory, and verify the CLIENT_LOGIN value).

File .amandahosts or .rhosts on the client

The file .amandahosts on the client has lines of the format: 

 remotehost  remoteuser

indicating that user "remoteuser" from host "remotehost" is allowed to initiate a backup on this client.

Make sure you specify the hostname exactly as it appears in the error message after the `@' sign. You'll need a fully-qualified domain name or not, depending on how your client resolves IP addresses to hostnames.

Depending on the error message saying: 

access as backup not allowed from [email protected]

or 

access as backup not allowed from amanda@saturn

then .amandahosts file on the client needs the first or the second line: 

saturn.example.com  amanda
saturn  amanda

You may add both lines.

Also check the ownership and permissions of .amandahosts. Make sure the dumpuser on the client can read the file. Also check the permissions of all the parent directories up to the root directory for access as the dumpuser on that client.

When using a .rhosts file (i.e. when compiled with --without-amandahosts) that file needs strict permissions, otherwise it is silently ignored. It should be owned by the dumpuser and be unreadeable and unwriteable by anyone else. The home directory of the dumpser should also be unwriteable by anyone except the dumpuser. Adjust it assuming "amanda" is the dumpuser on that client: 

# chown amanda:disk  ~amanda  ~amanda/.rhosts
# chmod 600 ~amanda/.rhosts
# chmod 755 ~amanda

DNS issues on the client

If the "remotehost" is not what you expect, there may be a problem with the DNS resolution on the client.

You can add your preferred server hostname to the file /etc/hosts on the client:

/etc/hosts: 

  1.2.3.4   amandaserver.example.com

And change the name lookup order in:

/etc/nsswitch.conf: 

  hosts:   files, dns

making sure the hosts file is searched before name servers, by putting "files" in front of the other methods (ldap, nis, dns...)

You can use this technique also when the server is behind multiple NAT addresses, and the NAT address that the client sees is unpredictable (but only from a limited range). In that case add the possible names to /etc/hosts, and to .amandahosts:

/etc/hosts: 

   100.100.100.1  ip001.example.com
   100.100.100.2  ip002.example.com

.amandahosts: 

   ip001.example.com  amanda
   ip002.example.com  amanda
Retrieved from ‘http://wiki.zmanda.com/index.php?title=Access_as_localuser_not_allowed_from_remoteuser@remotehost&oldid=1821