How To:Configure bsdtcp authentication: Difference between revisions

From wiki.zmanda.com
No edit summary
m (Do not use real existing domain names in examples)
Line 24: Line 24:
  service amanda
  service amanda
  {
  {
         only_from      = amandaserver.company.com
         only_from      = amandaserver.example.com
         socket_type    = dgram
         socket_type    = dgram
         protocol        = udp
         protocol        = udp
Line 41: Line 41:
  service amanda
  service amanda
  {
  {
         only_from      = amandaserver.company.com amandaclient.company.com
         only_from      = amandaserver.example.com amandaclient.example.com
         socket_type    = dgram
         socket_type    = dgram
         protocol        = udp
         protocol        = udp
Line 58: Line 58:
  service amanda
  service amanda
  {
  {
         only_from      = amandaserver.company.com amandaclient.company.com
         only_from      = amandaserver.example.com amandaclient.example.com
         socket_type    = '''stream'''
         socket_type    = '''stream'''
         protocol        = '''tcp'''
         protocol        = '''tcp'''
Line 74: Line 74:
  service amanda
  service amanda
  {
  {
         only_from      = amandaserver.company.com amandaclient.company.com
         only_from      = amandaserver.example.com amandaclient.example.com
         socket_type    = dgram
         socket_type    = dgram
         protocol        = udp
         protocol        = udp
Line 109: Line 109:
Example:
Example:
The ''.amandahosts'' file on the Amanda client should have
The ''.amandahosts'' file on the Amanda client should have
  amandaserver.company.com amandabackup amdump  
  amandaserver.example.com amandabackup amdump  


The ''.amandahosts'' file on the Amanda server should have
The ''.amandahosts'' file on the Amanda server should have


  amandaclient1.company.com root amindexd amidxtaped
  amandaclient1.example.com root amindexd amidxtaped


== Backup an Older amanda 2.4 client ==
== Backup an Older amanda 2.4 client ==
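Review bot: the server-side .amandahosts line in this hunk names amandaclient1.example.com, while the only_from lines changed in the earlier hunks use amandaclient.example.com. Since the host names are being touched anyway, use one client name throughout so readers do not have to guess whether these are the same machine. The changed "amdump" line also keeps its trailing space.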
Line 122: Line 122:
  service amanda
  service amanda
  {
  {
         only_from      = amandaserver.company.com
         only_from      = amandaserver.example.com
         socket_type    = dgram
         socket_type    = dgram
         protocol        = udp
         protocol        = udp
Line 133: Line 133:
  }
  }
The ".amandahosts" file still will need to specify that the server connection is from a "amandabackup" user.
The ".amandahosts" file still will need to specify that the server connection is from a "amandabackup" user.
   amandaclient.company.com amandabackup amdump
   amandaclient.example.com amandabackup amdump
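Review bot: the changed .amandahosts line keeps amandaclient as the host, but the sentence directly above it says the entry describes the server connection, and the only_from in the previous hunk for the same 2.4 client is amandaserver.example.com. The rename carries the old inconsistency over; the line should probably read "amandaserver.example.com amandabackup amdump", and this is the place to fix it.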

Revision as of 17:09, 3 December 2007

These configuration files are valid only for Amanda 2.5.1 or later releases.

xinetd/inetd configuration file changes

Amandad (the Amanda client process) must be configured correctly as an xinetd or inetd service on each Amanda client. This configuration is necessary for the backup process, amdump.

Template for the /etc/xinetd.d/amanda file

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = dgram
       protocol                = udp
       wait                    = yes
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = -auth=bsd amdump
       disable                 = no
 }

Example xinetd.d amanda client service file with backup user - amandabackup

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump
       disable         = no 
}

The Amanda server (tape server) can also be configured to use "bsd" authentication for the restore process, the amrecover command. The server_args on the xinetd service entry on the server should include amindexd and amidxtaped. The only_from line should include all clients that can do recovery.

Example of an xinetd server entry that uses bsd and can do both backup and recovery

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump amindexd amidxtaped
       disable         = no 
}


The bsdtcp authentication requires different xinetd/inetd service entries: the protocol is tcp. An example bsdtcp xinetd service entry for a machine that can do both backup and recovery (it differs from the bsd authentication entry in socket_type, protocol, wait and the -auth argument):

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}

The bsdudp authentication requires only a minor modification to the xinetd service entry. An example, which differs from the bsd authentication entry only in the -auth argument:

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump amindexd amidxtaped
       disable         = no 
}
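A consistency check for the entries above, as an added example that is not part of the original page or of Amanda: it reads one xinetd service block and reports when socket_type, protocol or wait do not match the -auth value in server_args. The function names and the sample entry are constructed for illustration.

```python
import re

# Transport settings each auth type needs, taken from the entries on this page.
EXPECTED = {
    "bsd":    {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdudp": {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdtcp": {"socket_type": "stream", "protocol": "tcp", "wait": "no"},
}

def parse_entry(text):
    """Return the 'key = value' attributes of one xinetd service block."""
    attrs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop xinetd comments
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def lint_entry(text):
    """Return a list of findings; an empty list means the entry is consistent."""
    attrs = parse_entry(text)
    findings = []
    m = re.search(r"-auth=(\S+)", attrs.get("server_args", ""))
    if not m:
        return ["server_args has no -auth= option"]
    auth = m.group(1)
    if auth not in EXPECTED:
        return [f"auth '{auth}' is not bsd, bsdudp or bsdtcp"]
    for key, want in EXPECTED[auth].items():
        got = attrs.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, auth={auth} needs {want!r}")
    if not attrs.get("only_from"):
        findings.append("only_from is missing: no per-service source host restriction")
    return findings

# Constructed sample: a bsd entry edited to bsdtcp without changing the transport.
SAMPLE = """
service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
}
"""

print("\n".join(lint_entry(SAMPLE)))
```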

inetd.conf example

When using inetd, the equivalent of the only_from restriction is controlled by the hosts.allow file on the local system. The example below assumes user=amanda and auth=bsd.

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped

When using auth=ssh, none of the above is needed.

If you are using TCP wrappers, example inetd entry:

amanda          dgram   udp     wait    amanda  /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped


.amandahosts configuration file changes

The .amandahosts file is located in the home directory of the backup user (for example, /var/lib/amanda). This file should be readable and writable only by the backup user.

The format of .amandahosts is

<FQDN of the server> <backup user> <service(s)>

FQDN is the fully qualified domain name. The server can contact the local machine as a backup server to perform the service(s).

Example: The .amandahosts file on the Amanda client should have

amandaserver.example.com amandabackup amdump 

The .amandahosts file on the Amanda server should have

amandaclient1.example.com root amindexd amidxtaped
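A check for the two requirements stated above (owner-only permissions and the three-field line format), as an added example that is not part of the original page or of Amanda. The function names and the sample file are constructed, and the "contains a dot" test is only a heuristic for a fully qualified name.

```python
import os
import stat
import tempfile

def check_amandahosts(path, backup_uid):
    """Return findings for the .amandahosts file at path; empty list means OK."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != backup_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {backup_uid}")
    # Any group or other permission bit breaks "only by the backup user".
    if mode & 0o077:
        findings.append(f"mode {mode:04o} allows group/other access, use 0600")
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            fields = raw.split()
            if not fields:
                continue  # blank line
            if len(fields) < 3:
                findings.append(f"line {lineno}: expected <FQDN> <backup user> <service(s)>")
            if "." not in fields[0]:
                findings.append(f"line {lineno}: host '{fields[0]}' is not fully qualified")
    return findings

def demo():
    """Check a constructed file: loose mode, short host name, missing service."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".amandahosts")
        with open(path, "w") as fh:
            fh.write("amandaserver amandabackup amdump\n")
            fh.write("amandaclient1.example.com root\n")
        os.chmod(path, 0o644)
        return check_amandahosts(path, os.getuid())

if __name__ == "__main__":
    print("\n".join(demo()))
```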

Backup an Older amanda 2.4 client

An Amanda 2.5 server (user "amandabackup") can back up an Amanda 2.4 client (user "amanda"). For this the server must use auth "bsd" for communication; a global auth "bsdtcp" entry can be overridden in special dumptype definitions for use on older clients.

Example of an xinetd server entry using auth "bsd" on an older Amanda 2.4 client (using user "amanda")

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       disable         = no 
}

The ".amandahosts" file will still need to specify that the server connection is from an "amandabackup" user.

 amandaclient.example.com amandabackup amdump