How To:Configure bsdtcp authentication: Difference between revisions

From wiki.zmanda.com
Revision as of 22:39, 10 November 2008

XXX User:Dustin: Needs TLC, merging



These configuration files are valid only for Amanda 2.5.1 or later releases.

Configure amanda to support bsdudp or bsdtcp security

If you want to use bsdudp or bsdtcp authentication with Amanda and you are compiling from source, you must specify the configure flag

 --with-bsdudp-security

or

 --with-bsdtcp-security

when compiling.

Otherwise, amcheck will return messages like:

 Could not find security driver "bsdtcp" for host "yourhost". auth for this dle is invalid

See Server/Client_authentication for alternate authentication methods.

Changes in the disklist file

On the Amanda server, the entries in the disklist need to carry the auth parameter. A disklist entry is hostname, disk name, dumptype and an optional spindle number; "/home" below is an example disk name:

server.example.com    /home    {
       comp-user-tar
       auth "bsdtcp"
       }    1

This may also be set globally in the definition of the dumptype in amanda.conf:

define dumptype comp-user-tar {
        ...
        auth "bsdtcp"
        ...
}

Older versions of Amanda client software (2.5.0 or earlier) have only the protocol "bsd" available. (The default protocol is "bsd".)


xinetd/inetd configuration file changes

amandad (the Amanda client process) must be configured correctly as an xinetd or inetd service on each Amanda client. This configuration is necessary for the backup process (amdump).

Template for the /etc/xinetd.d/amanda file:

 service amanda
 {
       only_from               = <Amanda server>
       socket_type             = dgram
       protocol                = udp
       wait                    = yes
       user                    = <amanda backup user>
       group                   = <amanda backup user group id>
       groups                  = yes
       server                  = <absolute path to amandad>
       server_args             = -auth=bsd amdump
       disable                 = no
 }

Example /etc/xinetd.d/amanda client service file with backup user amandabackup:

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump
       disable         = no 
}

The Amanda server (tape server) can also be configured to use "bsd" authentication for the restore process (the amrecover command). The server_args on the xinetd service entry on the server should then include amindexd and amidxtaped, and the only_from line should include all clients that are allowed to perform recovery.

Example xinetd entry on the server that uses bsd authentication and supports both backup and recovery:

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsd amdump amindexd amidxtaped
       disable         = no 
}


bsdtcp authentication requires different xinetd/inetd service entries: the socket type is stream, the protocol is tcp and wait is no. An example bsdtcp xinetd service entry for a machine that can do both backup and recovery (it differs from the bsd entry in socket_type, protocol, wait and server_args):

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = stream
       protocol        = tcp
       wait            = no
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
       disable         = no 
}

bsdudp authentication requires only a minor modification to the xinetd service entry: the -auth value in server_args. An example, differing from the bsd entry only in that line:

service amanda
{
       only_from       = amandaserver.example.com amandaclient.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amandabackup
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       server_args     = -auth=bsdudp amdump amindexd amidxtaped
       disable         = no 
}
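The three xinetd entries above differ in a fixed way: bsd and bsdudp are UDP datagram services with wait = yes, while bsdtcp is a TCP stream service with wait = no. As an added example that is not part of the original page, this small Python checker parses a "service amanda" stanza and reports any socket_type, protocol or wait value that does not match the -auth given in server_args, and an empty only_from; the sample stanza is constructed.

```python
import re
# Expected xinetd settings per auth mechanism, as in the entries above: bsd and
# bsdudp use a UDP datagram service (wait = yes), bsdtcp a TCP stream (wait = no).
EXPECTED = {
    "bsd":    {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdudp": {"socket_type": "dgram",  "protocol": "udp", "wait": "yes"},
    "bsdtcp": {"socket_type": "stream", "protocol": "tcp", "wait": "no"},
}

def parse_xinetd_service(text):
    """Return {key: value} for the first 'service amanda { ... }' stanza."""
    m = re.search(r"service\s+amanda\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no 'service amanda' stanza found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_amanda_service(text):
    """Return a list of problems; an empty list means the stanza is consistent."""
    s = parse_xinetd_service(text)
    args = s.get("server_args", "").split()
    # amandad defaults to "bsd" when server_args carries no -auth= argument
    auth = next((a.split("=", 1)[1] for a in args if a.startswith("-auth=")), "bsd")
    if auth not in EXPECTED:
        return [f"unknown auth {auth!r}"]
    problems = []
    for key, want in EXPECTED[auth].items():
        if s.get(key) != want:
            problems.append(f"{key} should be {want!r} for -auth={auth}, got {s.get(key)!r}")
    if not s.get("only_from"):
        problems.append("only_from is empty: any host may reach amandad")
    return problems

# Constructed sample (not from the page): a bsdtcp stanza that still carries
# the UDP settings from the bsd template, a common copy-and-edit mistake.
SAMPLE_BAD = """\
service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       server_args     = -auth=bsdtcp amdump amindexd amidxtaped
}
"""
```

Run check_amanda_service() over each host's /etc/xinetd.d/amanda after editing; a non-empty result means the entry will not work for the -auth it names.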

inetd.conf example

When using inetd there is no only_from option; the equivalent host restriction is controlled by your hosts.allow file on the local system.

Here is an example of using bsd authentication, assuming the Amanda user is "amanda":

amanda          dgram   udp     wait    amanda  /usr/lib/amanda/amandad      amandad -auth=bsd amdump amindexd amidxtaped

Using bsdudp authentication is the same except that "-auth=bsdudp" is specified instead.

Here is an example of using bsdtcp authentication, assuming the Amanda user is "amanda":

amanda          stream  tcp     nowait  amanda  /usr/lib/amanda/amandad      amandad -auth=bsdtcp amdump amindexd amidxtaped

When using ssh authentication, no inetd entry is needed.

If you are using TCP wrappers, your inetd entry may look like this, assuming the Amanda user is "amanda":

amanda          dgram   udp     wait    amanda  /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

.amandahosts configuration file changes

The .amandahosts file is located in the home directory of the backup user (for example /var/lib/amanda). This file should be readable and writable only by the backup user.

The format of .amandahosts is:

<FQDN of the server> <backup user> <service(s)>

FQDN is the fully qualified domain name. An entry permits the named server, connecting as the named backup user, to contact the local machine and perform the listed service(s).

Example: the .amandahosts file on the Amanda client should have:

amandaserver.example.com amandabackup amdump 

The .amandahosts file on the Amanda server should have:

amandaclient1.example.com root amindexd amidxtaped
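Two things go wrong with .amandahosts in practice: a line that is missing its user or service list, and a file mode that lets other accounts read or edit it. As an added example that is not part of the original page, this Python checker parses the "<FQDN> <backup user> <service(s)>" format described above and verifies the file's owner and mode; the sample entries and the 0644 mode are constructed to show a failing case.

```python
import os
import stat
import tempfile

def parse_amandahosts(text):
    """Parse .amandahosts text into (fqdn, user, [services]) tuples plus errors."""
    entries, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:   # a host with no user or no service list is malformed
            errors.append(f"line {n}: expected '<FQDN> <user> <service(s)>', got {line!r}")
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries, errors

def check_amandahosts_file(path, expected_uid):
    """Return problems: wrong owner, group/world-accessible mode, malformed lines."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:   # any group or other bits violate "backup user only"
        problems.append(f"mode {mode:o}: must be readable/writable only by the backup user")
    with open(path) as f:
        _, errors = parse_amandahosts(f.read())
    return problems + errors

# Constructed sample (not from the page): a valid client-side entry followed by
# a line that is missing its service list.
SAMPLE = "amandaserver.example.com amandabackup amdump\namandaclient1.example.com root\n"

def demo():
    """Write SAMPLE to a temp file, loosen its mode to 0644, and check it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE)
        path = f.name
    os.chmod(path, 0o644)
    try:
        return check_amandahosts_file(path, os.getuid())
    finally:
        os.unlink(path)
```

On a real host, call check_amandahosts_file() with the backup user's home-directory .amandahosts path and that user's uid.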

Backing up an older Amanda 2.4 client

An Amanda 2.5 server (user "amandabackup") can back up an Amanda 2.4 client (user "amanda"). For this the server must use auth "bsd" to communicate with that client; a global auth "bsdtcp" setting can be overridden in a separate dumptype definition used for the older clients.

Example xinetd entry using auth "bsd" on an older Amanda 2.4 client (running as user "amanda"):

service amanda
{
       only_from       = amandaserver.example.com
       socket_type     = dgram
       protocol        = udp
       wait            = yes
       user            = amanda
       group           = disk
       groups          = yes
       server          = /usr/lib/amanda/amandad
       disable         = no 
}

The .amandahosts file on the client still needs to specify that the server connection comes from the "amandabackup" user:

 amandaclient.example.com amandabackup amdump