Re: krb5 auth problem
xinetd must be configured to run amandad as root. Jean-Louis Chad Kotil wrote: I am trying to setup krb5 auth on amanda 2.6.0p1. I built the server and client --with-krb5-security, added a new principal to my KDC ([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it on the server. It is locked down so only amandabackup (the user that runs amanda) can read it. The clients have a .k5amandahosts file containing the following: [EMAIL PROTECTED] REALM backupmaster.f.q.d.n [EMAIL PROTECTED] REALM my amanda.conf file contains krb5keytab "/etc/amanda/krb5.keytab-amanda" krb5principal "[EMAIL PROTECTED] REALM" On both of my krb5 auth clients I am seeing this error: 1214425629.641678: amandad: critical (fatal): gss_server failed: real uid is 10036, needs to be 0 to read krb5 host key 10036 is the UID for amandabackup, 0 is the UID for root. Both clients work fine if I just use bsdtcp auth. I am using ssh auth everywhere else but for these two particular hosts I cannot use ssh keys. Any ideas? Thanks, --Chad
Re: krb5 auth problem
Hi there,
We use this on 2.5.2.
On the client, amandad should be spawned by root (makes sense really,
as it's the only user who can see all files :) )
Here's my xinetd.d/k5amandad file :
service k5amanda
{
socket_type = stream
protocol = tcp
wait = no
user = root
group = backup
server = /usr/libexec/amandad
server_args = -auth=krb5
disable = no
}
HTH,
---
AlanP
On 25 Jun 2008, at 21:45, Chad Kotil wrote:
I am trying to setup krb5 auth on amanda 2.6.0p1. I built the server
and client --with-krb5-security, added a new principal to my KDC
([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it
on the server. It is locked down so only amandabackup (the user that
runs amanda) can read it. The clients have a .k5amandahosts file
containing the following:
[EMAIL PROTECTED] REALM
backupmaster.f.q.d.n [EMAIL PROTECTED] REALM
my amanda.conf file contains
krb5keytab "/etc/amanda/krb5.keytab-amanda"
krb5principal "[EMAIL PROTECTED] REALM"
On both of my krb5 auth clients I am seeing this error:
1214425629.641678: amandad: critical (fatal): gss_server failed:
real uid is 10036, needs to be 0 to read krb5 host key
10036 is the UID for amandabackup, 0 is the UID for root.
Both clients work fine if I just use bsdtcp auth. I am using ssh
auth everywhere else but for these two particular hosts I cannot use
ssh keys.
Any ideas?
Thanks,
--Chad
krb5 auth problem
I am trying to setup krb5 auth on amanda 2.6.0p1. I built the server and client --with-krb5-security, added a new principal to my KDC ([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it on the server. It is locked down so only amandabackup (the user that runs amanda) can read it. The clients have a .k5amandahosts file containing the following: [EMAIL PROTECTED] REALM backupmaster.f.q.d.n [EMAIL PROTECTED] REALM my amanda.conf file contains krb5keytab "/etc/amanda/krb5.keytab-amanda" krb5principal "[EMAIL PROTECTED] REALM" On both of my krb5 auth clients I am seeing this error: 1214425629.641678: amandad: critical (fatal): gss_server failed: real uid is 10036, needs to be 0 to read krb5 host key 10036 is the UID for amandabackup, 0 is the UID for root. Both clients work fine if I just use bsdtcp auth. I am using ssh auth everywhere else but for these two particular hosts I cannot use ssh keys. Any ideas? Thanks, --Chad
Re: Amanda 2.6.0 spanning
On 2008-06-25 17:12, Johan Booysen wrote: Thanks for your replies. Wow - you guys confuse me! :) Ermmm...ok. Part of my problem is that I have one humongously huge DLE, and several smaller ones. And there has been some resistance to my suggestions that the one massive DLE be split up on disk. I'm now pretty much at a stage where very soon any full dump of this single DLE will require two tapes in itself. So I don't think I'll realistically be able to never have any DLE span two tapes... You can still split up a very large DLE using tar with include/exclude lists: http://wiki.zmanda.com/index.php/How_To:Split_DLEs_With_Exclude_Lists E.g. I have a DLE with thousands of subfolders. The folders are just numbers, and new folders get new numbers. I divided the DLE in 11 smaller DLE's depending on the last digit of the foldername (0-9 + one DLE with the rest). Even though Amanda can split a single DLE accross tapes, having smaller DLE's to backup still have other advantages: - Restores of single files are faster. The accidental deletes of a few files by endusers are much more frequent than disk crashes. (Amanda is growing features to speed the recovery of single files in very large images as well, but they are not yet ready.) - With smaller DLE's Amanda can spread the full dumps better accross the dumpcycle. Otherwise, when the full dump of that large DLE is due, the backup time takes too long, or could push out incremental dumps of other DLE's as well. - And last, smaller DLE's fit better on a tape avoiding splitting of a single DLE accross tapes. If one tape goes bad, the value of the following tapes becomes close to 0, especialy if you have compression enabled. And even then, I can understand there are still cases when one very large DLE need to be split accross tapes. But, if possible, I still try to avoid that situation. On the other hand, that won't really be a problem to me, unless I find myself in a situation where one tape drive dies and I can't do restores of DLEs split across multiple tapes. I'm hoping that, if I understand Dustin's reply correctly, that it will work. I'll switch off one tape drive tomorrow and test it. Summary: amrecover will prompt for a new tape (not by mail, but interactively) when you specify a device instead of a changer like: amrecover -d /dev/nst0 A few years ago, I did test that (and debugged and patched and patches got merged in), and it did work then. With "amrecover_check_label" Amanda would even verify if the correct tape was inserted, and prompt again if not. And, if my memory is correct, even a changer would loop through the slots, and, if not the correct tape found, would prompt as well. Feedback that it still works or not would be nice. Thanks very much. Wouldn't have been able to get this done without your kind advice. Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin J. Mitchell Sent: 25 June 2008 15:35 To: Johan Booysen Cc: amanda List Subject: Re: Amanda 2.6.0 spanning If you give amrecover a specific tape drive to use, then it will prompt you to manually insert the correct tapes. If you configure chg-multi with only one tape device, though, then it will not prompt you -- it will just inform amrecover that it can't find the requested volume. So I'd recommend the first option. Dustin -- Paul Bijnens, xplanation Technology ServicesTel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED] *** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * ***
RE: Amanda 2.6.0 spanning
Thanks for your replies. Wow - you guys confuse me! :) Ermmm...ok. Part of my problem is that I have one humongously huge DLE, and several smaller ones. And there has been some resistance to my suggestions that the one massive DLE be split up on disk. I'm now pretty much at a stage where very soon any full dump of this single DLE will require two tapes in itself. So I don't think I'll realistically be able to never have any DLE span two tapes... On the other hand, that won't really be a problem to me, unless I find myself in a situation where one tape drive dies and I can't do restores of DLEs split across multiple tapes. I'm hoping that, if I understand Dustin's reply correctly, that it will work. I'll switch off one tape drive tomorrow and test it. Thanks very much. Wouldn't have been able to get this done without your kind advice. Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin J. Mitchell Sent: 25 June 2008 15:35 To: Johan Booysen Cc: amanda List Subject: Re: Amanda 2.6.0 spanning If you give amrecover a specific tape drive to use, then it will prompt you to manually insert the correct tapes. If you configure chg-multi with only one tape device, though, then it will not prompt you -- it will just inform amrecover that it can't find the requested volume. So I'd recommend the first option. Dustin -- Storage Software Engineer http://www.zmanda.com
Re: Amanda 2.6.0 spanning
If you give amrecover a specific tape drive to use, then it will prompt you to manually insert the correct tapes. If you configure chg-multi with only one tape device, though, then it will not prompt you -- it will just inform amrecover that it can't find the requested volume. So I'd recommend the first option. Dustin -- Storage Software Engineer http://www.zmanda.com
Re: Amanda 2.6.0 spanning
On 2008-06-25 14:48, Johan Booysen wrote: Well, that seems to work beautifully. I've forced a full dump of about 180GB, and amdump successfully spanned across the two tape drives. I'm doing a test restore now, but can already see that it works just fine. I'm still not 100% sure on how to perform restores if a disklist entry is spanned across two tapes, but one of the tape drives have died. Would I need to use amrestore instead of amrecover, and then manually untar all the restored chunks? In the parameters for the config that I added, a single DLE does not span two tapes, so you do not encounter that problem. You need to configure a dumptype for that having a parameter "tape_splitsize" and then only those DLE's having that dumptype will be split into chunks. See: http://wiki.zmanda.com/index.php/How_To:Split_Dumps_Across_Tapes I try to avoid that option if possible. Instead I try to fill my tapes using a technique that I explained here: http://wiki.zmanda.com/index.php/How_To:Fill_tapes_to_100%25 and, if you're using Amanda 2.6 or later, you can even add the newer parameters "flush-threshold-dumped" to achieve a better result. Thanks. Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johan Booysen Sent: 24 June 2008 13:39 To: amanda List Subject: RE: Amanda 2.6.0 spanning Hmm, that's weird. My tapecycle specifies 25 tapes. What I'm trying to do is to "bring over" the old server's index/log/tapelist/disklist files etc to the config on the new server, to test that I can do restores from tapes written by the old server. What I've done in the meantime is to create a second config to do a test amdump, so as not to affect the production config, so to speak. And I've labelled some spare tapes for the second config for this purpose so I don't mess with the production set of tapes. I must have missed something out regarding the existing tapes from the old server - will double-check it all again. Thanks! -Original Message- From: Paul Bijnens [mailto:[EMAIL PROTECTED] Sent: 24 June 2008 13:27 To: Johan Booysen Cc: amanda List Subject: Re: Amanda 2.6.0 spanning On 2008-06-24 13:49, Johan Booysen wrote: Hi, Looks like I'm getting somewhere this time. The server is happy with the two tape drives emulating a changer with 2 slots, and all amtape commands seem to complete ok. Just one question before I do a test run: Can I ignore the following warning about the second tape being "still active and cannot be overwritten" when doing an amcheck? No, you can't ignore that. slot 1:read label `daily-5', date `20080508'. .. .. slot 2:read label `daily-6', date `20080509'. Tape with label daily-6 is still active and cannot be overwriten. I'm assuming I can, since I double-checked that daily-6 is marked as "reuse" in the tapelist. The tapes are used by Amanda in an ordered rotation. The tapecycle parameter defines the size of that rotation. Amanda needs to be given the number specified in tapecycle before she accepts to overwrite that tape again. See "man amanda.conf", "tapecycle" for a more detailed explanation. When you REALLY are sure you want Amanda to overwrite it, you can "amrmtape" followed by "amlabel -f" (specifying correct configs and labels). Or you can (temporarily) lower the count given by tapecycle in amanda.conf -- Paul Bijnens, xplanation Technology ServicesTel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED] *** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * ***
RE: Amanda 2.6.0 spanning
Just to clarify: I have two identical tape drives daisy-chained to the server. I'm now using chg-multi, with a chg-multi.conf file that defines the two physical drives as two different slots: slot 1 tape:/dev/nst0 slot 2 tape:/dev/nst1 So if one of the tape drives should break or die, and I have to restore a disklist entry that is spanned across two tapes, how do I handle that? Paul pointed out that I'd be able to use amrecover and specify the working tape drive to use, or that I could change chg-multi.conf to define only one slot (pointing at the working drive). That would work in a case where the disklist entry isn't spanned across two tapes, in my mind. But if the disklist entry is spanned across two tapes, will amrecover prompt for a second tape during the recovery process (and accept it when inserted into the same slot as the previous tape), or will I have to use amrestore? Don't know if my question makes good sense...but thanks anyway for bearing with me. Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin J. Mitchell Sent: 25 June 2008 14:39 To: Johan Booysen Cc: amanda List Subject: Re: Amanda 2.6.0 spanning On Wed, Jun 25, 2008 at 8:48 AM, Johan Booysen <[EMAIL PROTECTED]> wrote: > I'm still not 100% sure on how to perform restores if a disklist entry > is spanned across two tapes, but one of the tape drives have died. > Would I need to use amrestore instead of amrecover, and then manually > untar all the restored chunks? If a recover requires multiple tapes, then amrecover will ask for them, either via the changer script (I've forgotten whether you're using chg-manual or not) or manually. Dustin -- Storage Software Engineer http://www.zmanda.com
Re: Amanda 2.6.0 spanning
On Wed, Jun 25, 2008 at 8:48 AM, Johan Booysen <[EMAIL PROTECTED]> wrote: > I'm still not 100% sure on how to perform restores if a disklist entry > is spanned across two tapes, but one of the tape drives have died. > Would I need to use amrestore instead of amrecover, and then manually > untar all the restored chunks? If a recover requires multiple tapes, then amrecover will ask for them, either via the changer script (I've forgotten whether you're using chg-manual or not) or manually. Dustin -- Storage Software Engineer http://www.zmanda.com
RE: Amanda 2.6.0 spanning
Well, that seems to work beautifully. I've forced a full dump of about 180GB, and amdump successfully spanned across the two tape drives. I'm doing a test restore now, but can already see that it works just fine. I'm still not 100% sure on how to perform restores if a disklist entry is spanned across two tapes, but one of the tape drives have died. Would I need to use amrestore instead of amrecover, and then manually untar all the restored chunks? Thanks. Johan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johan Booysen Sent: 24 June 2008 13:39 To: amanda List Subject: RE: Amanda 2.6.0 spanning Hmm, that's weird. My tapecycle specifies 25 tapes. What I'm trying to do is to "bring over" the old server's index/log/tapelist/disklist files etc to the config on the new server, to test that I can do restores from tapes written by the old server. What I've done in the meantime is to create a second config to do a test amdump, so as not to affect the production config, so to speak. And I've labelled some spare tapes for the second config for this purpose so I don't mess with the production set of tapes. I must have missed something out regarding the existing tapes from the old server - will double-check it all again. Thanks! -Original Message- From: Paul Bijnens [mailto:[EMAIL PROTECTED] Sent: 24 June 2008 13:27 To: Johan Booysen Cc: amanda List Subject: Re: Amanda 2.6.0 spanning On 2008-06-24 13:49, Johan Booysen wrote: > Hi, > > Looks like I'm getting somewhere this time. The server is happy with the two tape drives emulating a changer with 2 slots, and all amtape commands seem to complete ok. > > Just one question before I do a test run: > > Can I ignore the following warning about the second tape being "still active and cannot be overwritten" when doing an amcheck? No, you can't ignore that. > > slot 1:read label `daily-5', date `20080508'. > .. > .. > slot 2:read label `daily-6', date `20080509'. > Tape with label daily-6 is still active and cannot be overwriten. > > I'm assuming I can, since I double-checked that daily-6 is marked as "reuse" in the tapelist. The tapes are used by Amanda in an ordered rotation. The tapecycle parameter defines the size of that rotation. Amanda needs to be given the number specified in tapecycle before she accepts to overwrite that tape again. See "man amanda.conf", "tapecycle" for a more detailed explanation. When you REALLY are sure you want Amanda to overwrite it, you can "amrmtape" followed by "amlabel -f" (specifying correct configs and labels). Or you can (temporarily) lower the count given by tapecycle in amanda.conf -- Paul Bijnens, xplanation Technology ServicesTel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED] *** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, * * F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... * * ... "Are you sure?" ... YES ... Phew ... I'm out * ***
amreport: ERROR unexpected log line: ...
Hello, since I upgraded an Amanda installation from 2.4.4p4 to 2.5.2p1, backup reports always contain lines like these: FAILURE AND STRANGE DUMP SUMMARY: amreport: ERROR unexpected log line: 20080625 2 [sec 45.227 kb 41655 kps 921.7] amreport: ERROR unexpected log line: 20080625 0 [sec 35.747 kb 67281 kps 1883.0] The log file which causes these warnings contains amongst others the following two lines: grouper.salmi.ch /var/spool/imap 20080625 2 [sec 45.227 kb 41655 kps 921.7] grouper.salmi.ch /home 20080625 0 [sec 35.747 kb 67281 kps 1883.0] (grouper is the hostname of the host running amdump.) Any hints about what could be wrong here? TIA, Jukka -- bashian roulette: $ ((RANDOM%6)) || rm -rf ~
