Re: krb5 auth problem

2008-07-01 Thread Chad Kotil

Here's an update to the Kerberos realm issue I am now seeing.

I want to use my secondary KDC (UVWX.YZ.EDU) rather than the primary
KDC (YZ.EDU), but Amanda doesn't seem to know how to look for it. I
include the KDC realm in all of my configs: amanda.conf and .k5login.

Here is my .k5login
backup/[EMAIL PROTECTED]

I am able to kinit with the secondary KDC on the client using the  
keytab that I have on the server.


[EMAIL PROTECTED] tmp]$ kinit backup/[EMAIL PROTECTED] -kt /home/ckotil/keytab-amanda

[EMAIL PROTECTED] tmp]$
This works just fine.

Here is what i have in my amanda.conf

krb5keytab  /etc/amanda/keytab-amanda
krb5principal   backup/[EMAIL PROTECTED]

The reason I think that Amanda is ignoring the Kerberos realm is this
error that I see on the client in /tmp/amanda/amandad:


1214918169.546254: amandad: gss_name host/[EMAIL PROTECTED]
1214918169.546587: amandad: critical (fatal): gss_server failed: can't acquire creds for host key host/skip: No such file or directory


It claims the gss_name is host/[EMAIL PROTECTED] when it should be host/[EMAIL PROTECTED].


Any ideas?

Thanks,

--Chad

On Jun 26, 2008, at 9:37 PM, Chad Kotil wrote:


Ian,
Jean-Louis provided me with a patch that fixed this problem. The
patch was posted to the list.


I now face a new problem. I need to use my secondary KDC realm to
authenticate, and not my default realm. The keytab on the server is
from the second KDC realm and the principal is from this realm too.
But the client tries to authenticate with the default realm.
Any idea how I can tell the client to use the secondary Kerberos
realm?


Thanks,

--Chad



--
Forums for Amanda discussion: http://forums.zmanda.com/


Chad E. Kotil
Global Research NOC
[EMAIL PROTECTED]
Phone: 812 855-5288
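
The realm in the gss_name above is filled in by the client's Kerberos library, not taken from the krb5principal line in amanda.conf, and the library has two rules for an unqualified name: a principal string such as host/skip that lacks an @REALM simply gets default_realm, while a host-based service name is mapped through [domain_realm] (an exact host entry first, then parent domains with a leading dot from most to least specific, with default_realm as the fallback). The Python below is an added example, not code from the thread or from Amanda, and implements both rules against a constructed krb5.conf. It does not do the DNS canonicalisation the real library may apply to the hostname, and which rule amandad's name import goes through is not shown in the thread; the krb5.conf text and the hostnames are made up, the realm names follow the thread.

```python
"""Realm selection for an unqualified principal name (added example).

Not code from the thread or from Amanda. The krb5.conf below is constructed:
both realms from the thread are known to the client, but only YZ.EDU is
mapped in [domain_realm] and it is also default_realm.
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = YZ.EDU

[realms]
    YZ.EDU = {
        kdc = kdc.yz.edu
    }
    UVWX.YZ.EDU = {
        kdc = kdc.uvwx.yz.edu
    }

[domain_realm]
    .yz.edu = YZ.EDU
    yz.edu = YZ.EDU
"""


def parse_krb5_conf(text):
    """Collect the flat 'key = value' lines of each [section].

    Brace-delimited blocks (the per-realm entries under [realms]) are
    skipped; only [libdefaults] and [domain_realm] matter for realm choice.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def principal_from_string(name, conf):
    """krb5_parse_name rule: a name without @REALM just gets default_realm."""
    if "@" in name:
        return name
    return "%s@%s" % (name, conf["libdefaults"]["default_realm"])


def host_realm(hostname, conf):
    """krb5_sname_to_principal rule: map the host through [domain_realm]."""
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:                      # exact hostname entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # .a.b.c before .b.c before .c
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    # No mapping: fall back to default_realm (assumption: the classic MIT
    # behaviour; newer libraries may try DNS or KDC referrals instead).
    return conf["libdefaults"]["default_realm"]


def service_principal(service, hostname, conf_text=KRB5_CONF):
    """Full host-based principal the library would look for in the keytab."""
    conf = parse_krb5_conf(conf_text)
    return "%s/%s@%s" % (service, hostname.lower(), host_realm(hostname, conf))


def map_host_to_realm(conf_text, hostname, realm):
    """Return conf_text with an exact [domain_realm] entry for hostname.

    Assumes [domain_realm] is the last section, as in KRB5_CONF above; this
    is the client-side change that moves host/<hostname> into another realm
    without touching default_realm.
    """
    return conf_text.rstrip("\n") + "\n    %s = %s\n" % (hostname.lower(), realm)


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(principal_from_string("host/skip", conf))        # default_realm path
    print(service_principal("host", "skip.yz.edu"))         # domain_realm path
    fixed = map_host_to_realm(KRB5_CONF, "skip.yz.edu", "UVWX.YZ.EDU")
    print(service_principal("host", "skip.yz.edu", fixed))  # now UVWX.YZ.EDU
    print(principal_from_string("host/skip.yz.edu", parse_krb5_conf(fixed)))
```

The last two prints show the practical difference: a [domain_realm] entry changes the realm only for names resolved as host-based service names; a name parsed as a bare principal string keeps getting default_realm whatever [domain_realm] says.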




Re: krb5 auth problem

2008-07-01 Thread Chad Kotil

Yeah, a little background might help.


UVWX.YZ.EDU is the realm of my secondary KDC for these two hosts (the
clients) which I am trying to configure krb auth on. YZ.EDU is the
primary KDC on these hosts. These two hosts are my bastion servers,
i.e. hop-off boxes to protect my local machines. The local machines
are all members of the UVWX.YZ.EDU realm. But the two bastion servers
also have UVWX.YZ.EDU configured in krb5.conf as a secondary realm,
which is why I can kinit to the UVWX.YZ.EDU realm with the keytab I
created.


I admin the UVWX.YZ.EDU realm, so it is easy for me to generate
keytabs and the like. The YZ.EDU realm I do not admin.


Hope this helps.


--Chad

On Jul 1, 2008, at 10:58 AM, Mitch Collinsworth wrote:



If your realm is YZ.EDU, then that's what you use.  If UVWX.YZ.EDU is
a host name and not a realm name, then it doesn't belong in your
principal names.

Can you explain why you want to auth against the secondary rather than
the primary?  I can't think of any reason that should matter.

-Mitch



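Once a realm has been chosen, gss_server can only acquire credentials for that exact principal if the client's keytab (by default /etc/krb5.keytab, which is why amandad needs root to read the host key) holds an entry with the same name and the same realm; an entry for the same host under the other realm does not count, which is one way to end up with the "can't acquire creds for host key" failure quoted above. The Python below is an added example, not code from the thread or from Amanda: it writes and reads the MIT keytab file format (version 0x0502, big-endian) so the check can run on a keytab built in memory. The principals, kvnos and the 16-byte key bytes are made up for the example; enctype 17 is aes128-cts-hmac-sha1-96.

```python
"""List the principals in a keytab and check for the one a server needs.

Added example, not code from the thread or from Amanda. Implements the
MIT keytab v2 on-disk format: magic 0x05 0x02, then entries of
  int32 size (bytes after this field; negative = deleted slot)
  uint16 component count, counted realm, counted components
  uint32 name type, uint32 timestamp, uint8 kvno
  uint16 enctype, uint16 key length, key bytes
  optional uint32 kvno (present when 4 bytes remain in the entry)
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_SRV_HST = 3          # name type for host-based service principals
ENCTYPE_AES128_CTS = 17      # aes128-cts-hmac-sha1-96


def split_principal(principal):
    """'host/skip.yz.edu@UVWX.YZ.EDU' -> (['host', 'skip.yz.edu'], 'UVWX.YZ.EDU')."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def keytab_entry(principal, kvno, key, enctype=ENCTYPE_AES128_CTS,
                 timestamp=None, name_type=KRB5_NT_SRV_HST):
    """Serialize one keytab entry, including the 32-bit kvno extension."""
    components, realm = split_principal(principal)
    body = struct.pack(">H", len(components))
    for text in [realm] + components:         # realm first, then components
        raw = text.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type,
                        int(time.time()) if timestamp is None else timestamp,
                        kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def write_keytab(entries):
    return KEYTAB_MAGIC + b"".join(entries)


def read_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry in a v2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # deleted slot: skip its payload
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):            # realm, then each component
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + length].decode())
            pos += length
        realm, components = strings[0], strings[1:]
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                     # key material itself is not needed
        kvno = vno8
        if end - pos >= 4:                    # 32-bit kvno extension present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "%s@%s" % ("/".join(components), realm), kvno, enctype


def has_principal(data, principal):
    """True if an entry with exactly this name and realm exists."""
    return any(name == principal for name, _, _ in read_keytab(data))


# Constructed keytab: the host key was issued by UVWX.YZ.EDU only.
SAMPLE_KEYTAB = write_keytab([
    keytab_entry("host/skip.yz.edu@UVWX.YZ.EDU", 3, b"\x11" * 16, timestamp=0),
    keytab_entry("backup/amanda@UVWX.YZ.EDU", 1, b"\x22" * 16, timestamp=0),
])

if __name__ == "__main__":
    for name, kvno, enctype in read_keytab(SAMPLE_KEYTAB):
        print(name, "kvno", kvno, "enctype", enctype)
    # The name the library looks for when the host maps to the default realm:
    print(has_principal(SAMPLE_KEYTAB, "host/skip.yz.edu@YZ.EDU"))       # False
    print(has_principal(SAMPLE_KEYTAB, "host/skip.yz.edu@UVWX.YZ.EDU"))  # True
```

Run against a real keytab the same way (`read_keytab(open("/etc/krb5.keytab", "rb").read())`, as root), the listing is what `klist -kt` would show, and `has_principal` with the principal from the client's gss_name line is the check that decides whether gss_server can succeed.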



Re: krb5 auth problem

2008-07-01 Thread Mitch Collinsworth


If your realm is YZ.EDU, then that's what you use.  If UVWX.YZ.EDU is
a host name and not a realm name, then it doesn't belong in your
principal names.

Can you explain why you want to auth against the secondary rather than
the primary?  I can't think of any reason that should matter.

-Mitch


On Tue, 1 Jul 2008, Chad Kotil wrote:


Here's an update to the Kerberos realm issue I am now seeing.

I want to use my secondary KDC (UVWX.YZ.EDU) rather than the primary KDC
(YZ.EDU), but Amanda doesn't seem to know how to look for it. I include the
KDC realm in all of my configs: amanda.conf and .k5login.

Here is my .k5login
backup/[EMAIL PROTECTED]

I am able to kinit with the secondary KDC on the client using the keytab that 
I have on the server.


[EMAIL PROTECTED] tmp]$ kinit backup/[EMAIL PROTECTED] -kt /home/ckotil/keytab-amanda

[EMAIL PROTECTED] tmp]$
This works just fine.

Here is what i have in my amanda.conf

krb5keytab  /etc/amanda/keytab-amanda
krb5principal   backup/[EMAIL PROTECTED]

The reason I think that Amanda is ignoring the Kerberos realm is this
error that I see on the client in /tmp/amanda/amandad:


1214918169.546254: amandad: gss_name host/[EMAIL PROTECTED]
1214918169.546587: amandad: critical (fatal): gss_server failed: can't acquire creds for host key host/skip: No such file or directory


It claims the gss_name is host/[EMAIL PROTECTED] when it should be host/[EMAIL PROTECTED].



Any ideas?

Thanks,

--Chad



Re: krb5 auth problem

2008-06-26 Thread Chad Kotil

When I spawn amandad via xinetd as root, I get this error.
1214490832.259079: amandad: critical (fatal): running as user root instead of amandabackup


In the Kerberos wiki it says amandad will relinquish root permissions
after reading the keytab. It doesn't seem to be doing that.

Also, What keytab on the client needs to be read as root?

--Chad


On Jun 25, 2008, at 5:29 PM, Jean-Louis Martineau wrote:


xinetd must be configured to run amandad as root.

Jean-Louis





Re: krb5 auth problem

2008-06-26 Thread Jean-Louis Martineau

Chad,

I don't have a krb5 setup and the developers sometimes break it.
amandad relinquishes root permissions too soon.

Can you try the attached patch?

Jean-Louis

Chad Kotil wrote:

When I spawn amandad via xinetd as root, I get this error.
1214490832.259079: amandad: critical (fatal): running as user root instead of amandabackup


In the Kerberos wiki it says amandad will relinquish root permissions
after reading the keytab. It doesn't seem to be doing that.

Also, What keytab on the client needs to be read as root?

--Chad





--- amandad-src/amandad.c.orig	2008-06-26 13:35:38.0 -0400
+++ amandad-src/amandad.c	2008-06-26 13:35:47.0 -0400
@@ -218,7 +218,15 @@ main(
 
 config_init(CONFIG_INIT_CLIENT, NULL);
 
-check_running_as(RUNNING_AS_CLIENT_LOGIN);
+if (geteuid() == 0) {
+	check_running_as(RUNNING_AS_ROOT);
+	initgroups(CLIENT_LOGIN, get_client_gid());
+	setgid(get_client_gid());
+	setegid(get_client_gid());
+	seteuid(get_client_uid());
+} else {
+	check_running_as(RUNNING_AS_CLIENT_LOGIN);
+}
 
 erroutput_type = (ERR_INTERACTIVE|ERR_SYSLOG);
 
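Review bot: none of initgroups(), setgid(), setegid() or seteuid() in the new geteuid() == 0 branch has its return value checked, so a failure leaves amandad running with root privileges it believes it has dropped; each call should be fatal on -1, e.g. `if (setgid(get_client_gid()) == -1) error(...)`. Note also that only the effective uid changes and the real uid stays 0, so this drop is reversible by design (the third hunk relies on that with seteuid(0)); for every auth other than krb5 a permanent setuid() would be the safer choice, although auth has not been parsed yet at this point, so the second hunk has to reject root for non-krb5 auth afterwards and the daemon runs with real uid 0 in between.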
@@ -409,6 +417,18 @@ main(
 	exit_on_qlength = 1;
 }
 
+if (getuid() == 0) {
+	if (strcasecmp(auth, krb5) != 0) {
+	error(_('%s' auth require amandad to be run as '%s'), auth,
+		  CLIENT_LOGIN);
+	}
+} else {
+	if (strcasecmp(auth, krb5) == 0) {
+	error(_('krb5' auth require amandad to be run as root));
+	}
+}
+
+
 /* initialize */
 
 startclock();
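Review bot: the string literals in these lines appear to have lost their double quotes in transit: `strcasecmp(auth, krb5)` compares against a bare identifier and `error(_('%s' auth require amandad to be run as '%s'), auth, CLIENT_LOGIN)` is not valid C as shown, so confirm the original reads `"krb5"` and `_("'%s' auth requires amandad to be run as '%s'")` (and "require" should be "requires" in both messages). The logic itself is right: root is accepted only for krb5 and krb5 is refused without root, which matches the two failures reported in the thread ("running as user root instead of amandabackup" and "real uid is 10036, needs to be 0 to read krb5 host key").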
@@ -422,6 +442,11 @@ main(
 	dbprintf(_(WARNING: argv[0] not defined: check inetd.conf\n));
 }
 
+/* krb5 require the euid to be 0 */
+if (strcasecmp(auth, krb5) == 0) {
+	seteuid((uid_t)0);
+}
+
 /*
  * Schedule to call protocol_accept() when new security handles
  * are created on stdin.
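Review bot: seteuid((uid_t)0) re-elevates amandad for krb5, but nothing drops the privilege again once the host key has been read, so the daemon keeps effective uid 0 for the rest of the session, contrary to the wiki statement quoted earlier in the thread that amandad relinquishes root after reading the keytab; consider calling seteuid(get_client_uid()) again after gss_server has acquired its credentials, and check the return value of seteuid() here as well rather than continuing silently when it fails.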


Re: krb5 auth problem

2008-06-26 Thread Chad Kotil

I'm using the source version 2.6.0p1.
Here are the results of the patch.

[EMAIL PROTECTED] amandad-src]# patch amandad.c amanda.patch
patching file amandad.c
Hunk #1 succeeded at 218 with fuzz 2.
Hunk #2 FAILED at 417.
Hunk #3 FAILED at 442.
2 out of 3 hunks FAILED -- saving rejects to file amandad.c.rej


I recompiled anyway and I get the same error.

--Chad



On Jun 26, 2008, at 1:42 PM, Jean-Louis Martineau wrote:


Chad,

I don't have a krb5 setup and the developers sometimes break it.
amandad relinquishes root permissions too soon.

Can you try the attached patch?

Jean-Louis





Re: krb5 auth problem

2008-06-26 Thread Chad Kotil

I realized I could apply this patch by hand based on the diff. I did,  
recompiled, and still same result.


Here is the diff for version 2.6.0p1.

[EMAIL PROTECTED] amandad-src]# diff amandad.c amandad.c.orig
221,229c221
 if (geteuid() == 0) {
   check_running_as(RUNNING_AS_ROOT);
   initgroups(CLIENT_LOGIN, get_client_gid());
   setgid(get_client_gid());
   setegid(get_client_gid());
   seteuid(get_client_uid());
 } else {
   check_running_as(RUNNING_AS_CLIENT_LOGIN);
 }
---
 check_running_as(RUNNING_AS_CLIENT_LOGIN);
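Review bot: this diff was taken as `diff amandad.c amandad.c.orig`, so the patched file is on the left and the 221,229c221 block lists the new geteuid() branch as the `<` side with the single original check_running_as(RUNNING_AS_CLIENT_LOGIN) line as the `>` side (the `<`/`>` markers did not survive extraction); read the two d blocks below the same way, as code present only in the patched file. Apart from the line offsets the hand-applied code matches the posted patch hunk for hunk, including the unquoted `krb5` and error() strings noted on the patch itself.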
420,430d411
 if (getuid() == 0) {
   if (strcasecmp(auth, krb5) != 0) {
   error(_('%s' auth require amandad to be run as '%s'),  
auth,

 CLIENT_LOGIN);
   }
 } else {
   if (strcasecmp(auth, krb5) == 0) {
   error(_('krb5' auth require amandad to be run as root));
   }
 }

444,448d424
 /* krb5 require the euid to be 0 */
 if (strcasecmp(auth, krb5) == 0) {
   seteuid((uid_t)0);
 }



--Chad


On Jun 26, 2008, at 2:06 PM, Chad Kotil wrote:


I'm using the source version 2.6.0p1.
Here are the results of the patch.

[EMAIL PROTECTED] amandad-src]# patch amandad.c amanda.patch
patching file amandad.c
Hunk #1 succeeded at 218 with fuzz 2.
Hunk #2 FAILED at 417.
Hunk #3 FAILED at 442.
2 out of 3 hunks FAILED -- saving rejects to file amandad.c.rej


I recompiled anyway and I get the same error.

--Chad







Re: krb5 auth problem

2008-06-26 Thread Chad Kotil

Ian,
Jean-Louis provided me with a patch that fixed this problem. The
patch was posted to the list.


I now face a new problem. I need to use my secondary KDC realm to
authenticate, and not my default realm. The keytab on the server is
from the second KDC realm and the principal is from this realm too.
But the client tries to authenticate with the default realm.

Any idea how I can tell the client to use the secondary kerberos realm?

Thanks,

--Chad


On Jun 26, 2008, at 6:46 PM, Ian Turner wrote:


Chad,

This is a bug in Amanda. I have filed a bug report. As a workaround,
you can probably make it work by compiling --without-force-uid.

I don't think we have any kerberos users who test out daily builds, so
sometimes things break and nobody notices right away. Maybe if you
have a spare machine, you can become the community kerberos tester. :-)

Cheers,

--Ian





krb5 auth problem

2008-06-25 Thread Chad Kotil

I am trying to set up krb5 auth on Amanda 2.6.0p1. I built the server
and client --with-krb5-security, added a new principal to my KDC
([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it
on the server. It is locked down so only amandabackup (the user that
runs Amanda) can read it. The clients have a .k5amandahosts file
containing the following:


[EMAIL PROTECTED] REALM
backupmaster.f.q.d.n [EMAIL PROTECTED] REALM

my amanda.conf file contains

krb5keytab  /etc/amanda/krb5.keytab-amanda
krb5principal   [EMAIL PROTECTED] REALM


On both of my krb5 auth clients I am seeing this error:
1214425629.641678: amandad: critical (fatal): gss_server failed: real  
uid is 10036, needs to be 0 to read krb5 host key


10036 is the UID for amandabackup, 0 is the UID for root.

Both clients work fine if I just use bsdtcp auth. I am using ssh auth  
everywhere else but for these two particular hosts I cannot use ssh  
keys.


Any ideas?

Thanks,

--Chad


Re: krb5 auth problem

2008-06-25 Thread Alan Pearson

Hi there,

We use this on 2.5.2.

On the client, amandad should be spawned by root (makes sense really,  
as it's the only user who can see all files :) )

Here's my xinetd.d/k5amandad file :

service k5amanda
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    group       = backup
    server      = /usr/libexec/amandad
    server_args = -auth=krb5
    disable     = no
}


HTH,


---
AlanP


On 25 Jun 2008, at 21:45, Chad Kotil wrote:

I am trying to set up krb5 auth on Amanda 2.6.0p1. I built the server
and client --with-krb5-security, added a new principal to my KDC
([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it
on the server. It is locked down so only amandabackup (the user that
runs Amanda) can read it. The clients have a .k5amandahosts file
containing the following:


[EMAIL PROTECTED] REALM
backupmaster.f.q.d.n [EMAIL PROTECTED] REALM

my amanda.conf file contains

krb5keytab  /etc/amanda/krb5.keytab-amanda
krb5principal   [EMAIL PROTECTED] REALM


On both of my krb5 auth clients I am seeing this error:
1214425629.641678: amandad: critical (fatal): gss_server failed:  
real uid is 10036, needs to be 0 to read krb5 host key


10036 is the UID for amandabackup, 0 is the UID for root.

Both clients work fine if I just use bsdtcp auth. I am using ssh  
auth everywhere else but for these two particular hosts I cannot use  
ssh keys.


Any ideas?

Thanks,

--Chad





Re: krb5 auth problem

2008-06-25 Thread Jean-Louis Martineau

xinetd must be configured to run amandad as root.

Jean-Louis

Chad Kotil wrote:
I am trying to set up krb5 auth on Amanda 2.6.0p1. I built the server
and client --with-krb5-security, added a new principal to my KDC
([EMAIL PROTECTED] REALM), and wrote a keytab file and placed it
on the server. It is locked down so only amandabackup (the user that
runs Amanda) can read it. The clients have a .k5amandahosts file
containing the following:


[EMAIL PROTECTED] REALM
backupmaster.f.q.d.n [EMAIL PROTECTED] REALM

my amanda.conf file contains

krb5keytab  /etc/amanda/krb5.keytab-amanda
krb5principal   [EMAIL PROTECTED] REALM


On both of my krb5 auth clients I am seeing this error:
1214425629.641678: amandad: critical (fatal): gss_server failed: real 
uid is 10036, needs to be 0 to read krb5 host key


10036 is the UID for amandabackup, 0 is the UID for root.

Both clients work fine if I just use bsdtcp auth. I am using ssh auth 
everywhere else but for these two particular hosts I cannot use ssh keys.


Any ideas?

Thanks,

--Chad