Re: krb5 auth problem

Chad,

I don't have a krb5 setup and the developers sometimes break it.
amandad relinquish root permissions too soon.

Can you try the attached patch?

Jean-Louis

Chad Kotil wrote:

When i run spawn amandad via xinetd as root, i get this error.
1214490832.259079: amandad: critical (fatal): running as user "root"instead of "amandabackup"
In the kerberos wiki it says amandad will relinquish root permissionsafter reading the keytab. It doesnt seem to be doing that.
Also, What keytab on the client needs to be read as root?

--Chad


On Jun 25, 2008, at 5:29 PM, Jean-Louis Martineau wrote:
xinetd must be configured to run amandad as root.

Jean-Louis

Chad Kotil wrote:
I am trying to setup krb5 auth on amanda 2.6.0p1. I built the serverand client --with-krb5-security, added a new principal to my KDC(amandabackup@KERBEROS REALM), and wrote a keytab file and placed iton the server. It is locked down so only amandabackup (the user thatruns amanda) can read it. The clients have a .k5amandahosts filecontaining the following:
amandabackup@KERBEROS REALM
backupmaster.f.q.d.n amandabackup@KERBEROS REALM

my amanda.conf file contains

krb5keytab      "/etc/amanda/krb5.keytab-amanda"
krb5principal   "amandabackup@KERBEROS REALM"


On both of my krb5 auth clients I am seeing this error:
1214425629.641678: amandad: critical (fatal): gss_server failed:real uid is 10036, needs to be 0 to read krb5 host key
10036 is the UID for amandabackup, 0 is the UID for root.
Both clients work fine if I just use bsdtcp auth. I am using sshauth everywhere else but for these two particular hosts I cannot usessh keys.
Any ideas?

Thanks,

--Chad
Chad E. Kotil
Global Research NOC
ckotil AT grnoc.iu DOT edu
Phone: 812 855-5288

--- amandad-src/amandad.c.orig  2008-06-26 13:35:38.000000000 -0400
+++ amandad-src/amandad.c       2008-06-26 13:35:47.000000000 -0400
@@ -218,7 +218,15 @@ main(
 
     config_init(CONFIG_INIT_CLIENT, NULL);
 
-    check_running_as(RUNNING_AS_CLIENT_LOGIN);
+    if (geteuid() == 0) {
+       check_running_as(RUNNING_AS_ROOT);
+       initgroups(CLIENT_LOGIN, get_client_gid());
+       setgid(get_client_gid());
+       setegid(get_client_gid());
+       seteuid(get_client_uid());
+    } else {
+       check_running_as(RUNNING_AS_CLIENT_LOGIN);
+    }
 
     erroutput_type = (ERR_INTERACTIVE|ERR_SYSLOG);
 
@@ -409,6 +417,18 @@ main(
        exit_on_qlength = 1;
     }
 
+    if (getuid() == 0) {
+       if (strcasecmp(auth, "krb5") != 0) {
+           error(_("'%s' auth require amandad to be run as '%s'"), auth,
+                 CLIENT_LOGIN);
+       }
+    } else {
+       if (strcasecmp(auth, "krb5") == 0) {
+           error(_("'krb5' auth require amandad to be run as root"));
+       }
+    }
+
+
     /* initialize */
 
     startclock();
@@ -422,6 +442,11 @@ main(
        dbprintf(_("WARNING: argv[0] not defined: check inetd.conf\n"));
     }
 
+    /* krb5 require the euid to be 0 */
+    if (strcasecmp(auth, "krb5") == 0) {
+       seteuid((uid_t)0);
+    }
+
     /*
      * Schedule to call protocol_accept() when new security handles
      * are created on stdin.

<Prev in Thread]	Current Thread	[Next in Thread>
RE: Amanda 2.6.0 spanning, (continued) RE: Amanda 2.6.0 spanning, Johan Booysen Re: Amanda 2.6.0 spanning, Dustin J. Mitchell RE: Amanda 2.6.0 spanning, Johan Booysen Re: Amanda 2.6.0 spanning, Dustin J. Mitchell RE: Amanda 2.6.0 spanning, Johan Booysen Re: Amanda 2.6.0 spanning, Paul Bijnens krb5 auth problem, Chad Kotil Re: krb5 auth problem, Alan Pearson Re: krb5 auth problem, Jean-Louis Martineau Re: krb5 auth problem, Chad Kotil Re: krb5 auth problem, Jean-Louis Martineau <= Re: krb5 auth problem, Chad Kotil Re: krb5 auth problem, Chad Kotil Message not available Re: krb5 auth problem, Chad Kotil Re: Amanda 2.6.0 spanning, Paul Bijnens Re: IO Errors backing up to new LTO3, Andrew Best