Landon,

After searching through the list archives I came across this thread
from last May. I'm having a similar issue with the 'fd' where it will
crash after I attempt a redirected restore of an encrypted file using
the master key.

Here is a tail of the output with a couple names edited for confidentiality:

fd restore.c:1101 Flush write 34351 bytes, JobBytes=362031
fd restore.c:839 Could not find a valid public key for signature on
/mnt/database/bacula_restores/etc/services
Kaboom! bacula-fd, fd got signal 11. Attempting traceback.
Kaboom! exepath=/usr/sbin
Calling: /usr/sbin/btraceback /usr/sbin/bacula-fd 11254
Traceback complete, attempting cleanup ...
fd: pythonlib.c:237 No startup module.

Unfortunately putting the "PKI Signatures = no" in the config file of
the 'fd' where I'm redirecting the restore to does not seem to solve
the problem.  I can copy the original fd's key pair over to the host
where I'm redirecting the output and everything works fine.

Has there been any movement on this issue?  Something that stops the
daemon from crashing and allows the restore to continue in an
emergency?

Regards,

Jon Amundsen
jamundsen AT gmail DOT com


Massano,

Thanks for the debugging output, it's exactly what's needed. The
crash-causing logic error was already fixed in subversion by Kern,
and I believe a release is planned soon; As a temporary work-around,
you can set "PKI Signatures = no" in the configuration file when
doing the emergency restore.

The "Could not find a valid public key for signature" message is
expected -- the signatures are created using available signing keys,
and your signing public key is no longer available to Bacula. Since
the master private key is not available at encryption time, the files
are not signed with it. This should obviously not cause a crash, though.

I eventually intend on implementing HMAC signing -- in addition to
being much faster, it will allow any valid decryption key to verify
the signature, regardless of public key availability.

-landonf

On May 11, 2007, at 8:32 AM, massano jerome wrote:

> Here is the output of the debug (followed the instructions on the
> manual
> to get more debugging infos) :
>
>
> sme-fd: bnet.c:1154 who=client host=192.168.0.1 port=36387
> [New Thread -1211208784 (LWP 4619)]
> sme-fd: find.c:81 init_find_files ff=8e528e0
> sme-fd: job.c:232 <dird: Hello Director nec-dir calling
> sme-fd: job.c:248 Executing Hello command.
> sme-fd: job.c:351 Calling Authenticate
> sme-fd: cram-md5.c:71 send: auth cram-md5
> <1352298699.1178897275 <at> sme-fd>
> ssl=0
> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
> <446678098.1178897276 <at> nec-dir> ssl=0
> sme-fd: cram-md5.c:150 sending resp to challenge: bEU/R4lTp/+WMm+N/i
> +saA
> sme-fd: job.c:355 OK Authenticate
> sme-fd: job.c:232 <dird: JobId=401 Job=RestoreFiles.
> 2007-05-11_17.27.53
> SDid=28 SDtime=1178874819
> Authorization=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-IONP
> sme-fd: job.c:248 Executing JobId= command.
> sme-fd: job.c:449 JobId=401 Auth=OEFH-DFHP-ABNJ-OJEH-KLNL-LBOF-FPNC-
> IONP
> sme-fd: job.c:232 <dird: storage address=192.168.0.1 port=9103 ssl=0
> sme-fd: job.c:248 Executing storage command.
> sme-fd: job.c:1253 StorageCmd: storage address=192.168.0.1 port=9103
> ssl=0
> sme-fd: job.c:1259 Open storage: 192.168.0.1:9103 ssl=0
> sme-fd: bnet.c:792 Current host[ipv4:192.168.0.1:9103] All
> host[ipv4:192.168.0.1:9103]
> sme-fd: bnet.c:1154 who=Storage daemon host=192.168.0.1 port=9103
> sme-fd: job.c:1271 Connection OK to SD.
> sme-fd: cram-md5.c:131 cram-get: auth cram-md5
> <877297817.1178897276 <at> nec-sd> ssl=0
> sme-fd: cram-md5.c:150 sending resp to challenge: Hj/7R/+Gu6/TOTVfP1
> +SfC
> sme-fd: cram-md5.c:78 send: auth cram-md5
> <1036016859.1178897276 <at> sme-fd>
> ssl=0
> sme-fd: cram-md5.c:97 Authenticate OK 62/xH8NSmS4n165Ilg+/SC
> sme-fd: job.c:1280 Authenticated with SD.
> sme-fd: job.c:232 <dird: bootstrap
> sme-fd: job.c:248 Executing bootstrap command.
> sme-fd: job.c:1106 filed<dird: bootstrap file Volume="Vol0098"
>
> sme-fd: job.c:1106 filed<dird: bootstrap file MediaType="File"
>
> sme-fd: job.c:1106 filed<dird: bootstrap file Device="FileStorage"
>
> sme-fd: job.c:1106 filed<dird: bootstrap file VolSessionId=27
>
> sme-fd: job.c:1106 filed<dird: bootstrap file
> VolSessionTime=1178874819
>
> sme-fd: job.c:1106 filed<dird: bootstrap file VolFile=0
>
> sme-fd: job.c:1106 filed<dird: bootstrap file VolBlock=185-45743481
>
> sme-fd: job.c:1106 filed<dird: bootstrap file FileIndex=1-2853
>
> sme-fd: job.c:1106 filed<dird: bootstrap file Count=2853
>
> sme-fd: job.c:232 <dird: restore replace=a prelinks=0
> where=/tmp/bacula-restoressme-fd: job.c:248 Executing restore command.
> sme-fd: job.c:1578 restore command
> sme-fd: job.c:1596 Got replace a, where=/tmp/bacula-restores
> sme-fd: job.c:1604 bfiled>dird: 2000 OK restore
> sme-fd: job.c:1669 VolSessId=28 VolsessT=1178874819 SF=0 EF=0
> sme-fd: job.c:1670 JobId=401 vol=DummyVolume
> sme-fd: job.c:1677 >stored: read open session = DummyVolume 28
> 1178874819 0 0 0 0
> sme-fd: job.c:1683 bfiled<stored: 3000 OK open ticket = 28
> sme-fd: job.c:1688 bfiled: got Ticket=28
> sme-fd: job.c:1745 3000 OK bootstrap
> sme-fd: job.c:1702 >stored: read data 28
> sme-fd: job.c:1745 3000 OK data
> sme-fd: restore.c:248 Got hdr: Files=0 FilInx=1 Stream=1, File
> attributes.
> sme-fd: restore.c:260 Got stream: File attributes len=96 extract=0
> sme-fd: restore.c:343 File /home/httpd/html/horde/index.php
> attrib=P0A FHYC IGk B A A A 59 BAA I BGRImB BEy5GP BGRD8F A A U
> attribsEx=
> sme-fd: restore.c:361
> Outfile=/tmp/bacula-restores/home/httpd/html/horde/index.php
> sme-fd: create_file.c:88 type=3 newmode=81a4
> file=/tmp/bacula-restores/home/httpd/html/horde/index.php
> sme-fd: create_file.c:186 Make
> path /tmp/bacula-restores/home/httpd/html/horde
> sme-fd: create_file.c:205 Create
> file /tmp/bacula-restores/home/httpd/html/horde/index.php
> sme-fd: create_file.c:210 Create
> file: /tmp/bacula-restores/home/httpd/html/horde/index.php
> (no debugging symbols found)
> sme-fd: attr.c:243 -rw-r--r-- 1 root root 3709
> 2007-05-11
> 12:01:41 /tmp/bacula-restores/home/httpd/html/horde/index.php
> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=22, 22.
> sme-fd: restore.c:260 Got stream: 22 len=640 extract=1
> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
> File data.
> sme-fd: restore.c:260 Got stream: Encrypted File data len=3712
> extract=1
> sme-fd: restore.c:975 decrypted len=3696 encrypted len=3712
> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=20, Encrypted
> File data.
> sme-fd: restore.c:260 Got stream: Encrypted File data len=16 extract=1
> sme-fd: restore.c:975 decrypted len=16 encrypted len=16
> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=1 Stream=19, Signed
> digest.
> sme-fd: restore.c:260 Got stream: Signed digest len=318 extract=1
> sme-fd: restore.c:248 Got hdr: Files=1 FilInx=2 Stream=1, File
> attributes.
> sme-fd: restore.c:260 Got stream: File attributes len=108 extract=1
> sme-fd: restore.c:1059 Flush decrypt len=1 buf_len=3712
> sme-fd: restore.c:1072 Encryption writing full block, 3709 bytes,
> remaining 0 bytes in buffer
> sme-fd: restore.c:1096 Call store_data
> sme-fd: restore.c:1101 Flush write 3709 bytes, JobBytes=3709
> sme-fd: restore.c:839 Could not find a valid public key for signature
> on /tmp/bacula-restores/home/httpd/html/horde/index.php
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1211208784 (LWP 4619)]
> 0x001d748e in EVP_MD_CTX_cleanup () from /lib/libcrypto.so.4
> (gdb)
>
>
>
> Hope that can help...
> why does it say it could not find a valid public key ? The job I am
> trying to restore was backed up with this master key (maybe the master
> key was not taken ?)
>
>
>
>
> Le vendredi 11 mai 2007 à 15:59 +0200, massano jerome a écrit :
>> Last info about my problem : after a failed restore (with the master
>> keypair), the File Daemon is shut down.
>>
>> Le vendredi 11 mai 2007 à 15:34 +0200, massano jerome a écrit :
>>> Just more info that could help : Bacula 2.0.3 compiled form
>>> sources on a
>>> SMEserver (linux distribution based on CentOS) with Mysql.
>>>
>>> Le vendredi 11 mai 2007 à 15:26 +0200, massano jerome a écrit :
>>>> Hello. Thank you for your answer.
>>>>
>>>> Ok. I did what you told me, but it doesn't work : here is the
>>>> output :
>>>> The message of the console are in french, I have made a
>>>> translation of
>>>> them (between brackets).
>>>>
>>>> ----
>>>> *messages
>>>> 11-mai 15:09 nec-dir: Start Restore Job RestoreFiles.
>>>> 2007-05-11_15.09.00
>>>> *messages
>>>> 11-mai 15:09 nec-sd: Ready to read from volume "Vol0093" on device
>>>> "FileStorage" (/tmp).
>>>> 11-mai 15:09 nec-sd: Forward spacing Volume "Vol0093" to file:block
>>>> 0:185.
>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal error:
>>>> Network error with FD during Restore: ERR=Aucune donnée
>>>> disponible (No
>>>> data available)
>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Fatal error:
>>>> read.c:139 Error sending to File daemon. ERR=Connexion ré-
>>>> initialisée
>>>> par le correspondant (Connection reset by peer)
>>>> 11-mai 15:09 nec-sd: RestoreFiles.2007-05-11_15.09.00 Error:
>>>> bnet.c:439
>>>> Write error sending 14384 bytes to client:192.168.0.4:36643:
>>>> ERR=Connexion ré-initialisée par le correspondant (Connection
>>>> reset by
>>>> peer)
>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Fatal
>>>> error: No
>>>> Job status returned from FD.
>>>> 11-mai 15:09 nec-dir: RestoreFiles.2007-05-11_15.09.00 Error:
>>>> Bacula
>>>> 2.0.3 (06Mar07): 11-mai-2007 15:09:03
>>>> JobId: 388
>>>> Job: RestoreFiles.2007-05-11_15.09.00
>>>> Client: sme-fd
>>>> Start time: 11-mai-2007 15:09:02
>>>> End time: 11-mai-2007 15:09:03
>>>> Files Expected: 50,388
>>>> Files Restored: 0
>>>> Bytes Restored: 0
>>>> Rate: 0.0 KB/s
>>>> FD Errors: 0
>>>> FD termination status: Error
>>>> SD termination status: Error
>>>> Termination: *** Restore Error ***
>>>>
>>>> 11-mai 15:09 nec-dir: Begin pruning Jobs.
>>>> 11-mai 15:09 nec-dir: No Jobs found to prune.
>>>> 11-mai 15:09 nec-dir: Begin pruning Files.
>>>> 11-mai 15:09 nec-dir: No Files found to prune.
>>>> 11-mai 15:09 nec-dir: End auto prune.
>>>>
>>>> ----
>>>>
>>>> It works perfectly when I use the original keypair.
>>>> Can anyone see where the problem comes from ?
>>>>
>>>>
>>>>
>>>> Le jeudi 10 mai 2007 à 21:34 -0700, Landon Fuller a écrit :
>>>>> On May 10, 2007, at 4:51 AM, massano jerome wrote:
>>>>>
>>>>>> Le jeudi 10 mai 2007 à 12:01 +0200, Kern Sibbald a écrit :
>>>>>>> On Thursday 10 May 2007 11:14, massano jerome wrote:
>>>>>>>> Hello.
>>>>>>>> I know this kind of mail is supposed to be sent on the user
>>>>>>>> list,
>>>>>>>> but
>>>>>>>> i've asked for it 3 times, and nobody could answer me. Maybe
>>>>>>>> somebody in
>>>>>>>> the dev list can help me ?
>>>>>>>
>>>>>>> Maybe you didn't get an answer because it is rather obvious. If
>>>>>>> you encrypt
>>>>>>> something with an encryption key, you must make a secure non-
>>>>>>> encrypted copy
>>>>>>> of the encryption key, or use the master key, which is to the
>>>>>>> best
>>>>>>> of my
>>>>>>> knowledge documented (at least a number of users are using it).
>>>>>>>
>>>>>>> When you figure out how to do it, please let us know.
>>>>>>>
>>>>>> This is what I understood. I have made a copy of my master
>>>>>> key, but in
>>>>>> the documentation it is not said how I can use the master key to
>>>>>> recover
>>>>>> my files. It is only documented how I can create it and use it to
>>>>>> encrypt, but not how to restore encrypted data. This is why I
>>>>>> sent
>>>>>> it to
>>>>>> the list (I read the documentation BEFORE sending ^^). So if
>>>>>> somebody
>>>>>> can tell me how to use my Master Key to restore previously
>>>>>> encrypted
>>>>>> backups...
>>>>>
>>>>> It is preferable to retain a secure, non-encrypted copy of the
>>>>> client's own encryption keypair. However, should you lose the
>>>>> client's keypair, recovery with the master keypair is possible.
>>>>>
>>>>> You must:
>>>>> 1) Concatenate the master private and public key into a single
>>>>> keypair file, ie:
>>>>> cat master.key master.cert >master.keypair
>>>>>
>>>>> 2) Set the PKI Keypair statement in your bacula configuration
>>>>> file:
>>>>> PKI Keypair = master.keypair
>>>>>
>>>>> 3) Start the restore. The master keypair will be used to
>>>>> decrypt the
>>>>> file data.
>>>>>
>>>>> -landonf
>>>>
>>>>
>>>> -------------------------------------------------------------------

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users