2005-08-22 02:48:52
Subject: Re: [Networker] 7.1.3 client DNS checks and multihomed clients
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Mon, 22 Aug 2005 16:33:24 +1000
Hi,

When I was moving clients to 7.1.2 I had a problem with the same error
message and stumbled upon a solution in the networker knowledgebase,
which is probably quite an achievement in itself.

Normally in your client records you leave the 'Backup command:' property
blank, however if your client record's main name is called
imap1.fred.edu then put in 'save -s imap1.fred.edu'.

It's a bit of a pain because you have to train your whole team to do
this right all the time, but I dealt with this by writing a small script
to check client resources each day to catch any new records which were
not set up correctly, and it's done the trick.


-----Original Message-----
From: Legato NetWorker discussion [mailto:NETWORKER AT listserv.temple DOT edu]
On Behalf Of Tim Mooney
Sent: Monday, 22 August 2005 11:47 AM
To: NETWORKER AT listserv.temple DOT edu
Subject: Re: [Networker] 7.1.3 client DNS checks and multihomed clients

In regard to: Re: [Networker] 7.1.3 client DNS checks and multihomed...:

> Contact Legato about this "feature".  They claim it is by design, and
> for "security".  All clients after 7.1.1 (7.1.2+) do their own
> hostname mangling after a gethostname() call is returned.  They take
> the short name of the machine, and attempt to use that as the
> authentication name for finding which client the server is associated
> with.

Wow, so it's even worse than I suspected.  It has nothing to do with the
fact that we're using a secondary network for backups or that we use
mixed case in our DNS domain name.

Thank you so much for your reply!  Although I'm furious with Legato
right now, it's at least nice to know that someone else has seen the
same thing.

I'm appalled at the thinking that went into this misfeature, and I'll be
communicating that to Legato this week.

> I had proposed our own workaround which will work 100% of the time and
> with any version of the client. It would use a custom library to
> override the gethostname() function to return a custom value when
> starting NetWorker with the library in the LD_PRELOAD environmental
> variable.  This allowed us to create a file in /etc and change the
> name that NetWorker sees on the fly.

That's borderline brilliant!  I may go that route while I'm (almost
certainly) fighting with Legato for the next two weeks to a month.
Thanks for the great suggestion -- I hadn't thought of that.  If there's
a cheap way to hash the fully qualified hostname (which I could get from
uname(2)), I might be able to get away without even needing a file in
/etc, e.g. taking the unique hostname like

        imap1.ndsu.NoDak.edu

and running it through an md5sum or something similar, to generate a
hash, which would be what would need to be in the "Aliases" list for the
client.

We have openssl installed on the vast majority of our boxes, maybe I'll
take a look at how easy it is to hash a string using some of the
routines in libssl.

> Legato however was unreceptive to this workaround and refused to
> support our environments if this was used, and is now coding modified
> versions of save and probably savefs for us to revert back to the old
> authentication ritual.

Which is great, but I'm sure that the binaries they give you won't have
the security fixes in them.

> Have fun banging your head against the wall while communicating the 
> problem to them, it took us about 2 weeks for them to figure out the 
> workaround I proposed, and I still don't think they fully get it.
> Having to code custom client binaries for every version we want to 
> run, and then to have to test/qa/and support them just doesn't make 
> sense to me.
>
> My recommendation would be to run 7.1.1 on your clients, if you can,
> and pray to the gods of backup that they get everything fixed by the
> time 8.x comes out and the 7.x series gets EOL'd.

If there were a 7.1.1 version that had the security fix in it, I would
consider it, but since there isn't I could just as well go back to 6.1.4
(which is what I'm going to have to do in the interim, and look at some
host-based firewalls to ward against the security issues.)

> Have fun!
>
> Jason
>
> PS.  Let me know if you want the code to override the gethostname()
> function anyway.  It's extremely simple, and probably ridden with bugs,
> but it gets the job done.

I do want the code, bugs and all!  It will probably save me a whole
bunch of time down the road.

Thanks again for your response, it was extremely helpful!

Tim
-- 
Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or via RSS at
http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
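As an added illustration of the workaround Jason describes and Tim picks up on (a preloaded library that interposes gethostname() and returns a name read from a file in /etc), here is a C shim written for this page; it is not code from the thread, from Jason, or from Legato. The path /etc/networker-hostname and the helper names are assumptions, and the fallback to uname(2) instead of dlsym(RTLD_NEXT) is a choice made here so the shim needs no libdl. Because the name the shim returns is what the server uses to pick the client resource, the shim honours the file only when it is a root-owned regular file that nobody else can write, and only when its contents look like a hostname.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Assumed location of the override file; the thread only says "a file in
   /etc", so this name is a placeholder chosen for the example. */
#ifndef NSR_HOSTNAME_FILE
#define NSR_HOSTNAME_FILE "/etc/networker-hostname"
#endif

/* Honour the override only for a regular file owned by root that is not
   group- or world-writable: whoever can edit it decides which client
   resource this host is matched against on the server. */
int trusted_override_file(const struct stat *st)
{
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Helper for exercising the policy without a real file on disk. */
int mode_is_trusted(unsigned uid, unsigned mode)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_uid = uid;
    st.st_mode = mode;
    return trusted_override_file(&st);
}

/* Read the first line of `path` into buf as a NUL-terminated hostname.
   Returns the name length on success, -1 if the file is unreadable, empty,
   or contains characters that cannot appear in a hostname, -2 if buf is
   too small. */
int read_override_name(const char *path, char *buf, size_t len)
{
    char line[512];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);

    size_t n = strcspn(line, "\r\n");
    line[n] = '\0';
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = line[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok) return -1;          /* reject blanks, quotes, shell metacharacters */
    }
    if (n + 1 > len) return -2;
    memcpy(buf, line, n + 1);
    return (int)n;
}

/* Helper: the override name read from `path`, or NULL when rejected. */
const char *override_name_from(const char *path)
{
    static char scratch[256];
    return read_override_name(path, scratch, sizeof scratch) >= 0 ? scratch : NULL;
}

/* Helper: write `contents` to `path` (used to build sample files); 0 on success. */
int write_name_file(const char *path, const char *contents)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(contents, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Replacement for libc's gethostname(): with this object in LD_PRELOAD the
   dynamic linker resolves the symbol here before it reaches libc. */
int gethostname(char *name, size_t len)
{
    struct stat st;
    if (stat(NSR_HOSTNAME_FILE, &st) == 0 && trusted_override_file(&st)) {
        int r = read_override_name(NSR_HOSTNAME_FILE, name, len);
        if (r >= 0) return 0;
        if (r == -2) { errno = ENAMETOOLONG; return -1; }
        /* unreadable or malformed file: fall back to the kernel's node name */
    }
    /* uname(2) supplies the node name without dlsym(RTLD_NEXT), so the shim
       never has to find the real gethostname() underneath itself. */
    struct utsname u;
    if (uname(&u) != 0) return -1;
    size_t n = strlen(u.nodename);
    if (n + 1 > len) { errno = ENAMETOOLONG; return -1; }
    memcpy(name, u.nodename, n + 1);
    return 0;
}
```

Build it as a shared object with `gcc -shared -fPIC -o libnsrhostname.so nsr_hostname_shim.c` and start the client with `LD_PRELOAD=/path/to/libnsrhostname.so` in its environment, as the thread describes. Put the exact name of the client resource on the first line of the file, since the 7.1.2+ client shortens whatever gethostname() returns before matching it; keep the file mode 0644 and owned by root, or the shim ignores it and the client behaves as before.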


