On Sat, May 25, 2019 at 17:43:15 -0400, Gene Heskett wrote:
> On Saturday 25 May 2019 03:25:22 pm Nathan Stratton Treadway wrote:
> > On Sat, May 25, 2019 at 06:38:28 -0400, Gene Heskett wrote:
>
> > > Amanda Backup Client Hosts Check
> > > --------------------------------
> > > ERROR: coyote: selfcheck request failed:
> > > file/dir '/usr/local/etc/amanda-security.conf'
> > > (/usr/local/etc/amanda-security.conf) is not owned by root
> > > ERROR: shop: selfcheck request failed:
> > > file/dir '/usr/local/etc/amanda-security.conf'
> > > (/usr/local/etc/amanda-security.conf) is not owned by root
> >
> > I'm not immediately finding the discussion in the archives, but if I
> > remember correctly from some earlier discussion on this topic, the
> > confusing thing about this message is that it's run once per client
> > machine, but it's actually checking the amanda-security.conf file on
> > the server.
> >
> I don't think so, as earlier today I was getting rid of some of the error
> messages by editing the client files. But 2 clients didn't even have it,
> so you could well be right. And there are 2 copies on this, the server.
> May, or may not, be identical. So I just nuked the one not named.
>
>
> > In any case, what does
> > # ls -l /usr/local/etc/amanda-security.conf
> > (on your server) show?
> rw-r--r-- 1 gene staff 1986 Oct 31 2018 /usr/local/etc/amanda-security.conf
>
> And it's 100% comments. What is it supposed to contain? If the comments
> are correct, I expect I can fix it.

On Sat, May 25, 2019 at 17:48:37 -0400, Gene Heskett wrote:
> On Saturday 25 May 2019 03:52:07 pm Nathan Stratton Treadway wrote:
> > Hmm... did you change the --with-security-file setting in your gh.cf
> > script recently?
> >
> > (In the version you posted to the list on 5 Apr 2019, you had
> > "--with-security-file=/etc/amanda-security.conf", which doesn't match
> > the path in the error messages -- so if you did not change that line
> > since then, there's something weird going on that will need to be
> > tracked down....)
> >
> >
> That line has been:
> --with-bsdtcp-security \
> --with-amandahosts \
> for a decade or more
> >
> > Nathan
> The whole thing:
> #!/bin/sh
> # since I'm always forgetting to su amanda...
> if [ `whoami` != 'amanda' ]; then
> echo
> echo "!!!!!!!!!!!!!!!!!! Warning !!!!!!!!!!!!!!!!!!!"
> echo "Amanda needs to be configured and built by the"
> echo "user amanda, but must be installed by user root."
> echo
> exit 1
> fi
> make clean
> rm -f config.status config.cache
> ./configure --with-user=amanda \
> --with-group=disk \
> --with-owner=amanda \
> --with-gnu-ld \
> --prefix=/usr/local/ \
> --with-debugging=/tmp/amanda-dbg/ \
> --with-tape-server=coyote \
> --with-bsdtcp-security --with-amandahosts \
> --with-configdir=/usr/local/etc/amanda \
> --enable-manpage-build \
> --with-readline \
> --with-gnutar=/bin/tar
> echo "sleeping for reading configures warnings"
> echo "a make as amanda will continue after 75 seconds..."
> sleep 75
> make

Well... the version you posted on "Date: Fri, 5 Apr 2019 13:00:36 -0400"
actually has:
====
[...]
--with-readline \
--with-gnutar=/bin/tar
--with-security-file=/etc/amanda-security.conf
echo "sleeping for reading configures warnings"
[....]
====
(which is the line I was referring to)... but I see that the with-gnutar
line is missing the trailing "\" so the with-security-file line would
have been ignored anyway....

As I recall, you added the
--with-security-file=/etc/amanda-security.conf line (and with a correct
"\" before it) to your script sometime in the past couple of years
because Amanda 3.4-and-later require that each directory on the path to
that file is owned and writable only by root, and your existing
/usr/local/etc/ path did not meet that requirement.

You can see from the "ls" output that the current amanda-security.conf
file is not owned by root, but the permissions look okay, so I think if
you just do a "chown root /usr/local/etc/amanda-security.conf", you will
resolve the current error from amcheck.

(But you may well then get a new error, about a parent directory in that
path...)

The amanda-security.conf file is indeed mostly just comments. Whether
you need to add a line (e.g. tcp_port_range= or udp_port_range=) to the
file depends on what auth types your DLEs use... but the first step is
to get amcheck to accept the permissions on the file-and-parent-path....

Nathan
----------------------------------------------------------------------------
Nathan Stratton Treadway - [email protected] - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
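
The ownership rule described in the message above (the security file owned by root, and each directory on the path to it owned and writable only by root) can be checked before re-running amcheck. This is an added example, not part of the original message and not Amanda's own check; it assumes GNU stat(1), reads "writable only by root" as "uid 0 with no group or other write bit", and the script name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not Amanda's code. Assumes GNU stat(1) and an absolute path.

# entry_ok UID MODE: true only if the owner is root (uid 0) and neither
# group nor others may write (octal mask 022).
entry_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_security_path FILE: check FILE and each parent directory up to /.
# Prints one line per entry; returns 1 if any entry fails, 2 on bad usage.
check_security_path() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        # -L follows symlinks, so the target's owner and mode are tested.
        info=$(stat -L -c '%u %a' -- "$p" 2>/dev/null) || info=""
        uid=${info% *}
        mode=${info#* }
        if [ -z "$info" ]; then
            echo "FAIL $p: cannot stat"
            rc=1
        elif entry_ok "$uid" "$mode"; then
            echo "ok   $p (uid=$uid mode=$mode)"
        else
            echo "FAIL $p (uid=$uid mode=$mode): want uid 0, no group/other write"
            rc=1
        fi
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname -- "$p")
    done
    return "$rc"
}

# Run as: sh check.sh /usr/local/etc/amanda-security.conf
if [ "$#" -gt 0 ]; then
    check_security_path "$1"
    exit $?
fi
```

Every FAIL line names one entry to fix with chown or chmod, which shows the parent-directory problem in the same pass as the file itself.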