On Wednesday 06 January 2010 13:01:37 Kevin Keane wrote:
> Hi Kern,
>
> Thanks for looking at that! I may actually end up volunteering to do the
> Windows IPv6 myself if I find the time and can set up the development
> environment. Not a promise, though; paid work has to come first, of course!
> Given that Microsoft is pushing IPv6 very heavily, I can't imagine that the
> structures aren't there - but it is quite likely that the IPv6 socket code
> is very different from the Unix code.
>
> Meanwhile, Dan and I discussed this offline and came up with a short-term
> suggestion: make bacula's IPv6 behavior configurable, instead of always
> automatically using an AAAA record. That is probably a lot faster and
> easier to implement than porting the Windows FD to IPv6. The impact is just
> too dramatic to leave this issue completely unaddressed.

I personally believe that the best way to proceed is for someone who is
interested to either fund an IPv6 project for Windows or to submit the code.
I don't particularly like the idea of a configurable option because we
already have too many, and unless I am missing something, this seems to me
to be somewhat of a special case where there are probably other workarounds.

Best regards,

Kern

>
> Regards,
>
> Kevin
>
> -----Original Message-----
> From: Mantis Bug Tracker [mailto:[email protected]]
> Sent: Wednesday, January 06, 2010 3:22 AM
> To: Kevin Keane
> Subject: [bacula 0001439]: IPv6 breaks WinBacula with Windows Advanced
> Firewall
>
>
> The following issue has been CLOSED
> ======================================================================
> http://bugs.bacula.org/view.php?id=1439
> ======================================================================
> Reported By:                kkeane
> Assigned To:
> ======================================================================
> Project:                    bacula
> Issue ID:                   1439
> Category:                   Director
> Reproducibility:            always
> Severity:                   major
> Priority:                   normal
> Status:                     closed
> Resolution:                 not fixable
> Fixed in Version:
> ======================================================================
> Date Submitted:             2009-12-22 10:07 UTC
> Last Modified:              2010-01-06 11:22 UTC
> ======================================================================
> Summary:                    IPv6 breaks WinBacula with Windows Advanced Firewall
> Description:
> Apparently, the various bacula components (dir, sd, fd) only listen on
> IPv4, but the Dir-FD connection tries to use (and fails) IPv6 if an AAAA
> record is present. The symptom is the error message:
>
> Fatal error: Authorization key rejected by Storage daemon.
> Please see
> http://www.bacula.org/en/rel-manual/Bacula_Freque_Asked_Questi.html#SECTION003760000000000000000 for help.
> Fatal error: Failed to authenticate Storage daemon.
> Fatal error: Bad response to Storage command: wanted 2000 OK storage
> , got 2902 Bad storage
>
>
> Suggested short-term solution: do not look up DNS AAAA records, only A
> records. Alternatively, check the type of address before using it (a
> related feature request would be to fully support IPv6 to begin with).
>
> What apparently happens:
>
> When bacula-dir tries to perform a backup of client problemclient.mydomain,
> the connection to the FD uses IPv6 (confirmed with Microsoft Network
> Monitor) several times.
>
> Eventually, bacula seems to switch to IPv4, and then in turn finally tries
> to establish the FD->SD connection also on IPv4. But this apparently takes
> too long, and by the time this happens, a timeout has occurred and the SD
> no longer accepts the connection.
>
> There are two workarounds (both often unacceptable in larger production
> environments):
>
> - Turn off the Windows Advanced Firewall. The reason this works is unknown;
>   I suspect that the IPv6 connection fails faster.
>
> - Create an alternate DNS name for each client that has only an A record,
>   but not an AAAA record.
>
> ======================================================================
>
> ----------------------------------------------------------------------
> (0004868) ebollengier (administrator) - 2009-12-23 12:35
> http://bugs.bacula.org/view.php?id=1439#c4868
> ----------------------------------------------------------------------
> I'm sorry, this is almost impossible to reproduce, the setup is too
> complex. Is it possible that you miss some firewall rules? It works when
> your firewall is disabled and not when it runs.
>
> ----------------------------------------------------------------------
> (0004875) Dan Langille (manager) - 2009-12-23 23:52
> http://bugs.bacula.org/view.php?id=1439#c4875
> ----------------------------------------------------------------------
> Eh? Your hostname has an AAAA record... why shouldn't Bacula try to use
> that?
> If you want Bacula to use a specific IP address, hardcode it in the
> conf file or create only an A record for a given hostname.
>
> I think you're trying to solve the 'problem' in the wrong way.
>
> ----------------------------------------------------------------------
> (0004876) kkeane (reporter) - 2009-12-24 03:23
> http://bugs.bacula.org/view.php?id=1439#c4876
> ----------------------------------------------------------------------
> Dan, to some extent you have a point. The proper solution would indeed be
> to enable IPv6 in the FD. BTW, I have to apologize - when I first wrote the
> bug report, I didn't realize that Linux bacula supported IPv6.
>
> However, there are still three separate issues that in my mind make this a
> bug:
> - The way bacula fails, and the error message, is extremely misleading.
> - The Windows FD does not support IPv6 (I believe that has been reported
>   elsewhere; I know it has been discussed in the mailing list).
> - The Linux bacula components do not by default listen on all interfaces.
>   Whether that is a bug or a feature request is admittedly arguable. At
>   least, it's highly unusual behavior for an IPv6-capable application.
>
>
> The Windows machine has an AAAA record because it really is a full IPv6
> server. Hardcoding the IP is not an option because all the client resources
> are autogenerated by a script, based on the DNS name.
>
>
> As you saw in the original report, one of the workarounds I suggested was
> to create an alternate DNS name with just an A record, but that is really
> just a kludge.
>
>
> ebollengier - sorry about the convoluted description. It's actually very
> simple.
>
> Create an IPv4/IPv6 network with a Windows 2008 server FD. Make sure you
> have DNS set up correctly with AAAA and A records. Make sure that your
> Linux box also has IPv6 turned on. All this is fairly straightforward
> standard; I'm sure your lab network has this setup already, since you guys
> developed the IPv6 code for bacula.
>
> In the bacula configuration, make sure you only use DNS names, not IP
> addresses.
>
> Turn OFF the Windows Advanced Firewall.
>
> Run a backup. This should succeed.
>
> Turn ON the firewall. Make sure all the firewall rules are set up correctly
> (inbound: allow port 9102. outbound: allow all connections).
>
> Run a backup. This will fail as described.
>
> BTW, I am positive the firewall rules are correct. I actually worked with
> Microsoft support to verify that, and the firewall log file confirms that
> both the connections on 9102 and 9103 are allowed.
>
> Hint: you may want to download/install Windows Network Monitor (a Microsoft
> tool). That confirmed that the inbound connection uses IPv6 initially, and
> that the connection on 9103 does not occur until right when the backup
> collapses.
>
> ----------------------------------------------------------------------
> (0004878) Dan Langille (manager) - 2009-12-24 12:24
> http://bugs.bacula.org/view.php?id=1439#c4878
> ----------------------------------------------------------------------
> You suggest that if both AAAA and A exist, use the A. Well, that's good,
> but then if someone wants us to use AAAA not A, we're in the same situation
> as you describe, but reversed.
>
> IIRC, we decided to use the AAAA if it exists.
>
> ----------------------------------------------------------------------
> (0004879) kkeane (reporter) - 2009-12-24 14:58
> http://bugs.bacula.org/view.php?id=1439#c4879
> ----------------------------------------------------------------------
> Dan, I see your point. Long term, I completely agree with you that the AAAA
> record should have priority. In the short term, the reversed situation you
> are concerned about isn't actually realistic. My situation caused a major
> failure. The reverse situation would merely cause a "geez, I wish it used
> IPv6, but at least bacula still works over IPv4".
>
> Fundamentally, the problem is that bacula has contradictory default values
> for machines with dual stacks:
>
> For listen:
> bacula uses IPv4 only. On Linux, you can explicitly enable IPv6. On
> Windows, IPv6 cannot be enabled at all.
>
> For connect:
> bacula uses IPv6 over IPv4 (as long as there is an AAAA record, at least).
>
> That's the mismatch that should be resolved.
>
>
> I looked at the source code to find out why IPv6 is disabled in Windows. I
> think one, possibly the only, reason is that relevant include files and
> structures in Windows have different names: instead of socket.h and in.h,
> Windows uses WinSock2.h. Windows also doesn't have a sockaddr_in6 structure
> as far as I can tell.
>
> Bacula's configure.in tries to determine if the platform supports IPv6 (and
> sets the macro HAS_IPV6) by looking only for the Unix files. I'm not sure
> if configure.in is used on Windows, but if it is, that may explain why IPv6
> is disabled.
>
> Of course there could be additional issues.
>
> ----------------------------------------------------------------------
> (0004894) kern (administrator) - 2010-01-06 11:22
> http://bugs.bacula.org/view.php?id=1439#c4894
> ----------------------------------------------------------------------
> IPv6 is turned off in Windows because the structures we need to make it
> work are not defined. Therefore IPv6 is not supported by our FD. As a
> consequence, if you are running with IPv6, you are likely to have problems.
>
>
> To the best of my knowledge by default Bacula listens on all interfaces
> contrary to what you say. However, I admit that may be different on
> Windows.
>
> It is possible that the IPv6 structures we need to make Bacula use IPv6 on
> Windows exist, but this would be a development project. None of the Bacula
> developers currently have IPv6 installed and working, so we count on
> contributed code to make it work.
>
> We will over the next 6 months to a year be significantly improving our
> support for Windows and will keep this project in mind, but it is not
> currently planned or funded. Patches or funding would be appreciated.
>
> Please note: I close this with "not fixable" only because bugs database is
> still broken. The real status of this is "Added to TODO list".
>
>
> Issue History
> Date Modified    Username       Field                    Change
> ======================================================================
> 2009-12-22 10:07 kkeane         New Issue
> 2009-12-23 12:35 ebollengier    Note Added: 0004868
> 2009-12-23 12:35 ebollengier    Status                   new => feedback
> 2009-12-23 23:52 Dan Langille   Note Added: 0004875
> 2009-12-24 03:23 kkeane         Note Added: 0004876
> 2009-12-24 12:24 Dan Langille   Note Added: 0004878
> 2009-12-24 14:58 kkeane         Note Added: 0004879
> 2010-01-06 11:22 kern           Note Added: 0004894
> 2010-01-06 11:22 kern           Status                   feedback => closed
> 2010-01-06 11:22 kern           Resolution               open => not fixable
> ======================================================================

_______________________________________________
Bacula-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-devel
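
The short-term suggestion discussed in this thread (make the address family used for outbound connections configurable instead of always taking the AAAA record, or check the type of address before using it) amounts to filtering and ordering the resolved addresses before connecting. The following is an added example, not Bacula's code and not part of the original message; the `af_policy` setting and its value names are hypothetical, and the addresses are constructed documentation-range values.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo() */
#endif
#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical setting; not an existing Bacula directive. */
enum af_policy { PREFER_V6, PREFER_V4, V4_ONLY, V6_ONLY };

/* Family of a numeric address string, or -1. AI_NUMERICHOST: no DNS query. */
static int numeric_family(const char *addr) {
    struct addrinfo hints = {0}, *res;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(addr, NULL, &hints, &res) != 0) return -1;
    int family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* 0 = try first, 1 = try second, -1 = never try under this policy. */
static int af_rank(int family, enum af_policy p) {
    if (family != AF_INET && family != AF_INET6) return -1;
    int is6 = (family == AF_INET6);
    switch (p) {
    case V4_ONLY:   return is6 ? -1 : 0;
    case V6_ONLY:   return is6 ? 0 : -1;
    case PREFER_V4: return is6 ? 1 : 0;
    default:        return is6 ? 0 : 1;  /* PREFER_V6, as in the report */
    }
}

/* Fill out[] (room for n) with indices into addrs[] in connect order,
 * keeping resolver order within a family. Returns how many will be tried. */
int order_candidates(const char *const *addrs, int n, enum af_policy p, int *out) {
    int count = 0;
    for (int pass = 0; pass <= 1; pass++)
        for (int i = 0; i < n; i++)
            if (af_rank(numeric_family(addrs[i]), p) == pass) out[count++] = i;
    return count;
}

int main(void) {
    /* Constructed documentation-range addresses standing in for AAAA + A. */
    const char *const addrs[] = { "2001:db8::10", "192.0.2.10" };
    int out[2], n = order_candidates(addrs, 2, PREFER_V4, out);
    for (int i = 0; i < n; i++) printf("%d. %s\n", i + 1, addrs[out[i]]);
    return 0;
}
```

With `V4_ONLY`, a client that listens only on IPv4 is never tried over IPv6, so the time spent on failed IPv6 attempts before the fallback described in the report does not occur.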
