[OpenAFS] Re: amanda-afs, authentication, and permissions

Andrew Deason adeason@sinenomine.net
Tue, 2 Nov 2010 16:27:24 -0500

On Tue, 2 Nov 2010 17:07:20 -0400
"Lewis, Dave" <LEWIS@NKI.RFMH.ORG> wrote:

> Hi,
> We would like to back up our OpenAFS cell using the latest version of
> AMANDA. I got amanda-afs from the amanda wiki and a patch for compiling
> it from 
> http://www.mail-archive.com/openafs-info@openafs.org/msg17714.html 
> I'm not sure how to handle authentication and permissions. Since we're
> using Kerberos 5 for OpenAFS authentication, I figured that I should use
> the "krb5" authentication type in amanda. I can't get that working.
> Before I ask an amanda user group I wanted to double-check and ask you
> guys: 
> 1. Do I really need the "krb5" authentication for AFS backups with
> amanda?
> 2. How would the amanda backup user (amandabackup) have permissions to
> read all of the files to back them up?

It's been around 5 years since I looked at amanda-afs[1], so my
information may be old, but it looks like it hasn't really changed since
then. From what I recall, it runs "vos dump -localauth" to get AFS data,
so you need to run it as root on a machine with a KeyFile.

I'm not sure if that means you need to run all of Amanda itself as root,
since IIRC amanda-afs runs as a GNU tar wrapper, so just the 'tar'
command needs to be run as root; I don't remember what capabilities
amanda has for such privilege separation.

Amanda actually has some kind of plugin architecture these days,
though... I'd expect if you ask the Amanda people about this, they'd
suggest writing a real plugin to interface to AFS.

[1] I also remember I only looked at amanda-afs long enough to realize I
didn't want to use it, and used the native AFS backup system instead.
The fact that the native AFS backup system was my alternative should
show that I really didn't like amanda-afs as implemented at the time :)

Andrew Deason