
Redhat Server OSX Client - 'Connection Refused' problem



mattp52
March 15th, 2007, 04:26 PM
Hi,

I have an RPM install of Amanda 2.5.1p3 server successfully running on RedHat4. After some qualified domain woes reaching other hosts on the LAN I now have this resolved after installing and configuring dnsmasq. Now when I run amcheck DialySet1 I get this error output (otherwise the config appears normal):



WARNING: mac01: selfcheck request failed: Connection refused



I have compiled and configured a Mac OSX Amanda client following the directions here:

http://www.locnar.net/drupal/?q=node/16

but with the following differences:

I used the same source release for the client install as the server
I edited the shell script so the user created for amanda is called amandabackup not amanda (so same as server)
I edited the shell script so the server referenced is "morpheus". The resulting .amandahosts file contains this entry:


morpheus amandabackup amdump

The Amanda file for configuration of xinetd is as follows:


service amanda
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = amandabackup
group = operator
groups = yes
server = /usr/local/libexec/amandad
server_args = -auth=bsdtcp amdump
}


I used the following configure parameters when compiling the client:


./configure --with-user=amandabackup --with-group=operator --without-server --with-GNUTAR=/usr/local/xtar/xtar



The configuration of the RPM amanda server on RedHat is exactly as per the Quick Start Zmanda instructions here:
http://amanda.zmanda.com/quick-backup-setup.html

Any ideas where the mismatch is and what is causing this permissions issue? I wondered if the fact that the assigned group for the amanda user on the client is different from that on the server is significant? I'm not running a firewall on the client machine so I know that is not a factor.

The amcheck.debug log file contains the following output, indicating the server can't communicate with the client on these ports... any ideas?



amcheck-clients: time 10.036: connect_port: Try port 516: Available -
amcheck-clients: time 10.044: connect_portrange: connect from 0.0.0.0.516 failed: Connection refused
amcheck-clients: time 10.044: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to port in range 512-1023.
amcheck-clients: time 10.045: connect_port: Try port 1025: Available -
amcheck-clients: time 10.054: connect_portrange: connect from 0.0.0.0.1025 failed: Connection refused
amcheck-clients: time 10.054: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to any port: Connection refused
security_seterror(handle=0x9fe5e68, driver=0x4e6140 (BSDTCP) error=Connection refused)
security_close(handle=0x9fe5e68, driver=0x4e6140 (BSDTCP))
security_stream_close(0x9fe6698)
amcheck: pid 19536 finish time Fri Mar 16 13:55:10 2007


Hope someone can help and many thanks,
Matt

paddy
March 15th, 2007, 08:41 PM
1. Is the ip address of the client 192.168.2.11? amcheck is trying to
connect to this address?
2. Did you restart xinetd after changing xinetd configuration? Check if
xinetd configuration includes some other file that has "only_from" field
specified.

For more information on this error, see Amanda wiki (http://wiki.zmanda.com/index.php/Amcheck:_selfcheck_request_failed)

Hope this helps,
Paddy

dustin
March 16th, 2007, 07:06 AM
You may want to look at http://wiki.zmanda.com/index.php/Amanda_on_Mac_OS_X, which condenses documentation on Amanda for Mac OS X from a few sources, including locnar's. I have a few questions/suggestions.

Are you running Mac OS X Panther (10.3) or Tiger (10.4)? If Tiger, you'll need to add your service to launchd instead of xinetd (see the wiki page).

Once that's resolved, try running

netstat -ap | grep 10080
on the mac to see if it's listening on that port. You should see something like

udp4 0 0 *.10080 *.*

By default, the Mac firewall does not block any UDP packets, but this may be different in your configuration. Check the firewall settings (under 'Sharing' in System Settings). [EDITED TO ADD:] Note that the above netstat output will appear even if the firewall is blocking that port.

Unfortunately, with UDP, it's difficult to distinguish a failure to receive a packet from a successful receipt with a failure to reply. There are several reasons such a failure may occur. Check /tmp/amanda/amandad on the mac to see if amandad is creating any interesting logfiles.

Please post the results of the above, and we'll see where they point us.

mattp52
March 17th, 2007, 12:55 PM
Thanks for your replies guys - excellent information! I'm out of the office over the weekend so can't check server-client connectivity but have made changes to the OSX client. Basically, I've left my OSX amanda client users as "amandabackup" but made sure this user has group "wheel" access and appropriate permissions as per the wiki instructions. I then recompiled and installed from source using the basic configuration flags in the wiki instructions.

I edited the Username and ProgramArgument strings in the plist file to "amandabackup" and "/usr/local/libexec/amandad" and copied as per instructions.

launchctl gave the following message after running: "nothing found to load"

netstat -na | grep 10080 provided this output:
udp4 0 0 *.10080 *.*

So, no udp6 entry... is all this looking good to go so far or is something missing? BTW, I installed the client over top of the old install without deleting any part of the old install (if this might make a difference).

Thanks again, for your help,
Matt

mattp52
March 18th, 2007, 01:53 PM
OK back at work and unfortunately no luck. I built the OSX client from source as per Wiki with configure directives:

./configure --with-user=amandabackup --with-group=wheel

Then restarted the machine. Found no .debug file in /tmp/amanda so ran:

sudo launchctl load /Library/LaunchDaemons/org.amanda.amandad.plist

Response: "Nothing found to run".

Still no .debug file in /tmp/amanda. Also no output from "netstat -na | grep 10080".

Ran service xinetd restart then netstat command again and got:

udp4 0 0 *.10080 *.*

I guess this is picking up the original xinetd configuration I used before trying the OSX wiki notes used xinetd.

So, ran make uninstall and am deleting the "amandabackup" user on the client. Will try a clean reinstall on the OSX client as per the Wiki notes.

Couple of questions:
Does it matter that the amanda user on the client and server have different usernames (s:amandabackup, c:amanda)?
Does it matter that the amanda user on the client and server belong to different groups (s:disk, c:wheel)?
If I follow the RedHat QuickStart configuration here (http://wiki.zmanda.com/index.php/Quick_start) and the Wiki OSX client configuration for Tiger, should these configurations play together nicely?

mattp52
March 18th, 2007, 03:59 PM
OK, the clean install went well. I had to use a "-w" switch with launchctl load to get the amanda client to load successfully. Now the netstat grep shows correct results:

udp4 0 0 *.10080 *.*
udp6 0 0 *.10080 *.*

I'm still getting the same results when I run amcheck on the server though ("Connection refused"). No amandad.debug files are being generated on the client.

Installed a port scanner on the server machine and tried scanning a few ports to check status. :80 and others are working ok but with :10080 I get:

10080/tcp closed unknown

The client machine firewall is definitely disabled and I'm definitely hitting the IP address of the client.

As the server is running SELinux I also used "setenforce 0" to switch it into permissive mode just in case but made no difference.

Also tried substituting IP addresses in the client and server .amandahosts files (my LAN dns creates domains of the form hostname.domain - are these considered fully qualified/should they work with Amanda?).

I know the server is reaching the client because if I enable the client's firewall, amcheck hangs when trying to contact it and the client's firewall logs show:

ipfw: 12190 Deny TCP 192.168.2.5:516 192.168.2.11:10080 in via en1

Here is a full debug report from amcheck.debug



amcheck: debug 1 pid 3131 ruid 504 euid 0: start at Mon Mar 19 11:53:55 2007
amcheck: debug 1 pid 3131 ruid 504 euid 504: rename at Mon Mar 19 11:53:55 2007
security_getdriver(name=bsdtcp) returns 0x13e140
security_handleinit(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_streaminit(stream=0x95506b8, driver=0x13e140 (BSDTCP))
amcheck-clients: time 0.043: connect_port: Skip port 512: Owned by exec.
amcheck-clients: time 0.043: connect_port: Skip port 513: Owned by login.
amcheck-clients: time 0.043: connect_port: Skip port 514: Owned by shell.
amcheck-clients: time 0.044: connect_port: Skip port 515: Owned by printer.
amcheck-clients: time 0.044: connect_port: Try port 516: Available -
amcheck-clients: time 0.046: connect_portrange: connect from 0.0.0.0.516 failed: Connection refused
amcheck-clients: time 0.046: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to port in range 512-1023.
amcheck-clients: time 0.046: connect_port: Try port 1025: Available -
amcheck-clients: time 0.049: connect_portrange: connect from 0.0.0.0.1025 failed: Connection refused
amcheck-clients: time 0.049: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to any port: Connection refused
security_seterror(handle=0x954fe68, driver=0x13e140 (BSDTCP) error=Connection refused)
security_close(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_stream_close(0x95506b8)
changer_query: changer return was 25 1
changer_query: searchable = 0
changer_find: looking for NULL changer is searchable = 0
security_handleinit(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_streaminit(stream=0x95506b8, driver=0x13e140 (BSDTCP))
amcheck-clients: time 5.051: connect_port: Skip port 512: Owned by exec.
amcheck-clients: time 5.051: connect_port: Skip port 513: Owned by login.
amcheck-clients: time 5.051: connect_port: Skip port 514: Owned by shell.
amcheck-clients: time 5.051: connect_port: Skip port 515: Owned by printer.
amcheck-clients: time 5.052: connect_port: Try port 516: Available -
amcheck-clients: time 5.053: connect_portrange: connect from 0.0.0.0.516 failed: Connection refused
amcheck-clients: time 5.054: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to port in range 512-1023.
amcheck-clients: time 5.054: connect_port: Try port 1025: Available -
amcheck-clients: time 5.057: connect_portrange: connect from 0.0.0.0.1025 failed: Connection refused
amcheck-clients: time 5.057: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to any port: Connection refused
security_seterror(handle=0x954fe68, driver=0x13e140 (BSDTCP) error=Connection refused)
security_close(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_stream_close(0x95506b8)
security_handleinit(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_streaminit(stream=0x95506b8, driver=0x13e140 (BSDTCP))
amcheck-clients: time 10.058: connect_port: Skip port 512: Owned by exec.
amcheck-clients: time 10.058: connect_port: Skip port 513: Owned by login.
amcheck-clients: time 10.058: connect_port: Skip port 514: Owned by shell.
amcheck-clients: time 10.058: connect_port: Skip port 515: Owned by printer.
amcheck-clients: time 10.059: connect_port: Try port 516: Available -
amcheck-clients: time 10.061: connect_portrange: connect from 0.0.0.0.516 failed: Connection refused
amcheck-clients: time 10.061: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to port in range 512-1023.
amcheck-clients: time 10.062: connect_port: Try port 1025: Available -
amcheck-clients: time 10.064: connect_portrange: connect from 0.0.0.0.1025 failed: Connection refused
amcheck-clients: time 10.064: connect_portrange: connect to 192.168.2.11.10080 failed: Connection refused
amcheck-clients: stream_client: Could not bind to any port: Connection refused
security_seterror(handle=0x954fe68, driver=0x13e140 (BSDTCP) error=Connection refused)
security_close(handle=0x954fe68, driver=0x13e140 (BSDTCP))
security_stream_close(0x95506b8)
amcheck: pid 3131 finish time Mon Mar 19 11:54:05 2007

dustin
March 19th, 2007, 07:26 AM
Re: launchctl load -w -- this basically edits the .plist file in place to remove "disabled". It's a strange feature on Apple's part, but we might as well play along. I just edited the wiki to add it.

Re: mismatched usernames/groups: that should be fine, although it takes some thinking about which username should appear where. The .amandahosts should have the username from the *server* in it.

Re: compatibility of Linux and Mac OS X configurations -- that shouldn't cause any trouble at all.

Finally, it looks like you're using BSDTCP authentication, but the launchd script sets up for UDP/BSDUDP communication (specifically, it listens on UDP port 10080, not TCP port 10080). I suspect that just changing the dumptype to specify 'auth bsd' will get things working for you. I haven't gotten BSDTCP working with my mac just yet, but I haven't tried too hard, either.
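
The transport mismatch described in the post above (bsdtcp auth on the server, a UDP-only listener on the client) can be checked mechanically. This is an added example, not code from the thread or from the Amanda project; `auth_transport` and `listener_check` are hypothetical helper names, and the mapping assumes bsd/bsdudp make first contact over UDP and bsdtcp over TCP on port 10080.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -na` output on stdin and
# reports whether amandad is bound to the transport the auth scheme needs.

# Transport used for the initial request (assumed mapping, see lead-in).
auth_transport() {
    case "$1" in
        bsd|bsdudp) echo udp ;;
        bsdtcp)     echo tcp ;;
        *)          return 2 ;;
    esac
}

# listener_check AUTH [PORT]  (hypothetical helper; PORT defaults to 10080)
# Returns 0 on a match, 1 on a mismatch or no listener, 2 on unknown AUTH.
listener_check() {
    auth=$1
    port=${2:-10080}
    want=$(auth_transport "$auth") || { echo "unknown auth: $auth"; return 2; }
    awk -v want="$want" -v auth="$auth" -v port="$port" '
        # $1 is the protocol (udp4, tcp4, udp, tcp, ...); $4 is the local
        # address: "*.10080" on Mac OS X, "0.0.0.0:10080" on Linux.
        $4 ~ ("[.:]" port "$") {
            proto = substr($1, 1, 3)
            if (proto == "tcp" && $0 !~ /LISTEN/) next   # not a listener
            seen[proto] = 1
        }
        END {
            if (want in seen) { print "ok: " want " listener on port " port; exit 0 }
            other = (want == "tcp") ? "udp" : "tcp"
            if (other in seen) {
                print "mismatch: auth " auth " needs " want ", only " other " is bound to port " port
            } else {
                print "no listener on port " port
            }
            exit 1
        }'
}

# netstat lines as posted in the thread: only UDP is bound on the client.
THREAD_NETSTAT='udp4 0 0 *.10080 *.*
udp6 0 0 *.10080 *.*'
printf '%s\n' "$THREAD_NETSTAT" | listener_check bsdtcp || true
printf '%s\n' "$THREAD_NETSTAT" | listener_check bsd
```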

mattp52
March 19th, 2007, 12:52 PM
Interesting. Well my client .amandahosts file reads:



192.168.2.5 amandabackup amdump


And the disklist entry for the client reads:


192.168.2.11 /testamanda/another_dir comp-user-tar


No auth scheme was defined for this dumptype but the config notes suggest auth bsd is the default. After explicitly entering auth "bsd" for comp-user-tar I now get this when running amcheck:


ERROR: NAK 192.168.2.11: user amandabackup from morpheus is not allowed to execute the service noop: /Users/amanda/.amandahosts: incorrect permissions; file must be accessible only by its owner.


So chmod'ed .amandahosts to 600 - check completes successfully!

Many thanks to all of the above for their assistance.

dustin
March 19th, 2007, 01:20 PM
Indeed! As that error suggests, check the ownership on /Users/amanda/.amandahosts; it should be amanda:wheel, and perms should be rw------- (600).

mattieboh
August 4th, 2008, 07:16 AM
I'm trying to install Amanda on two Ubuntu 8.04 machines - one a server and the other a client. This is the tip that got me running, but I had a symbolic link from /var/backups/.amandahosts and once I did a chmod to 600 on the link, it works!
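
The .amandahosts requirements from the last posts (owner-only permissions, correct ownership, an entry naming the server-side user, and the symlink case) can be audited with one function. This is an added example, not code from the thread or from the Amanda project; `check_amandahosts` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_amandahosts FILE OWNER_UID SERVER_HOST SERVER_USER (hypothetical helper)
# Returns 0 only if FILE (or the target of a symlink) is a regular file owned
# by OWNER_UID, has no group/other permission bits, and lists
# "SERVER_HOST SERVER_USER" as the first two fields of some line.
check_amandahosts() {
    file=$1 uid=$2 host=$3 user=$4
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }

    # ls -L follows a symlink, so the target's mode and owner are judged.
    info=$(ls -ldLn -- "$file")
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')

    if [ "$owner" != "$uid" ]; then
        echo "wrong owner: uid $owner, expected $uid"; return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "incorrect permissions ($mode): run chmod 600"; return 1 ;;
    esac
    # The entry carries the user name from the *server* side.
    if ! awk -v h="$host" -v u="$user" \
            '$1 == h && $2 == u { ok = 1 } END { exit !ok }' "$file"; then
        echo "no entry for $user@$host"; return 1
    fi
    echo "ok"
}
```

Run it on the client as `check_amandahosts ~amanda/.amandahosts "$(id -u amanda)" morpheus amandabackup`, substituting the client account and server names in use.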