Koozali.org: home of the SME Server

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #30 on: May 16, 2007, 04:06:09 PM »
Quote from: "Brenno"


1.) I have two jobs configured, "prodbox" and "myprodsrv".  I think this is because I followed both the Quick Start Example and the Configuration sections in the wiki, which apparently results in building two separate jobs!  How do I safely remove one of those jobs?


You are right, using different job names  in the examples is confusing. I have fixed that.
To delete a job run:
Code: [Select]
# affa --delete-job JOB
(see: http://wiki.contribs.org/Affa#Usage_and_command_line_options)

Quote from: "Brenno"

2.) I received a notice mail from the source server saying "serviceControl: Couldn't system(/etc/rc.d/rc7.d/S85httpd-e-smith, restart):
Couldn't restart httpd-e-smith at /etc/e-smith/events/actions/restart-httpd-full line 45." and now I can't get into the server-manager.  Is this coincidental?


I don't think, that this was caused by Affa. Affa does not start/stop httpd services on the source.
Your source server is a SME6 and on SME6 the httpd-admin often crashes. Try (if needed serveral times)
Code: [Select]
# /etc/rc.d/init.d/httpd-admin restart
# /etc/rc.d/init.d/httpd-e-smith restart

markseymour

keys sent successfully to prod box, but affa can't connect
« Reply #31 on: May 17, 2007, 03:21:03 AM »
Michael,

Any ideas on this?  (I assume it really has nothing to do with Affa, but with ssh config)

Thanks,

Mark
------------------------------------------
snips from /var/log/affa:

Wed May 16 20:28:13[START.4459]: Running /sbin/e-smith/affa --send-keys --job=mail3prod
Wed May 16 20:28:13[send keys.4459]: Generating DSA keys...
Wed May 16 20:28:18[send keys.4459]: Successfully created DSA key pair.
Wed May 16 20:28:26[send keys.4459]: DSA keys sent to 192.168.111.1
Wed May 16 20:28:26[send keys.4459]: Done.

Wed May 16 21:05:37[mail3prod.4511]: Starting job (192.168.111.1,scheduled)
Wed May 16 21:05:37[mail3prod.4511]: Description: Primary mailserver backup
Wed May 16 21:05:37[mail3prod.4511]: Shifting backup archives...
Wed May 16 21:05:37[mail3prod.4511]: Nothing to be done.
Wed May 16 21:05:37[mail3prod.4511]: Checking connection to 192.168.111.1
Wed May 16 21:05:37[mail3prod.4511]: Exec Cmd: /usr/bin/ssh -p 22 -o ConnectTime
out=120 -o PasswordAuthentication=no -q 192.168.111.1 true
Wed May 16 21:05:37[mail3prod.4511]: Exec Out: exitstatus=255
Wed May 16 21:05:37[mail3prod.4511]: Error: No response from host 192.168.111.1.
 Did you send the public key?

-------------------------------------------------

[root@sme2 ~]# db affa show mail3prod
mail3prod=job
    ConnectionCheckTimeout=120
    Debug=yes
    Description=Primary mailserver backup
    DiskSpaceWarn=strict
    EmailAddresses=admin,admin@192.168.111.1
    Include[0]=/opt/roundcube/config/main.inc.php
    Include[1]=/opt/roundcube/config/db.inc.php
    RPMCheck=yes
    RootDir=/var/affa
    SMEServer=yes
    TimeSchedule=0030,0730,1130,1330,1730,2030
    Watchdog=yes
    dailyKeep=7
    doneDaily=2007136
    doneMonthly=200705
    doneWeekly=200719
    doneYearly=2007
    localNice=0
    monthlyKeep=12
    remoteHostName=192.168.111.1
    remoteNice=0
    rsync--inplace=yes
    rsyncCompress=yes
    rsyncTimeout=900
    scheduledKeep=2
    status=enabled
    weeklyKeep=4
    yearlyKeep=2
[root@sme2 ~]#

markseymour

Re: keys sent successfully to prod box, but affa can't conne
« Reply #32 on: May 17, 2007, 03:25:04 AM »
Quote from: "markseymour"
Michael,

Any ideas on this? <snip...>

I should have mentioned, both servers are recent installs updated to 7.1.3.

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: keys sent successfully to prod box, but affa can't conne
« Reply #33 on: May 17, 2007, 04:54:10 PM »
Quote from: "markseymour"
Michael,

Any ideas on this?  (I assume it really has nothing to do with Affa, but with ssh config)


What  happens, when you run
Code: [Select]
ssh 192.168.111.1 true; echo $?
on the Affa server?

markseymour

Re: keys sent successfully to prod box, but affa can't conne
« Reply #34 on: May 17, 2007, 10:27:59 PM »
Quote from: "mweinber"


What  happens, when you run
Code: [Select]
ssh 192.168.111.1 true; echo $?
on the Affa server?

Here's what happens:
Code: [Select]
[root@sme2 ~]# ssh 192.168.111.1 true; echo $?
root@192.168.111.1's password:
0
[root@sme2 ~]#

The '0' is returned after I enter the root password.
I don't know what the above tells you, but just out of
curiosity I also did the following:
Code: [Select]
[root@sme2 ~]# ssh 192.168.111.1 false; echo $?
root@192.168.111.1's password:
1
[root@sme2 ~]#

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
Re: keys sent successfully to prod box, but affa can't conne
« Reply #35 on: May 17, 2007, 11:02:47 PM »
Quote from: "markseymour"

The '0' is returned after I enter the root password.


This indicates, that the public key was not sent properly for some reason. Do it again:
Code: [Select]
affa --send-keys 192.168.111.1
then run again
Code: [Select]
ssh 192.168.111.1 true; echo $?
You now should not be asked for a password.

Quote from: "markseymour"

just out of curiosity I also did the following:

Well, you've got to know two new unix commands ;-), see 'man true' and 'man false'

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #36 on: May 18, 2007, 12:25:59 AM »
Michael,

Thanks for your replies, and for your terrific work in making Affa.  Obviously, I don't understand much detail of the problem, but I'm trying to learn, and below are some possible clues (if I'm looking in some of the right places).

So, I did as you said:
Code: [Select]
[root@sme2 ~]# affa --send-keys 192.168.111.1
root@192.168.111.1's password:
DSA keys sent to 192.168.111.1
[root@sme2 ~]# ssh 192.168.111.1 true; echo $?
root@192.168.111.1's password:
0
[root@sme2 ~]#

So it seems that my affa box sees a successful sending of keys, but my prod box is silently not accepting a DSA key login?

In Server Manager on the prod box under Security | Remote Access | Secure Shell Settings, I have all along had the following settings:
__Secure shell access:  Allow access only from local networks
__Allow admin. CL access over secure shell:  Yes
__Allow secure shell access using standard passwords:  Yes

Just now, hoping to thunk some new behaviour out of the system, I changed the last one (std. pw) to:  No
and then tried again:
Code: [Select]

[root@sme2 ~]# ssh 192.168.111.1 true; echo $?
Permission denied (publickey).
255


Is that saying that a key-based login has been denied?

In /root/.ssh/known_hosts on my prod box, I see an entry for my affa box:
Code: [Select]
192.168.111.2 ssh-rsa AAAAB3NzaC1y....etc
but nothing about ssh-dsa.  Should I?  
And in /root/.ssh/authorized_keys2 (there is no file called 'authorized_keys'), I see 3 copies of:
Code: [Select]
ssh-dss AAAAB3NzaC1kc3M....etc   root@sme2

Does any of this help?  What else can I provide? Of course you are welcome to tell me to resolve my ssh problems elsewhere, and come back if I need any help with Affa :?

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #37 on: May 18, 2007, 09:58:30 AM »
Quote from: "markseymour"

So it seems that my affa box sees a successful sending of keys, but my prod box is silently not accepting a DSA key login?


yes, looks like, that something is messed up. Best thing to do is to start from the scratch:

 - on the source server set Secure Shell Settings to  Allow access only from local networks, Yes, Yes
 - on the source server delete the file /root/authorized_keys2
 - on the Affa server delete the files /root/id_dsa and /root/id_dsa.pub
 - on the Affa server: affa --send-keys --job=mail3prod

Now compare the files /root/id_dsa.pub on the Affa server with the file /root/authorized_keys2 on the source server. They must be identical and you  should ssh log in the source server from the Affa server without being asked for a password.

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #38 on: May 18, 2007, 04:41:32 PM »
Quote from: "mweinber"


yes, looks like, that something is messed up. Best thing to do is to start from the scratch:

 - on the source server set Secure Shell Settings to  Allow access only from local networks, Yes, Yes
 - on the source server delete the file /root/authorized_keys2
 - on the Affa server delete the files /root/id_dsa and /root/id_dsa.pub
 - on the Affa server: affa --send-keys --job=mail3prod

Now compare the files /root/id_dsa.pub on the Affa server with the file /root/authorized_keys2 on the source server. They must be identical and you  should ssh log in the source server from the Affa server without being asked for a password.


Ok, I have done exactly as you said, but I still get the same result.

On the source server, I verified Allow access was back to only from local networks, Yes, Yes, then:
Code: [Select]
[root@mail3 ~]# rm .ssh/authorized_keys2
rm: remove regular file `.ssh/authorized_keys2'? y
[root@mail3 ~]# ls .ssh
config  known_hosts

On the Affa server:
Code: [Select]
[root@sme2 ~]# ls .ssh
config  id_dsa  id_dsa.pub  known_hosts
[root@sme2 ~]# rm .ssh/id_dsa*
rm: remove regular file `.ssh/id_dsa'? y
rm: remove regular file `.ssh/id_dsa.pub'? y
[root@sme2 ~]# affa --send-keys --job=mail3prod
Generating DSA keys...
Successfully created DSA key pair.
root@mail3.guildassociates.com's password:
DSA keys sent to mail3.guildassociates.com
[root@sme2 ~]#

I compared the files with diff after copying with scp.

but, then on the Affa server I still get:
Code: [Select]
[root@sme2 ~]# ssh 192.168.111.1 true; echo $?
root@192.168.111.1's password:
0
[root@sme2 ~]#

I'll try it going the other direction now.....  

To do that I copied and munged the two 'Exec Cmd:' command strings from end of /var/log/affa on the affa server, (the ssh-keygen, and the cat id_dsa.pub piped to ssh) to the source server (from one Putty screen to the other).  The result is that a key-based login works fine going from source server to Affa server; no password requested:
Code: [Select]
[root@mail3 ~]# ssh 192.168.111.2 true; echo $?
0
[root@mail3 ~]#
[root@mail3 ~]# ssh sme2.guildassociates.com true; echo $?
0
[root@mail3 ~]#

ok, now this is getting deep for me.... :x

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #39 on: May 18, 2007, 07:15:44 PM »
Michael,

I think I've unintentionally hijacked your thread with my ssh difficulties.  I see there are some public key type threads in the old 'Experienced Users' forum which is closed to new posts (although if I understand correctly, I could reply to an existing thread).  Also, I see one called 'public key ssh' in the current 'SME Server 7.x' forum.  

Unless you say otherwise, I think I should search the fora a bit more, and if I don't see this addressed, then I should post this issue as a reply in 'public key ssh' in the current 'SME Server 7.x' forum, and ask an admin to move most of our exchange thus far over there.

Just trying to not be a pain in the @$$  :wink:

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #40 on: May 18, 2007, 10:39:03 PM »
But, before I leave....

I just thought to check whether sshd on the source server has anything to say about why it is not authenticating the session.
Code: [Select]
From /var/log/sshd/current on the source server:
@40000000464ceabb21dec4cc Authentication refused: bad ownership or modes for directory /root
@40000000464ceabb21e0b8cc Failed publickey for root from 192.168.111.2 port 33059 ssh2
@40000000464ceac236c775dc Accepted password for root from 192.168.111.2 port 33059 ssh2

So I will try to learn about ownership and modes as they relate to authentication of a key-based ssh login to a remote host.  Any further feedback would be appreciated.

Thanks,

Mark

Offline soprom

  • *
  • 589
  • +0/-0
    • www.logiciel-libre.org
[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #41 on: May 18, 2007, 10:39:53 PM »
I've tested this contrib on a few systems and it is just great!
If you read this post wondering which backup software to use on SME7, this is the one. If you're not familiar with WinSCP, it's now or never, it's worth it!

Although SME7 implies to manage the system from the GUI and this contrib has no GUI, it is simple and straightforward to use.

The main features in my perspective are the possibility to setup a backup machine ready to take over, and to very easily recover full or part of the system.

Many thanks for this excellent piece of software and for you ingenuity!
Sophie from Montréal

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #42 on: May 19, 2007, 03:25:41 AM »
Michael,

Key-based ssh login works now.
Quote from: "markseymour"

Code: [Select]
From /var/log/sshd/current on the source server:
@40000000464ceabb21dec4cc Authentication refused: bad ownership or modes for directory /root



A friend suggested the next logical question -- 'so what are the permissions of the /root directory?'

The answer seems pretty troubling to me:
Code: [Select]
[root@mail3 ~]# ls -ld /root
dr-x------  7 alias qmail 4096 May 18 10:23
[root@mail3 ~]#

Although I have referred in this thread to my 'production server' it is actually a test server which I had intended to bring online as a replacement for my current Windows mail server after I established a backup configuration.  I have tested various contribs on this server, and I have to wonder if one of them changed the permissions of the /root directory.  I doubt that is the case, but I certainly am not aware of how I could have changed them to alias:qmail myself.  In any case, setting them like this:
Code: [Select]

[root@mail3 ~]# chown root:root /root
[root@mail3 ~]# ls -ld /root
dr-x------  7 root root 4096 May 18 10:23 /root
[root@mail3 ~]#

fixed the key-based ssh login problem.  

I will probably start clean with my source server and not do any testing of contribs on it once it is a production server.

My Affa server has now completed a test backup of my source server.  

Next message:  A quick report of my initial Affa use.

markseymour

[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #43 on: May 19, 2007, 03:56:57 AM »
Brief initial 'casual test' of Affa (i.e. not a thorough test)

Source server is offline, Affa server is up as the test replacement of the source server after performing an
Code: [Select]
[root@sme2 ~]# affa --rise mail3prod
I've tested IMAP email access to the 'risen' server, as well as root ssh login, and server-manager access including the contributed panels User Panel and Email WBL.  

User Panel access appeared not to work correctly.  I logged into https://mail3.guildassociates.com/user-manager on the 'risen' Affa-mail3 server and no user options were shown.  In server-manager under User Panel Access I see that the correct delegated access item checkboxes are 'checked', so I selected the 'Modify' button, and refreshed the browser pointed at user-manager.  Now the options are shown.

Now a problem... seems I can't undo the rise.  On the 'risen' Affa server, now self identified as mail3:
Code: [Select]
[root@mail3 ~]# affa --undo-rise
Error log:
Fri May 18 21:01:01[START.5267]: Running /sbin/e-smith/affa --undo-rise
Fri May 18 21:01:01[undo-rise.5267]: Error: No server base backup found.
Fri May 18 21:01:01[undo-rise.5267]: Exiting. <<<
Affa exited with errors.

Offline m

  • ****
  • 276
  • +0/-0
  • Peet
[ANNOUNCEMENT] Turn SME7 into a dedicated backup server
« Reply #44 on: May 19, 2007, 06:38:10 PM »
Quote from: "markseymour"

So I will try to learn about ownership and modes as they relate to authentication of a key-based ssh login to a remote host.  Any further feedback would be appreciated.


Mark, although this is not an Affa issue, you are welcome to add a note to the Affa wiki page. This may point other users to right direction, if they are running into the same problem.