
Amanda 2.4.0 - KERBEROS v4 SUPPORT NOTES

Note that kerberos 5 isn't supported.  [yet]

NOTE:  encrypted dumps are rumored not to work in the 2.4.0b4 beta
       release of amanda.  Hopefully they'll be fixed by the 2.4.0
       full release.

0. GETTING THE SOURCE FILES

The Kerberos-related Amanda source code is available in a separate,
export restricted, package.  US sites can follow the instructions in
KERBEROS.HOW-TO-GET on ftp.amanda.org in the /pub/amanda directory.

1. CONFIGURATION

The configure script defaults to:

#  define SERVER_HOST_PRINCIPLE "amanda"
#  define SERVER_HOST_INSTANCE  ""
#  define SERVER_HOST_KEY_FILE  "/.amanda"

#  define CLIENT_HOST_PRINCIPLE "rcmd"
#  define CLIENT_HOST_INSTANCE  HOSTNAME_INSTANCE
#  define CLIENT_HOST_KEY_FILE  KEYFILE

#  define TICKET_LIFETIME       128

You can override these with configure options if you so desire:

    --with-server-principal=ARG    server host principal  [amanda]
    --with-server-instance=ARG     server host instance   []
    --with-server-keyfile=ARG      server host key file   [/.amanda]
    --with-client-principal=ARG    client host principal  [rcmd]
    --with-client-instance=ARG     client host instance   [HOSTNAME_INSTANCE]
    --with-client-keyfile=ARG      client host key file   [KEYFILE]
    --with-ticket-lifetime=ARG     ticket lifetime        [128]

The configure script will automatically include kerberos support if you
followed the directions in step 0.  It searches /usr/kerberos/lib,
/usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib (in that order) for
libkrb.a.  If it finds it, kerberos support is compiled in; if it
doesn't, it isn't.  If the kerberos bits live under some other
hierarchy, point configure at it with --with-krb4=DIR, where DIR is the
top of that hierarchy; configure then looks for libkrb.a in the 'lib'
directory under DIR.

2. INSTALLATION

The kerberized Amanda service uses a different port on the client hosts.
The /etc/services line is:

    kamanda      10081/udp

And the /etc/inetd.conf line is:

    kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -krb4

Note that you're running this as root, rather than as your dump user.
Amanda will set its uid down to the dump user at times it doesn't need
to read the srvtab file, and give up root permissions entirely before
it goes off and runs dump.  Alternatively, you can change your srvtab
files to be readable by user amanda.

3. CONF FILE

With KRB4_SECURITY defined, there are two new dumptype options:

	krb4-auth	use krb4 auth for this host
			(you can mix krb4 hosts and bsd .rhosts hosts in
			one conf)
	kencrypt	encrypt this filesystem over the net using the krb4
			session key.  About 2x slower.  Good for those root
			partitions containing your keyfiles.  Don't want to
			give away the keys to an ethernet sniffer!
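As an added illustration, not part of the original notes or of the Amanda distribution, here is how the two options might be combined in an amanda.conf dumptype, with a second dumptype still using plain bsd .rhosts auth in the same file, and a matching disklist fragment.  The dumptype names, host names and disks are made up, and the "option yes" spelling is assumed to be what the 2.4.0 conf parser accepts:

```conf
# amanda.conf (constructed example, not from the Amanda distribution)

# Root partition on a host that keeps Kerberos key files on it:
# authenticate with krb4 and encrypt the dump stream with the session
# key, so the keyfiles never cross the wire in the clear.
define dumptype root-krb4 {
    comment "root partition, krb4 auth, encrypted on the wire"
    program "DUMP"
    compress client fast
    priority high
    krb4-auth yes       # krb4 instead of .rhosts for this host
    kencrypt yes        # encrypt with the krb4 session key (about 2x slower)
}

# Ordinary user data on a host without kerberos: bsd .rhosts auth,
# no encryption.  Both mechanisms coexist; the choice is per dumptype,
# and therefore per host/disk line in the disklist.
define dumptype user-bsd {
    comment "user data, .rhosts auth, no encryption"
    program "DUMP"
    compress client fast
    priority medium
}

# disklist (constructed): host  disk  dumptype
#   kdc.example.com         /      root-krb4
#   fileserver.example.com  /home  user-bsd
```

The kerberized client side of root-krb4 must also have the kamanda service and the amandad -krb4 inetd line from section 2 in place, or the server's krb4 requests will go unanswered.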
