On 8/6/21 6:46 PM, Robert Earl wrote:
OK Bacula Pros:
So I looked into the link provided about openssl and discovered that I had reversed the order in my .pem file, putting the public CERT first and the private KEY second. I noticed that another client fd had not been victim to the same error. So I regenerated the PEM for the offending fd.

My next step was to do a quick backup and restore of aten to prove it was now decryptable. However, a funny thing happened on the way to the forum. First I tested matthew to prove it was also decryptable with no configuration changes. The restore job went fine, until:
aten-sd JobId 3747: Elapsed time=00:00:03, Transfer rate=466  Bytes/second
matthew-fd JobId 3747: Warning: attribs.c:91 Cannot change owner and/or group of /tmp/restore/etc/sysconfig: ERR=Operación no permitida 133 -1
matthew-fd JobId 3747: Error: attribs.c:119 Unable to set file owner /tmp/restore/etc/sysconfig/sshd: ERR=Operación no permitida
Which is logical, because my bacula processes run unprivileged, but highly undesirable, because it seems to imply that any large-scale restore will end up owned by bacula:bacula entirely, and I will need to guess the owner/group of each file? Or for a proper restore do I need to each time swap my configuration with a root-privileged fd service?


I suppose it depends on what you want to back up, but most of the time bacula-fd needs to run as root. If it does not, then it won't be able to back up other users' or root-only files or directories.



Second unrelated snag: a "quick backup" of my server is not in the cards, because since the last successful Full ran on 3 August and the last successful Incremental ran on the 5th, I've been receiving this warning:
aten-dir JobId 3750: No prior Full backup Job record found.
aten-dir JobId 3750: No prior or suitable Full backup found in catalog. Doing FULL backup.
aten-dir JobId 3750: Start Backup JobId 3750, Job=aten-Backup.2021-08-06_15.34.17_30
And the director goes on his merry way completely preventing me from doing the incremental at all. And there are plainly Full backup jobs listed in Baculum, so how can the Director be disagreeing with my view of reality?

Sincerely,
Robert

On Fri, Aug 6, 2021 at 5:30 AM Heitor Faria <hei...@bacula.com.br> wrote:

        Greetings, Bacula User Types! Long time no see!

    Hello Robert!

        Because I am in the throes of doing many dangerous maintenance
        tasks on my server, I took the liberty of testing a few
        restores of critical files. I was unsurprised to find that
        they all failed.

        aten-sd JobId 3746: Ready to read from volume "Vol0160" on
        File device "FileStorage" (/backup).
        aten-sd JobId 3746: Forward spacing Volume "Vol0160" to
        addr=7999614780
        aten-sd JobId 3746: Elapsed time=00:00:01, Transfer rate=2.608
        K Bytes/second
        aten-fd JobId 3746: Error: openssl.c:68 Encryption session
        provided an invalid symmetric key: ERR=error:0407109F:rsa
        routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error
        aten-fd JobId 3746: Error: openssl.c:68 Encryption session
        provided an invalid symmetric key: ERR=error:04065072:rsa
        routines:rsa_ossl_private_decrypt:padding check failed
        aten-fd JobId 3746: Error: openssl.c:68 Encryption session
        provided an invalid symmetric key: ERR=error:0607A082:digital
        envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
        aten-fd JobId 3746: Error: restore.c:764 Failed to initialize
        decryption context for /tmp/restore/etc/bind/bind.keys

        Now, the configuration docs say nothing about me needing to
        modify config, as long as I have not lost keys, zorched the
        whole system, etc.

    This guy had the same error:
    
    <https://stackoverflow.com/questions/39228128/cant-decrypt-rsa-data-with-open-ssl>

        The troubleshooting docs, I must remark, are wafer-thin
        compared to the complexity of this enterprise software
        application. I did a simple Ctrl-F "crypt" and found no
        mention at all, not even in this section
        
<https://www.bacula.org/9.6.x-manuals/en/problems/Testing_Your_Tape_Drive_Wit.html#SECTION00431000000000000000>...
        I cranked up verbosity and debugging on bacula-dir

    The encryption tasks are performed by the bacula-fd.

        and ran it in the foreground as prescribed, but there is no
        extra logging anywhere that I can find (since Bacula refuses
        to conform to the FHS Filesystem Hierarchy Standard, and I had
        old versions from Ubuntu's repos, Bacula and its disused
        detritus is spreadeagled all over my filesystem like a drunken
        octopus.)

    I don't think Bacula directory setup is related to your problem.

        So I must throw myself upon the mercy of the community to
        debug this. Thanks.

    We like you, but the openssl community might be more qualified to
    answer your question.

    Regards,
--
    MSc Heitor Faria (Miami/USA)
    Bacula LATAM CEO
    mobile1: + 1 909 655-8971
    mobile2: + 55 61 98268-4220
    LinkedIn <https://www.linkedin.com/in/msc-heitor-faria-5ba51b3>
    América Latina
    bacula.lat <http://bacula.lat> | bacula.com.br <http://www.bacula.com.br>




_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
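
The PEM problem discussed in this thread can be checked before a restore is needed. The script below is an added example, not part of the original messages and not Bacula's own tooling: it reports the block order of a combined key and certificate file and whether the private key actually belongs to the certificate. It assumes the `openssl` CLI is installed; the function names, verdict strings and sample file names are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a combined private-key + certificate PEM file.
# Assumes the openssl CLI is on PATH; all names below are illustrative.

# Labels of the PEM blocks in file order, e.g. "PRIVATE KEY CERTIFICATE".
pem_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Public key (PEM) derived from the private key block, wherever it sits.
pub_from_key() {
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1" |
        openssl pkey -pubout 2>/dev/null
}

# Public key (PEM) embedded in the certificate block.
pub_from_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" |
        openssl x509 -pubkey -noout 2>/dev/null
}

# Prints one verdict: ok | cert-first | mismatch | incomplete
check_keypair_pem() {
    k=$(pub_from_key "$1") || k=
    c=$(pub_from_cert "$1") || c=
    if [ -z "$k" ] || [ -z "$c" ]; then echo incomplete; return 0; fi
    if [ "$k" != "$c" ]; then echo mismatch; return 0; fi
    case "$(pem_order "$1")" in
        CERTIFICATE*) echo cert-first ;;   # the order described in the thread
        *)            echo ok ;;
    esac
}

# Constructed sample input: throwaway self-signed pairs written to directory $1.
make_samples() {
    for n in a b; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$n.key" 2>/dev/null
        openssl req -new -x509 -key "$1/$n.key" -subj "/CN=sample-$n" -days 1 -out "$1/$n.crt" 2>/dev/null
    done
    cat "$1/a.key" "$1/a.crt" > "$1/good.pem"      # key first, then certificate
    cat "$1/a.crt" "$1/a.key" > "$1/reversed.pem"  # certificate first
    cat "$1/b.key" "$1/a.crt" > "$1/mismatch.pem"  # key from a different pair
    cp "$1/a.crt" "$1/certonly.pem"                # no private key block
}

# When called with a file argument, print the verdict for that file.
if [ -n "${1:-}" ]; then check_keypair_pem "$1"; fi
```

A `mismatch` verdict means data encrypted to that certificate cannot be decrypted with the key stored beside it, which is worth knowing before the backups are needed.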