I am trying to set up BackupPC 3.0 on RHEL4 with Samba 3.0.10 and a
smbpasswd backend. It all seems to work finally (and very nicely, thank
you) but only if I make the SmbShareUserName a domain administrator or a
local administrator on the WinXPSP2 PC being backed up. For the life of
me I cannot do it with a domain Backup Operator as recommended in the
BackupPC Documentation:
"All Windows NT based OS (NT, 2000, XP Pro), are configured by default
to share the entire C drive as C$. This is a special share used for
various administration functions, one of which is to grant access to
backup operators. All you need to do is create a new domain user,
specifically for backup. Then add the new backup user to the built in
``Backup Operators'' group. You now have backup capability for any
directory on any computer in the domain in one easy step. This avoids
using administrator accounts and only grants permission to do exactly
what you want for the given user, i.e.: backup. Also, for additional
security, you may wish to deny the ability for this user to logon to
computers in the default domain policy."
Even though using a domain admin works (as I found after much struggle
with the other, as described below) I would like to understand where I
went wrong in the steps below. Maybe the documentation could be expanded
to spell out the method?
Thanks In Advance!
Bob Troester
-------------------------------------------------------------
To set up the backup operator, I defined in /etc/passwd:
backuppc:x:4001:4001:daemon:/dev/null:/sbin/nologin
and /etc/groups:
backupop:x:4001:backuppc
(And also set an entry for Domain Admins, see below:
domadm:x:4000:root)
I used 'smbpasswd -a backuppc' to create the samba account.
Then I mapped the unix group
net groupmap modify ntgroup='Backup Operators' unixgroup=backupop
And for good measure added the user to the group (though testing
indicated it was not necessary)
net rap groupmember add 'Backup Operators' backuppc
So when I run 'net groupmap list' I see
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> backupop
Domain Users (S-1-5-21-198012177-3693939546-3118393399-513) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-198012177-3693939546-3118393399-512) -> domadm
Domain Guests (S-1-5-21-198012177-3693939546-3118393399-514) -> -1
and "net rpc group members 'Backup Operators'" gives me
VTAGR\backuppc
(But "net rap groupmember list 'Backup Operators'" never shows
anything!)
I did find by experimentation that the 'net group' command does reflect
the entries in the /etc/group file without any need to do a 'net rap
groupmember add'. Also, the gid set in the /etc/passwd file seems to
have no influence on Windows group membership.
I temporarily allowed backuppc to log in to its home directory, turned
off the PC firewall, and for good measure added VTAGR\backuppc as a
Backup Operator on the PC, vtagrpc34.
But when I try a test as backuppc and with SmbShareName='C$',
SmbShareUserName='backuppc', then 'bin/BackupPC_dump -v -f vtagrpc34'
fails with these messages (after successfully pinging):
CheckHostAlive: returning 0.301
Running: /usr/bin/smbclient \\\\vtagrpc34\\C\$ -U backuppc -E -N -d 1 -c tarmode\ full -Tc - /Documents\ and\ Settings
full backup started for share C$
started full dump, share=C$
Xfer PIDs are now 1503,1502
xferPids 1503,1502
cmdExecOrEval: about to exec /usr/bin/smbclient \\\\vtagrpc34\\C\$ -U backuppc -E -N -d 1 -c tarmode\ full -Tc - /Documents\ and\ Settings
session setup failed: NT_STATUS_UNSUCCESSFUL
session setup failed: NT_STATUS_UNSUCCESSFUL
tarExtract: Done: 0 errors, 0 filesExist, 0 sizeExist, 0 sizeExistComp, 0 filesTotal, 0 sizeTotal
Got fatal error during xfer (No files dumped for share C$)
And the /var/log/samba/vtagrpc34.log contains messages like:
[2007/08/16 11:06:44, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
_net_sam_logon: user VTAGR\backuppc has user sid S-1-5-21-198012177-3693939546-3118393399-9002
but group sid S-1-5-32-551.
The conflicting domain portions are not supported for NETLOGON calls
So instead of groupmapping the builtin 'Computer Operators' group I
started over. First:
net groupmap delete ntgroup='Backup Operators'
And the association with unix group backupop is gone.
(However, even after the delete, VTAGR\backuppc still shows up as a
member in the same way as above!)
I continued by trying to create a domain group with the same RID:
net groupmap add ntgroup='Backup Operators' unixgroup=backupop rid=551
net rap groupmember add 'Backup Operators' backuppc
So at this point we have the groupmapping (excluding the uninteresting
ones):
Backup Operators (S-1-5-21-198012177-3693939546-3118393399-551) -> backupop
Backup Operators (S-1-5-32-551) -> -1
Domain Users (S-1-5-21-198012177-3693939546-3118393399-513) -> -1
Domain Admins (S-1-5-21-198012177-3693939546-3118393399-512) -> domadm
Domain Guests (S-1-5-21-198012177-3693939546-3118393399-514) -> -1
But when we re-test the output is:
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
And there is nothing in the samba vtagrpc34.log.
When I remove the VTAGR\backuppc from the PC, I get
Domain=[VTAGR] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_ACCESS_DENIED
When I add backuppc back in to vtagrpc34 as a local username I get the
same response.
After all the above, I tried making backuppc a member of the 'Domain
Admins' group in /etc/group - and BackupPC "just works," without any
local user entry in the client PC!
So I'm baffled, not knowing enough of the first principles to understand
what's going on. I've spent a lot of time on these 'Backup Operators'
since using that connection method seemed to be the easiest, least
invasive way to back up our 60+ PCs - but maybe rsync is better after
all, even if you have to install it on each PC!
Bob Troester
VT Agency of Agriculture, Food & Markets
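
A log check for the NETLOGON message quoted in the post above, as an added example that is not part of the original message: it compares the domain portions of the user SID and group SID that Samba reports and looks the group up in 'net groupmap list' output. The function and constant names are hypothetical; the sample input is copied from the output shown in the post.

```python
import re

# Samba's _net_sam_logon complaint; \s+ tolerates the mail client's line wraps.
LOGON_RE = re.compile(
    r"_net_sam_logon: user (?P<user>\S+) has user sid\s+(?P<usid>S-[\d-]+)"
    r"\s+but group sid (?P<gsid>S-[\d-]+)")
# One line of 'net groupmap list' output: NT name (SID) -> unix group
MAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$", re.M)

# Sample input copied from the output quoted in the post.
SAMPLE_LOG = r"""[2007/08/16 11:06:44, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon(766)
_net_sam_logon: user VTAGR\backuppc has user sid
S-1-5-21-198012177-3693939546-3118393399-9002
but group sid S-1-5-32-551.
The conflicting domain portions are not supported for NETLOGON calls"""
SAMPLE_MAP = """Backup Operators (S-1-5-32-551) -> backupop
Domain Users (S-1-5-21-198012177-3693939546-3118393399-513) -> -1
Domain Admins (S-1-5-21-198012177-3693939546-3118393399-512) -> domadm"""


def sid_domain(sid):
    """Domain portion of a SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def parse_groupmap(text):
    """Return {SID: (NT group name, unix group)} from 'net groupmap list'."""
    return {m["sid"]: (m["name"].strip(), m["unix"]) for m in MAP_RE.finditer(text)}


def find_conflicts(log_text, groupmap_text):
    """List logons whose user SID and group SID sit in different domains."""
    groups = parse_groupmap(groupmap_text)
    conflicts = []
    for m in LOGON_RE.finditer(log_text):
        if sid_domain(m["usid"]) == sid_domain(m["gsid"]):
            continue  # same domain portion: not the condition Samba rejects
        nt_group, unix_group = groups.get(m["gsid"], ("<unmapped>", "-1"))
        conflicts.append({"user": m["user"], "user_domain": sid_domain(m["usid"]),
                          "group_domain": sid_domain(m["gsid"]),
                          "nt_group": nt_group, "unix_group": unix_group})
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_LOG, SAMPLE_MAP):
        print("{user}: user SID in {user_domain}, group SID in {group_domain} "
              "({nt_group} -> {unix_group})".format(**c))
```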
_______________________________________________
BackupPC-users mailing list
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/