Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On 14/01/16 07:11, Andreas Piening wrote: > I wonder what the easiest / best way is to create a „read everywhere“ user on > ms windows to create backups with via CIFS / SMBFS. > > Ideally I would like to run a short .cmd script or do a couple of clicks to > give a local windows user (let’s assume ‚backuppc‘) full read access to > everything under c:\Users. Even better with write access to be able to > restore in place. > I know that I can enable inheritance for permissions in c:\Users and > overwrite all permissions on subfolders with the current one. But this would > also enable read for everyone for every user on other users profiles which I > don’t like. And even this does not work everywhere, even not with an > administrative account. I need to take ownership recursively in order to do > that and I don’t want to own other users files. > > Is there a better way? Isn't there a specific "Backup Operator" account on windows which has "super" permissions for exactly this reason? I'm not sure if that account will work over samba though? Regards, Adam -- Adam Goryachev Website Managers www.websitemanagers.com.au -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
> Am 14.01.2016 um 00:13 schrieb Adam Goryachev > : > > On 14/01/16 07:11, Andreas Piening wrote: >> I wonder what the easiest / best way is to create a „read everywhere“ user >> on ms windows to create backups with via CIFS / SMBFS. >> >> Ideally I would like to run a short .cmd script or do a couple of clicks to >> give a local windows user (let’s assume ‚backuppc‘) full read access to >> everything under c:\Users. Even better with write access to be able to >> restore in place. >> I know that I can enable inheritance for permissions in c:\Users and >> overwrite all permissions on subfolders with the current one. But this would >> also enable read for everyone for every user on other users profiles which I >> don’t like. And even this does not work everywhere, even not with an >> administrative account. I need to take ownership recursively in order to do >> that and I don’t want to own other users files. >> >> Is there a better way? > > Isn't there a specific "Backup Operator" account on windows which has > "super" permissions for exactly this reason? I'm not sure if that > account will work over samba though? > > Regards, > Adam At least not by that name, there is for example a „SYSTEM“ user which seems to have access everywhere. It doesn’t have a password and does not show up in the normal users list. Maybe it is possible to „enable“ this user so that the account can be used with CIFS / SMB to get access. Does anyone use SMB to backup the whole system drive or the /Users dir? Or is the only real option to install a rsyncd with cygwin or something like that? I’m trying to get backups with SMB working since I want to be as less intrusive to the clients as I can. Means: No additional software installed, no additional services. Just crating a share and that’s it. -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On Thu, Jan 14, 2016 at 8:43 AM, Andreas Piening wrote: > >> Isn't there a specific "Backup Operator" account on windows which has >> "super" permissions for exactly this reason? I'm not sure if that >> account will work over samba though? >> > At least not by that name, there is for example a „SYSTEM“ user which seems > to have access everywhere. It doesn’t have a password and does not show up in > the normal users list. Maybe it is possible to „enable“ this user so that the > account can be used with CIFS / SMB to get access. > Does anyone use SMB to backup the whole system drive or the /Users dir? Or is > the only real option to install a rsyncd with cygwin or something like that? > I’m trying to get backups with SMB working since I want to be as less > intrusive to the clients as I can. Means: No additional software installed, > no additional services. Just crating a share and that’s it. Backup Operator (and Administrator) are groups you can add to the user to give additional permissions. If you are in an Active Directory environment you would need to join the domain and have domain credentials, though. I'd recommend setting up rsync anyway because it does a better job of tracking renames, changed files with old timestamps, and deletions. -- Les Mikesell lesmikes...@gmail.com -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
> Am 14.01.2016 um 16:44 schrieb Les Mikesell : > > On Thu, Jan 14, 2016 at 8:43 AM, Andreas Piening > wrote: >> >>> Isn't there a specific "Backup Operator" account on windows which has >>> "super" permissions for exactly this reason? I'm not sure if that >>> account will work over samba though? >>> >> At least not by that name, there is for example a „SYSTEM“ user which seems >> to have access everywhere. It doesn’t have a password and does not show up >> in the normal users list. Maybe it is possible to „enable“ this user so that >> the account can be used with CIFS / SMB to get access. >> Does anyone use SMB to backup the whole system drive or the /Users dir? Or >> is the only real option to install a rsyncd with cygwin or something like >> that? >> I’m trying to get backups with SMB working since I want to be as less >> intrusive to the clients as I can. Means: No additional software installed, >> no additional services. Just crating a share and that’s it. > > Backup Operator (and Administrator) are groups you can add to the user > to give additional permissions. If you are in an Active Directory > environment you would need to join the domain and have domain > credentials, though. I'd recommend setting up rsync anyway because > it does a better job of tracking renames, changed files with old > timestamps, and deletions. > > -- > Les Mikesell > lesmikes...@gmail.com Oh you’re right, there is such a Group (the name is localized …). I added a local user to both groups: Administrator and Backup Operator but when I do a backup of a share for the folder c:\Users I still get NT_STATUS_ACCESS_DENIED for a lot of subfolders. This was the case in my test with the Windows 7 Pro machine in a workgroup, and again with the same machine added to a AD domain. Same behavior. -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On Thu, Jan 14, 2016 at 12:55 PM, Andreas Piening wrote: > >> >> Backup Operator (and Administrator) are groups you can add to the user >> to give additional permissions. If you are in an Active Directory >> environment you would need to join the domain and have domain >> credentials, though. I'd recommend setting up rsync anyway because >> it does a better job of tracking renames, changed files with old >> timestamps, and deletions. >> > > Oh you’re right, there is such a Group (the name is localized …). I added a > local user to both groups: Administrator and Backup Operator but when I do a > backup of a share for the folder c:\Users I still get NT_STATUS_ACCESS_DENIED > for a lot of subfolders. > This was the case in my test with the Windows 7 Pro machine in a workgroup, > and again with the same machine added to a AD domain. Same behavior. I don't know enough about windows to help more - and I've had trouble with that too. There is a difference between a local user and a domain user and the corresponding group mappings and there may be a setting that gives the local admin more access to shares. Or for the AD case you have to join the domain from the linux box. One thing that might not be obvious is that smbclient and smbtar used by backuppc will read your /etc/samba/smb.conf file and will pull things like the domain setting from there. If you have settings there intended for shares from the linux box they might not be what you need as a client. In any case you can connect manually with smbclient to check what you can access faster than waiting for a backup run to hit it. -- Les Mikesell lesmikes...@gmail.com -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On 14.01.2016 00:13, Adam Goryachev wrote: > On 14/01/16 07:11, Andreas Piening wrote: >> I wonder what the easiest / best way is to create a „read everywhere“ user >> on ms windows to create backups with via CIFS / SMBFS. >> >> Ideally I would like to run a short .cmd script or do a couple of clicks to >> give a local windows user (let’s assume ‚backuppc‘) full read access to >> everything under c:\Users. Even better with write access to be able to >> restore in place. >> I know that I can enable inheritance for permissions in c:\Users and >> overwrite all permissions on subfolders with the current one. But this would >> also enable read for everyone for every user on other users profiles which I >> don’t like. And even this does not work everywhere, even not with an >> administrative account. I need to take ownership recursively in order to do >> that and I don’t want to own other users files. >> >> Is there a better way? > > Isn't there a specific "Backup Operator" account on windows which has > "super" permissions for exactly this reason? I'm not sure if that > account will work over samba though? Additionally, isn't there something like junction points on windows that can not be read by an ordinary user? I seem to remember that there have been lists floating around on this mailing list with directories to exclude for the various windows versions. A list of failure messages encountered by you may help, btw. With kind regards Stefan Peter -- Any technology that does not appear magical is insufficiently advanced. ~ Gregory Benford -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On 15/01/16 06:12, Les Mikesell wrote: > On Thu, Jan 14, 2016 at 12:55 PM, Andreas Piening > wrote: >>> Backup Operator (and Administrator) are groups you can add to the user >>> to give additional permissions. If you are in an Active Directory >>> environment you would need to join the domain and have domain >>> credentials, though. I'd recommend setting up rsync anyway because >>> it does a better job of tracking renames, changed files with old >>> timestamps, and deletions. >>> >> Oh you’re right, there is such a Group (the name is localized …). I added a >> local user to both groups: Administrator and Backup Operator but when I do a >> backup of a share for the folder c:\Users I still get >> NT_STATUS_ACCESS_DENIED for a lot of subfolders. >> This was the case in my test with the Windows 7 Pro machine in a workgroup, >> and again with the same machine added to a AD domain. Same behavior. > I don't know enough about windows to help more - and I've had trouble > with that too. There is a difference between a local user and a > domain user and the corresponding group mappings and there may be a > setting that gives the local admin more access to shares. Or for the > AD case you have to join the domain from the linux box. One thing > that might not be obvious is that smbclient and smbtar used by > backuppc will read your /etc/samba/smb.conf file and will pull things > like the domain setting from there. If you have settings there > intended for shares from the linux box they might not be what you need > as a client. > > In any case you can connect manually with smbclient to check what you > can access faster than waiting for a backup run to hit it. > Isn't there also the "hidden" shares by default which are supposed to provide more access? I think it is C$ by default, which is the full c drive Again, I don't use smb for backups, but I'm hoping this does help you. Ultimately, you still won't be able to backup open files, so you might still want to consider an alternate backup solution which will provide better capability to backup all files (eg rsync + vshadow). Regards, Adam -- Adam Goryachev Website Managers www.websitemanagers.com.au -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles
On 2016-01-14 15:06, Stefan Peter wrote: > On 14.01.2016 00:13, Adam Goryachev wrote: >> On 14/01/16 07:11, Andreas Piening wrote: >>> I wonder what the easiest / best way is to create a „read everywhere“ >>> user on ms windows to create backups with via CIFS / SMBFS. >>> >>> Ideally I would like to run a short .cmd script or do a couple of >>> clicks to give a local windows user (let’s assume ‚backuppc‘) full >>> read access to everything under c:\Users. Even better with write >>> access to be able to restore in place. >>> I know that I can enable inheritance for permissions in c:\Users and >>> overwrite all permissions on subfolders with the current one. But >>> this would also enable read for everyone for every user on other >>> users profiles which I don’t like. And even this does not work >>> everywhere, even not with an administrative account. I need to take >>> ownership recursively in order to do that and I don’t want to own >>> other users files. >>> >>> Is there a better way? >> >> Isn't there a specific "Backup Operator" account on windows which has >> "super" permissions for exactly this reason? I'm not sure if that >> account will work over samba though? > > Additionally, isn't there something like junction points on windows > that > can not be read by an ordinary user? I seem to remember that there have > been lists floating around on this mailing list with directories to > exclude for the various windows versions. > > A list of failure messages encountered by you may help, btw. > > With kind regards > > Stefan Peter There may be some confusion in the difference between what NTFS/Windows supports and what is supported through CIFS/Samba and its protocols (which, I should note, differs from version to version.) For example, NTFS supports hard links and soft links -- though hard links show up simply as additional copies of the files, and soft links only work when using SMB2 or later (you'll get a permission error on earlier versions.) You're probably thinking of directory junctions, which are soft links, but newer versions of Windows also came with default directory junctions which by default are generally restricted to being opened only by the system account and local administrators. Unlike *nix symbolic directory links, a directory junction in Windows can have its own security settings (and routinely do, in this case) though a better practice is probably to back up the link itself and back up the data from its actual location. (The latter, at least, is possible via samba.) -- Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 ___ BackupPC-users mailing list BackupPC-users@lists.sourceforge.net List:https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki:http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/