[SOLVED] After syncing to a new datastore: backup owner check failed (pve-user@pbs != backup@pam)

Cookiefamily

Hi,

I wanted to switch to a new datastore (store02) (on different disks) so did the following:
  1. Add a second datastore to the pbs server (store02)
  2. Added a remote with localhost and the store02 datastore
  3. Ran a sync from store01 to the "remote" localhost:store02
  4. Removed store01
  5. Modified the Permissions for the pve-user@pbs to allow access to store02
  6. In PVE removed the store01 datastore
  7. In PVE added a new datastore for store02
  8. Modified Backup Task to point to the new datastore.
Now I no longer see any backups in PVE in the "Content" tab of the datastore. When I try to run backups, I receive the following:
VM 100 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (pve-user@pbs != backup@pam)
I kept the user at the pbs-side the same, what exactly is happening here? Shouldn't the permissions be carried over?
 
Perhaps a quick search on the forum? There is plenty of info about this problem:
https://forum.proxmox.com/threads/backups-multi-pbs-replications.76514/#post-340732

The problem is that sync does not use the same user as the backups.
 
you can use 'proxmox-backup-client change-owner' to change the owner, the option to set this on pull/sync jobs is in the works.
 
For those of you who are confused a bit on this as I was, here is an example:

root@pbs:/# proxmox-backup-client change-owner vm/104 <youruser>@pbs --repository <yourrepository>

the "group" can be seen in the gui under your datastore. My "backup groups" were "vm/104", "vm/105" etc...
My repository name was "002"
 
Thank you for that example, I'll stick to the "hacky" way suggested by oversite as I can easily change owners for all backups at once. But good to have nonetheless!
 
How can I find out the repository? I entered the command on the PBS but only got back an error. For me, the background is that I have switched to 2FA. Of course, I created an API token on the PBS and this one has retained the permissions. In the meantime, I deleted all backups because I believed that these backups were built on the old backups. However, I get the error described above. What can I do?

Thank you.
 
repository is the combination of user/token ID, PBS host and datastore:
USER@REALM@HOST:DATASTORE, e.g. root@pam!sv22-backup01@pbs.example.com:mydatastore. you should find all that information on the PVE side in your storage config entry ;)
 
Do you mean the entries in "/etc/pve/storage.cfg"?

Then by "mydatastore" you mean "backup1" in my case?
I will try it out.
 
The PBS entries in /etc/pve/storage.cfg yes, they are the same you see in the PVE GUI under datacenter/storage. Not the ones you show in the attachment as storage under one node.
 
Probably going to get smacked with a stick for posting this, but I browsed to my proxmox backup server repository (which is a CIFS share on my synology). I drilled down into `vm` folder, then found a file in there called `owner`. I edited this with the name that my PBS is expecting (per the error log) and reloaded the repo. All OK now, backups and restores are working.

I only resorted to this because I thought deleting all the backups from within proxmox would allow me to run my backups again, however what I found was that the VM ID disappeared from the UI in proxmox backup server, and the CLI command failed with an error.

I didn't care too much about historical data, so I tried the above hack-fix.

Code:
# proxmox-backup-client change-owner vm/112 svc-proxmoxbackup@pbs --repository ProxmoxBackup
Error: permission check failed.
 
Wish I can mass change the entire datastore to the new owner in the PBS's WebGUI. Especially if I can do this via namespace.

I can't imagine someone changing hundreds of backup groups one at a time. I'd figured a for loop script may do the trick.

Get a list of your vms and cts

root@pbs:/# proxmox-backup-client list -repository BackupStorage1

Somehow have it parse it so it can use the variable

proxmox-backup-client change-owner %%ct-vm%% pbsbackup@pbs --repository BackupStorage1

Then you're done.
 
Lol, yeah. ChatBot thinks so too; he even lies and invents the seemingly obvious command. Gotta give it credit for trying, I suppose. ;-)
Bash:
root@pbs3:~# proxmox-backup-manager datastore change-owner --datastore main_store --new-owner user@pam
Error: no such command 'change-owner'

Usage:

proxmox-backup-manager datastore create <name> <path> [OPTIONS]
proxmox-backup-manager datastore list [OPTIONS]
proxmox-backup-manager datastore remove <name> [OPTIONS]
proxmox-backup-manager datastore show <name> [OPTIONS]
proxmox-backup-manager datastore update <name> [OPTIONS]
 

Maybe in a future update they'll add this in. Even if it's CLI.
 
OK, it's pretty easy to script. I had chatbot write up a quick BASH loop that iterates over a 'machines.txt' (could easily be automated too) and runs the proxmox-backup-client change-owner command.
Might be a nice thing to have in the GUI unless devs know better.
 
let me necro this with a little script

change path of directory to your datastore
change datastorename and mynamespacename in the path and in the execution line
change newowner

Bash:
#!/bin/bash

# Directory that holds the VM backup groups (adjust the datastore and namespace names)
directory="/mnt/datastore/Datastorename/ns/mynamespacename/vm/"


# Loop through each item in the directory
for item in "$directory"/*; do
  # Check if it's a directory (not a file)
  if [ -d "$item" ]; then
    dir_name="$(basename "$item")"
    proxmox-backup-client change-owner "vm/$dir_name" newowner@pbs --ns "mynamespacename" --repository Datastorename
  fi
done
 
Also necrobumping because this is the thread I found when I had this problem: if you sync from a datastore that you've completely deleted a guest dataset from, there will be an orphaned folder with nothing in it that will cause the backup of a similarly named ct/vm. i.e.: ct/109 folder from a long-gone backup set in /mnt/datastore/datastore-name/ct/109 will cause a new ct/109 backup to fail. You have to go in and manually `rm -rf` those folders to get a new guest to be able to back up.
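
Added example (not from any poster in this thread, and not Proxmox's own tooling): a read-only shell check that walks a datastore directory and reports backup groups whose `owner` file differs from the expected user, plus group folders left with no snapshots, the two conditions described in the posts above. It assumes the on-disk layout `<root>/<type>/<id>/owner` with one subdirectory per snapshot; the function name `audit_owners` and the output labels are made up for illustration.

```shell
#!/bin/bash
# Read-only audit of backup-group ownership in a PBS datastore directory.
# Assumed layout (taken from the posts above): <root>/<type>/<id>/owner, with
# one subdirectory per snapshot. <root> is the datastore path itself or
# <datastore>/ns/<namespace> when namespaces are used.

# audit_owners ROOT EXPECTED_OWNER
# Prints one line per finding:
#   MISMATCH <group> <owner>   owner file names a different user
#   NOOWNER  <group>           group directory has no owner file
#   EMPTY    <group>           group directory holds no snapshot directories
# Returns 0 when nothing was found, 1 otherwise. Nothing is modified.
audit_owners() {
  local root="${1%/}" expected="$2" rc=0 type dir group owner
  for type in vm ct host; do
    for dir in "$root/$type"/*/; do
      [ -d "$dir" ] || continue          # glob matched nothing
      group="$type/$(basename "$dir")"
      # Orphaned group: the folder is still there but no snapshot is left.
      if [ -z "$(find "$dir" -mindepth 1 -maxdepth 1 -type d | head -n 1)" ]; then
        echo "EMPTY $group"; rc=1
      fi
      if [ ! -f "$dir/owner" ]; then
        echo "NOOWNER $group"; rc=1
        continue
      fi
      owner=$(head -n 1 "$dir/owner" | tr -d '[:space:]')
      if [ "$owner" != "$expected" ]; then
        echo "MISMATCH $group $owner"; rc=1
      fi
    done
  done
  return "$rc"
}

# When called with two arguments, run the audit directly, e.g.
#   ./audit-owners.sh /mnt/datastore/<datastore> <youruser>@pbs
if [ "$#" -eq 2 ]; then
  audit_owners "$1" "$2"
fi
```

Groups reported as MISMATCH are the ones to pass to `proxmox-backup-client change-owner`; EMPTY groups are candidates for the manual cleanup described in the last post, after confirming they really hold no snapshots.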