backup@pbs != root@pam

[arteck]

install the proxmox-backup-client ..here ok...

then i make a backup with the root@pam user... backup was done .. here ok

i have deleted this back and i have created a user backup

with this user i cant craute a new backup

any idea ??

Starting backup: host/slave01/2020-09-20T19:50:34Z
Client name: slave01
Starting protocol: 2020-09-20T21:50:34+02:00
Error: backup owner check failed (backup@pbs != root@pam)

 

[fabian]

https://bugzilla.proxmox.com/show_bug.cgi?id=2847

you can change the owner manually for now, in the 'owner' file inside the backup group directory

 

[arteck]

works ..fine..THX

 

[Ali-istif]

hi,
we have same problem.What is the command ?please can you give info for the below ?
you can change the owner manually for now, in the 'owner' file inside the backup group directory

 

[fabian]

proxmox-backup-manager change-owner

 

[Ali-istif]

Do we write in proxmox backup server. ?
please can you write all command.

 

[fabian]

Do we write in proxmox backup server. ?
please can you write all command.

sorry, it's in proxmox-backup-client:

$ man proxmox-backup-client
       proxmox-backup-client change-owner <group> <new-owner> [OPTIONS]

       Change owner of a backup group

       <group> <string>
              Backup group.

       <new-owner> <string>
              User ID

       Optional parameters:

       --repository <string>
              Repository URL.

 

[j.io]

@fabian Shame on me, I still don't get it. Got the same problem, some of my CTs / VMs backup straight, others fail with

root@pam != root@pam!pool (pool is my backup storage on the PBS).

I backup from my PVE ===> PBS!pool (encrypted).

I am not using proxmox-backup-client so far (though I did a few days ago to test file level backup, did this break something?).

Maybe you can elaborate on what the error actually is and where it is ... on PVE, on PBS, on the storage pool, the VM / CT configuration ... I am a bit lost.

 

[fabian]

you can see which user/token owns a backup group when you view the datastore content on the PBS side. from the error my guess is that some of those where initially made by the user root@pam, and are thus owned by it as well. you now access the datastore using a token (root@pam!pool), and that can't backup into a group that is owned by the user (the other way round works, if the user is the "owner" of the token). so you need to change the owner of those "failing" (== your client lacks permissions) backup groups to the token with which you want to make the backups, and it should work again.

if you post a full backup log and the storage.cfg entry for your backup storage, it should be clear.

 

[j.io]

On PBS side, there is no log since the job does not fail. It is simply not "there".

On PVE side, the log from the failed backup contains this:

INFO: Starting Backup of VM 108 (qemu)
INFO: Backup started at 2021-04-26 09:09:21
INFO: status = stopped
INFO: backup mode: stop
INFO: ionice priority: 7
INFO: VM Name: XXX
INFO: include disk 'scsi0' 'local-lvm:vm-108-disk-0' 32G
INFO: creating Proxmox Backup Server archive 'vm/108/2021-04-26T07:09:21Z'
INFO: starting kvm to execute backup task
INFO: enabling encryption
ERROR: VM 108 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (root@pam!pool != root@pam)
INFO: aborting backup job
INFO: stopping kvm after backup task
trying to acquire lock...
 OK
ERROR: Backup of VM 108 failed - VM 108 qmp command 'backup' failed - backup connect failed: command error: backup owner check failed (root@pam!pool != root@pam)
INFO: Failed at 2021-04-26 09:09:23

 

[fabian]

the storage.cfg entry that I requested would also help but as I said - you likely just need to change the owner to match how you are accessing the datastore from the PBS side..

 

[j.io]

the storage.cfg entry that I requested would also help but as I said - you likely just need to change the owner to match how you are accessing the datastore from the PBS side..

Sorry, I overread that. What is the path to the storage.cfg?

Yes, I got the concept but would I have to change the owner of the storage pool on PBS side or the owner of the backup on PVE side, or ...?

 

[fabian]

Sorry, I overread that. What is the path to the storage.cfg?

/etc/pve/storage.cfg

Yes, I got the concept but would I have to change the owner of the storage pool on PBS side or the owner of the backup on PVE side, or ...?

each backup group inside a datastore has an owner - either a user, or a token. like I said - you can see (and also change ) it when you browse a datastore's content in the PBS web GUI. you can also use the CLI client: https://pbs.proxmox.com/docs/backup-client.html#changing-the-owner-of-a-backup-group

 

[j.io]

/etc/pve/storage.cfg

$ cat /etc/pve/storage.cfg

pbs: pbs
        datastore pool
        server 10.1.X.X
        content backup
        encryption-key <XXX>
        fingerprint <XXX>
        prune-backups keep-all=1
        username root@pam!pool

each backup group inside a datastore has an owner - either a user, or a token. like I said - you can see (and also change ) it when you browse a datastore's content in the PBS web GUI. you can also use the CLI client: https://pbs.proxmox.com/docs/backup-client.html#changing-the-owner-of-a-backup-group

On PBS, I can click on the user icon and are able to change the owner. I did not know this earlier, so far so good.


But all backups that fail (e.g. vm/109) do not pop up in the GUI ... so the GUI approach on PBS does not help. Changing the owner on PVE also does not work for me, as can be seen below:

root@pve:/etc/pve# proxmox-backup-client change-owner vm/109 root@pam --repository 10.1.X.X
Password for "root@pam": ************************************************************************
Error: error trying to connect: error connecting to https://localhost:8007/ - tcp connect error: Connection refused (os error 111)
root@pve:/etc/pve# proxmox-backup-client change-owner vm/109 root@pam!pool --repository 10.1.X.X
-bash: !pool: event not found
root@pve:/etc/pve#

For password I tried both, the user password as well as the API token.

Wow, I feel so stupid.

 

[fabian]

the following should work:

$ proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'

- '!' is a special character in most shells, so it needs quoting
- the full repository includes a username and a datastore

(the command logs in as 'root@pam' USER, since that is allowed to change the user. the token is lacking permissions, so it also cannot change the owner )

 

[j.io]

the following should work:

$ proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'

- '!' is a special character in most shells, so it needs quoting
- the full repository includes a username and a datastore

(the command logs in as 'root@pam' USER, since that is allowed to change the user. the token is lacking permissions, so it also cannot change the owner )

Okay, so we're getting closer. Thanks so far @fabian!

Still something's wrong.

root@pve:~# proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'
Error: permission check failed.

Same output by the way using:

proxmox-backup-client list <...>

After reboot of PVE:

root@pve:~# proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'
Password for "root@pam": ************************************************************
Error: authentication failed - ticket with bad timestamp: invalid digit found in string

I am using 2FA (authenticator app) ... the CLI does not ask for the 2FA code. Do I have to append it somehow?

Re-running the command let's PVE enter the dead loop (cache?) until reboot:

root@pve:~# proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'
Error: permission check failed.

So it seems to be an authentication error now within PVE ==> PBS with the root@pam user from PBS.

The backups that work have the proper owner, the backups that do not work are not present.


Maybe this is also helpful: I would like to have two different backup jobs:

a) Backup within the PVE on another drive (works)
b) Backup to PBS

The owner for a) would be root@pam on PVE while the owner for b) would be root@pam!pool on PBS. Would they negatively interfere?

 

[fabian]

wrong password?

 

[j.io]

wrong password?

No, see below. I rebooted. In the first try I entered a wrong password ("test"). In the second try my current password for the root@pam user on PBS.

The outputs differ.

root@pve:~# proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'
Password for "root@pam": ****
Error: permission check failed.
root@pve:~# proxmox-backup-client change-owner vm/109 'root@pam!pool' --repository 'root@pam@10.1.X.X:pool'
Password for "root@pam": **********************************************************************************
Error: authentication failed - ticket with bad timestamp: invalid digit found in string

Are you sure it does not expect the TOTP token somehow?

 

[fabian]

your last edit and my reply crossed. yes, the CLI client does not support TFA atm, so you need to change the owner manually on the server side (it's in a file called "owner" inside the backup group directory)

 

[j.io]

your last edit and my reply crossed. yes, the CLI client does not support TFA atm, so you need to change the owner manually on the server side (it's in a file called "owner" inside the backup group directory)

OK, thanks. That worked.

So for everyone else, within the backup directory, there are folder as /vm /ct or /host, depending on the backup type. Within these there are the IDs as /100 /101 etc. and there you find the file "owner" which contains a string of just the owner.

Changing this from root@pam to root@pam!pool did the trick.

@fabian Maybe an empty folder which just contains an owner file and no backup files could be presented in the PBS GUI anyhow. This way, the GUI functionality of changing the owner can be used an the error is more obvious to discover. Just an idea!

Going for a host backup, how do I provide the API key then? (BTW, escaping helps! )

root@pve:~# proxmox-backup-client backup test.pxar:/tank/test/smb/ --repository 'root@pam!pool@10.1.X.X:pool'
Error: error building client for repository root@pam!pool@10.1.X.X:8007:pool - API token secret must be provided!