[SOLVED] Cannot create Sync Job (several users need help with remote backups)

gothbert

Apr 3, 2021
Dear all,

I am struggling with configuring an offsite backup from Local PBS to Offsite PBS. This is what I have done so far:

  • Local PBS has Datastore /datastore/nas-backup-1 with fully functional backups.
  • Created user sync-user@pbs and API token sync-user@pbs!token1 on Local PBS.
  • sync-user@pbs!token1 has RemoteSyncOperator role on /datastore/nas-backup-1 on Local PBS.

  • Offsite PBS has Datastore /datastore/nas-backup-1 where to sync to.
  • Created user pbs-user@pbs on Offsite PBS.
  • pbs-user@pbs has DatastoreBackup role on /datastore/nas-backup-1 on Offsite PBS.

  • Created a Remote on Offsite PBS with parameters
    • Remote= pbslocal,
    • Host= FQDN of Local PBS,
    • Auth ID= sync-user@pbs!token1,
    • Password= the secret for sync-user@pbs!token1,
    • Fingerprint= fingerprint of Local PBS.
  • Created a Sync Job on datastore/nas-backup-1 on Offsite PBS with parameters
    • Local Datastore= nas-backup-1,
    • Local Owner= pbs-user@pbs,
    • Source Remote= pbslocal
    • and...
... that is where I get lost. I cannot select a Source Datastore. During various trials with a user instead of the API token for pbsremote, I managed to see a message like Internal Server Error 500 and permission check failed or something like that. The Local PBS is accessible from Remote PBS, though.

What do I need to do to select the Source Datastore and get access to the Local PBS?

Kind regards
Boris
 
I was trying to set up the same today. And I ran into the exact same issue.

Trying to pull a copy of the datastore on the primary pbs to the remote pbs for safe keeping, I can see the connection being established, but when trying to pull the list of datastores from the primary pbs, I only get failure.

After forcing the sync job in on the remote pbs from ssh shell with the 'proxmox-backup-manager sync-job create' command, I do get a sync job, but when manually running it, it fails with an error:
"TASK ERROR: Failed to retrieve backup groups from remote - permission check failed"

Even setting maximum permissions to the user on the primary pbs and connecting from root@pam on the remote pbs to the primary pbs as the user with max permissions still errors out with the same permissions failure.

Sorry Boris, no solution, but at least a confirmation of the situation...
 
> Sorry Boris, no solution, but at least a confirmation of the situation...

Comforting that I am not the only one. Hopefully someone from the Proxmox team will pick this up and either enlighten us on how to do it right or confirm an issue in the current version. Or maybe a user who managed to implement the offsite backup can provide the right hint.
 
Same problem here.
I have a similar setup (users and assigned roles on the datastores) like the OP, but without the tokens.
I could add the remote without a problem, but when I want to add a sync job the list of source datastores stays empty. No error message whatsoever.

> After forcing the sync job in on the remote pbs from ssh shell with the 'proxmox-backup-manager sync-job create' command, I do get a sync job, but when manually running it, it fails with an error:
> "TASK ERROR: Failed to retrieve backup groups from remote - permission check failed"

I tried exactly the same with the same result.


I am a bit curious if we maybe have a mistake (in thinking?) in our users and roles/permissions setup?
 
I was also thinking I might have made a mistake in setting up permissions. That's why I gave full permission to the remote user (on the primary pbs) and set up the sync job as the root user locally (on the secondary pbs). I can't think of a way to give more extensive rights.
I was really hoping for an admin to take an interest in this issue, but not so far...
 
Still holiday season.

Interestingly there is no one with a working remote backup who would like to help.

Changed the title of the thread to grab some attention.
 
sorry for the late answer but this stood out:

> • sync-user@pbs!token1 has RemoteSyncOperator role on /datastore/nas-backup-1 on Local PBS.

the sync user needs at least read permissions on the datastore, else the user is not allowed to even see the datastore (thus no dropdown for the source datastore selector)

'RemoteSyncOperator' is intended for allowing access to a 'remote' configuration (thus on the target pbs)
 
> the sync user needs at least read permissions on the datastore, else the user is not allowed to even see the datastore (thus no dropdown for the source datastore selector)
>
> 'RemoteSyncOperator' is intended for allowing access to a 'remote' configuration (thus on the target pbs)

Thank you for the reply!

With token permission:
1) I deleted the sync-user@pbs!token1 on the Local PBS and started from scratch, assigning sync-user@pbs!token1 the DatastorePowerUser role on datastore/nas-backup-1 (just to be sure, but DatastoreReader would be the appropriate role, I suppose).
2) On the Offsite PBS I recreated the remote with Auth ID= sync-user@pbs!token1.
3) Still no Source Datastore is listed in the combobox in the Add: SyncJob dialog.

With user permission:
4) I continued granting the user sync-user@pbs DatastoreReader permissions on datastore/nas-backup-1,
5) recreated the remote on the Offsite PBS with Auth ID= sync-user@pbs.
6) Adding a SyncJob with the user was possible, the Source Datastore combobox on the Offsite PBS showed the datastore/nas-backup-1 on the Local PBS.
Sync job is currently running.

So this worked finally with user permission but not with token permission.

I turned back to the Local PBS and added another token sync-user@pbs!token4711 and granted Admin role to the token. Interestingly the Show Permission dialog does not show any permissions for the token. This seems to be the root cause for the failed setup with token permission. Am I mistaken regarding the use of token permissions or is there a defect in the software or just PEBKAC?
 
did you give the underlying user also permissions? the token can only have the permissions which the user is given, never more...
 
> did you give the underlying user also permissions? the token can only have the permissions what the user is given, never more...

Well, that explains it all. The user did not have any permissions on the datastore because I did not understand the dependency. I now carefully reread the docs and it actually says "The resulting permission set on a given path is then intersected with that of the corresponding user." about API Token Permissions. That escaped me previously.

I mark this thread as SOLVED.

Thank you for your support!
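
The intersection rule that resolved this thread, modelled as an added Python sketch (it is not Proxmox code and not part of any post above). It replays the three ACL setups tried in the thread. Assumptions: the role-to-privilege table is a simplified subset, ACL entries match on the exact path only (inheritance is not modelled), and `can_pull` treats `Datastore.Read` as the privilege the sync needs.

```python
# Simplified model of how an API token's effective privileges are derived.
# Assumption: reduced role table; see the PBS documentation for the full one.
ROLES = {
    "DatastoreReader": {"Datastore.Audit", "Datastore.Read"},
    "RemoteSyncOperator": {"Remote.Audit", "Remote.Read"},
    # "Admin" here means every privilege known to this model.
    "Admin": {"Datastore.Audit", "Datastore.Read", "Remote.Audit", "Remote.Read"},
}

def privs_on(acl, auth_id, path):
    """Union of privileges granted to auth_id by ACL entries on exactly this path."""
    privs = set()
    for entry_path, entry_id, role in acl:
        if entry_id == auth_id and entry_path == path:
            privs |= ROLES[role]
    return privs

def effective(acl, auth_id, path):
    """Token privileges are intersected with those of the owning user."""
    privs = privs_on(acl, auth_id, path)
    if "!" in auth_id:  # token IDs look like user@realm!tokenname
        owner = auth_id.split("!", 1)[0]
        privs &= privs_on(acl, owner, path)
    return privs

def can_pull(acl, auth_id, path):
    """Assumption: reading the source datastore requires Datastore.Read."""
    return "Datastore.Read" in effective(acl, auth_id, path)

DS = "/datastore/nas-backup-1"
USER, TOKEN = "sync-user@pbs", "sync-user@pbs!token1"

# Constructed ACLs mirroring the configurations described in the thread.
ACL_WRONG_ROLE = [(DS, TOKEN, "RemoteSyncOperator")]
ACL_TOKEN_ONLY = [(DS, "sync-user@pbs!token4711", "Admin")]
ACL_USER_ONLY = [(DS, USER, "DatastoreReader")]
ACL_BOTH = [(DS, USER, "DatastoreReader"), (DS, TOKEN, "DatastoreReader")]

if __name__ == "__main__":
    print("wrong role on token :", can_pull(ACL_WRONG_ROLE, TOKEN, DS))
    print("Admin on token only :", effective(ACL_TOKEN_ONLY, "sync-user@pbs!token4711", DS))
    print("user as Auth ID     :", can_pull(ACL_USER_ONLY, USER, DS))
    print("user + token granted:", can_pull(ACL_BOTH, TOKEN, DS))
```

The second case is the empty "Show Permission" dialog from the thread: a role on the token alone intersects with an empty user set, so granting the token a broader role never helps until the user holds the privilege too.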
 