PBS Server has access to datastore, cluster VMs canNOT. permissions denied

ScottZ.

In the PBS server, I have the datastore pointing to a mounted NFS share and it's working correctly (meaning backup:backup is the owner and it's able to read/write).
However, after I add the PBS storage to the PVE Cluster, when I go to manually back up, I receive an OS13 Permissions error.

I found this helpful article, but it wasn't enough to get over the hurdle.

And before you ask, the .chunks file is chown backup:backup and the user can create/delete files from there.
It's almost like the PVE servers don't pass the backup@pbs to the datastore when trying to backup.

Any help appreciated
 
Check the user/apikeys permissions in pbs. They need to be set for the user, the used apikey based on the user and the datastore.
 
Should I be setting up root@pam or backup@pbs token api keys on the PBS?

Meaning, am I creating an API key for the PVE hosts to connect to the PBS?
 
I would set up a custom user (e.g. pvebackup@pbs) who has only the minimal permissions needed for every task you want to do under it. Afterwards I would create one or more API keys for this user for the PVE hosts. Again, these API keys would just get the most minimal permissions possible, so in case of a hack the damage is limited. See the chapter on ransomware protection in the PBS manual for more information.
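
The setup suggested in the post above, written out as commands for the PBS host (an added example, not code from the thread). The datastore name `store1` and token name `host1` are assumptions. PBS intersects a token's ACLs with those of its user, so the role is granted to both auth IDs; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: least-privilege PBS user plus one API token per PVE host.
# Assumed names (not from the thread): datastore "store1", token "host1".
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them on the PBS host.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_backup_token USER TOKEN DATASTORE
provision_backup_token() {
    user="$1"; token="$2"; store="$3"
    auth_id="${user}!${token}"
    acl_path="/datastore/${store}"

    run proxmox-backup-manager user create "$user" || return 1
    # Prints the token secret once; PVE stores that secret as the password.
    run proxmox-backup-manager user generate-token "$user" "$token" || return 1
    # Effective token rights = token ACLs intersected with the user's ACLs,
    # so an ACL on the token alone still ends in "permission denied".
    run proxmox-backup-manager acl update "$acl_path" DatastoreBackup \
        --auth-id "$user" || return 1
    run proxmox-backup-manager acl update "$acl_path" DatastoreBackup \
        --auth-id "$auth_id" || return 1
    # Show what the token is actually allowed to do on that path.
    run proxmox-backup-manager user permissions "$auth_id" --path "$acl_path"
}

provision_backup_token "${1:-pvebackup@pbs}" "${2:-host1}" "${3:-store1}"
```

On the PVE side, the PBS storage entry then uses `pvebackup@pbs!host1` as its username and the token secret as its password.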
 
Thank you for the reply.

I have read the permissions and I am still having the same problem. When I back up on PVE, I continue to get access denied. This is after I went to users, created an API key per PVE Host (example - 'HOST-1-PVE', 'HOST-2-PVE'). I then went to the access permissions and listed and added the API keys for /datastore/<datastoreid>. Still access denied.

My questions are:
  • Is the PVE Cluster and PBS sharing any credentials or API keys?
    • I ask because when I go to add a user in PVE or PBS, they are completely independent of each other. There is no shared realm between them.
    • PBS only knows of root@pam and backup@pbs
    • PVE only knows of root@pam, but apparently it's not allowed to move across to the root@pam!pbs (for whatever reason)
  • If I am in the cluster, backing up a VM, what username is being used? I see root@pam as the job ID, but it gets access denied.
    • If I go to the PBS server, add root@pam (its own local realm) I receive the same error message.
 
It also appears that I can't import any of those API keys from 1 host or pbs server, so what good does it do me? Some privileges have to be shared, without being dependent on an LDAP/AD solution. But again, backup@pbs only exists on PBS so PVE can't use it and I can't import any token on PVE FROM PBS. So frustrating.
 
  • Is the PVE Cluster and PBS sharing any credentials or API keys?

No. PBS credentials are fully independent from PVE (except if you use something like LDAP).
  • If I am in the cluster, backing up a VM, what username is being used? I see root@pam as the job ID, but it gets access denied.

The username/apikey you used when adding the pbs storage to PVE. I haven't access to my pbs at the moment (will look this evening), but if I recall correctly I used DatastoreBackup and DatastoreAudit permissions for backups. Try whether setting both or only DatastoreBackup makes any difference.
Please provide a screenshot of your pbs permissions tab on the used user/apikey and datastore.

Have you already tried to set up another local datastore on the pbs just for testing?
You could set up a minimal VM or container for this so you don't need much space for this test.
 
Thank you again for the reply. At our company, we use a local storage on our PBS without any issue (not shared storage). This is our first attempt where the client WANTS to back up using NFS mount point (which is the datastore). I have included the ACCESS CONTROL shots of PBS and the PVE cluster.

EDIT: I am worrying about locking down access AFTER we get it working. So that is why I am just using root for now. For reference, the chunks file shows backup:backup as owner and the datastore is mounted using the backup account.

 
I was able to finally get this to work. I followed the URL I originally attached but downloaded the package and ran through the installer. The key step (assuming you are using a Synology) is the part where you dismount the share, map all users as admin (in Synology, as pictured) and delete the .lock file (from the Synology file browser) then remount on PBS.

The big concern I have is what package I downloaded and installed. I am not 100% sure and that doesn't feel safe for production use :/
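
A way to check the ownership side of this from the PBS host, as an added example (not part of the thread and not the package the post mentions): it lists entries in the top two levels of a datastore, including `.lock` and `.chunks`, whose numeric owner is not the `backup` account as the NFS client sees it, then tries a create/delete inside `.chunks`. The datastore path is passed as an argument; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: ownership and write check for a PBS datastore on NFS.

# audit_datastore_owner DATASTORE [UID]
# Lists entries in the top two levels of DATASTORE (root, .lock, .chunks,
# .chunks/XXXX, backup type dirs) whose numeric owner is not UID.
# UID defaults to the local "backup" account.
# Returns 0 if none, 1 if any, 2 if DATASTORE has no .chunks directory.
audit_datastore_owner() {
    ds="$1"
    [ -d "$ds/.chunks" ] || { echo "no .chunks directory under $ds" >&2; return 2; }
    want_uid="${2:-$(id -u backup)}"
    # ls -ldn prints numeric uid/gid, which is what NFS squash rules act on.
    mismatched="$(find "$ds" -maxdepth 2 ! -uid "$want_uid" -exec ls -ldn {} +)"
    [ -z "$mismatched" ] && return 0
    printf 'not owned by uid %s:\n%s\n' "$want_uid" "$mismatched"
    return 1
}

# write_probe DIR: create and delete a file in DIR as the calling user.
write_probe() {
    probe="$1/.write-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Stand-alone use: pass the datastore path as the first argument.
if [ "$#" -ge 1 ]; then
    audit_datastore_owner "$1"
    write_probe "$1/.chunks" && echo "write to $1/.chunks: ok" \
        || echo "write to $1/.chunks: DENIED"
fi
```

Run it as the `backup` user (for instance through `runuser -u backup --`), since that is the account the PBS services use to access the datastore.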
