PBS User with 2FA and token for access from PVE

[f.sennj]

Hello all,

can someone please clarify when I have a PBS root user with 2FA and a make another user with 2FA for whom I create an API Token with role of Datastore Admin will this then work to connect from a PVE? or is the base user for whom the token gets created never allowed to be 2FA enabled?

 

[dcsapak]

not exactly sure about the question, but AFAIU you want to know if the user of a token can have 2FA and still use the token to connect via pve

in short, yes. It does not matter for the token at all if the underlying user has 2FA or not. Just know that the token cannot have more privileges than the underlying user

 

[f.sennj]

thank you - working now as per your explanation. Do you Know how to solve that right problem?
the api user has datastore admin rights.

NFO: starting new backup job: vzdump 101 --notes-template '{{guestname}}' --notification-mode auto --node pve1 --storage PBS --mode snapshot --remove 0
INFO: Starting Backup of VM 101 (lxc)
INFO: Backup started at 2024-02-08 15:29:12
INFO: status = running
INFO: CT Name: monitoring
INFO: including mount point rootfs ('/') in backup
INFO: mode failure - some volumes do not support snapshots
INFO: trying 'suspend' mode instead
INFO: backup mode: suspend
INFO: ionice priority: 7
INFO: CT Name: monitoring
INFO: including mount point rootfs ('/') in backup
INFO: starting first sync /proc/361361/root/ to /var/tmp/vzdumptmp1034101_101
INFO: first sync finished - transferred 2.24G bytes in 8s
INFO: suspending guest
INFO: starting final sync /proc/361361/root/ to /var/tmp/vzdumptmp1034101_101
INFO: final sync finished - transferred 0 bytes in 1s
INFO: resuming guest
INFO: guest is online again after 1 seconds
INFO: creating Proxmox Backup Server archive 'ct/101/2024-02-08T14:29:12Z'
INFO: run: lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client backup --crypt-mode=none pct.conf:/var/tmp/vzdumptmp1034101_101/etc/vzdump/pct.conf root.pxar:/var/tmp/vzdumptmp1034101_101 --include-dev /var/tmp/vzdumptmp1034101_101/. --skip-lost-and-found --exclude=/tmp/?* --exclude=/var/tmp/?* --exclude=/var/run/?*.pid --backup-type ct --backup-id 101 --backup-time 1707402552 --repository pvebackup@pbs!PVE@192.168.201.74:ZFS-Backup
INFO: Starting backup: ct/101/2024-02-08T14:29:12Z
INFO: Client name: pve1
INFO: Starting backup protocol: Thu Feb 8 15:29:21 2024
INFO: Error: backup owner check failed (pvebackup@pbs!PVE != root@pam)
ERROR: Backup of VM 101 failed - command 'lxc-usernsexec -m u:0:100000:65536 -m g:0:100000:65536 -- /usr/bin/proxmox-backup-client backup '--crypt-mode=none' pct.conf:/var/tmp/vzdumptmp1034101_101/etc/vzdump/pct.conf root.pxar:/var/tmp/vzdumptmp1034101_101 --include-dev /var/tmp/vzdumptmp1034101_101/. --skip-lost-and-found '--exclude=/tmp/?*' '--exclude=/var/tmp/?*' '--exclude=/var/run/?*.pid' --backup-type ct --backup-id 101 --backup-time 1707402552 --repository pvebackup@pbs!PVE@192.168.201.74:ZFS-Backup' failed: exit code 255
INFO: Failed at 2024-02-08 15:29:22
INFO: Backup job finished with errors
INFO: skipping disabled target 'mail-to-root'
TASK ERROR: job errors

 

[dcsapak]

INFO: Error: backup owner check failed (pvebackup@pbs!PVE != root@pam)

the backup is already owned by 'root@pam' to fix that you have to go to the pbs web ui and change the owner of the backpu (or via cli)

 

[f.sennj]

thank you found the command then, needed to do multiple times then it worked out..