[SOLVED] proxmox-backup-client with user other than root

trigg3r

I'm running proxmox-backup-client directly on Proxmox Backup Server to back up a NAS share mounted via CIFS.

Everything works fine if I run proxmox-backup-client using root user (root@pam@localhost) but this forces me to have to store the root password in an environment variable (PBS_PASSWORD) and I don't like that.

So from the WebUI I created a new user myuser and tried to use it instead of root (myuser@pam@localhost), but I still get the error "Error: Permission check failed" even trying to grant him all the permissions.

Can anyone help me solve this problem? Maybe I need to create a system user with adduser or proxmox-backup-manager user create (the webUI only allows you to create users in the @pbs Realm)?


Thanks for your help.
 
Hi,
please note that you want to distinguish between the user the proxmox-backup-client binary runs as and the user the proxmox-backup-client uses to authenticate to the backup server api. I guess you are referring to issues with the latter, correct?

So from the WebUI I created a new user myuser and tried to use it instead of root (myuser@pam@localhost), but I still get the error "Error: Permission check failed" even trying to grant him all the permissions.

Can anyone help me solve this problem? Maybe I need to create a system user with adduser or proxmox-backup-manager user create (the webUI only allows you to create users in the @pbs Realm)?
If you want to use a user in the pam realm, then yes, you will have to create the user with the linux user tooling. This is however not necessary, as stated above, you can perfectly fine create a user in the realm pbs, which then exists and is managed only in the PBS context. This user will then however be myuser@pbs@localhost, to follow your example. You can use this user to authenticate to the server and set/limit the user's permissions on different datastores.
Further, it is best practice to use API tokens for such automated tasks, also allowing you to further protect accounts by two factor authentication, see https://pbs.proxmox.com/docs/user-management.html#api-tokens

Also, it is not required to store the password/token as environment variable. You can set the PBS_PASSWORD_FILE environment variable to specify a file to read the password/token from, and limit permissions to the user executing the binary itself.
 
Hi Chris. Following your suggestion I set PBS_PASSWORD_FILE and everything works if I insert the user password in the file. But it doesn't work if I insert a token instead of password (the token is associated with the user and has same role/path permissions).

What am I doing wrong?
 
I got it: if the datastore already exists, you need to set the token as owner of the datastore
 
Hi Chris. Following your suggestion I set PBS_PASSWORD_FILE and everything works if I insert the user password in the file. But it doesn't work if I insert a token instead of password (the token is associated with the user and has same role/path permissions).

What am I doing wrong?
If you use a token, you will also have to adapt the repository by adding the token name using the format user@realm!tokenname, for examples see https://pbs.proxmox.com/docs/backup-client.html#backup-repository-locations
 
I got it: if the datastore already exists, you need to set the token as owner of the datastore
You will have to set the correct permissions and roles for the token to operate on the datastore, yes.
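
The setup this thread arrives at, sketched as an added example that is not part of any post above and is not Proxmox's own script: a token ID in the repository string, the secret read through PBS_PASSWORD_FILE from a file only the invoking user can access. The function names, the datastore store1, the token name backup and the file paths are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names, paths and IDs are hypothetical.
#
# One-time setup on the PBS host, as an administrator:
#   proxmox-backup-manager user generate-token myuser@pbs backup
#   proxmox-backup-manager acl update /datastore/store1 DatastoreBackup \
#       --auth-id 'myuser@pbs!backup'
# Existing backup groups created under another identity are handed over with
#   proxmox-backup-client change-owner <group> 'myuser@pbs!backup'

# Compose user@realm!tokenname@host:datastore and reject an ID without a token name.
build_repo() {   # $1 = auth id, $2 = host, $3 = datastore
    case "$1" in
        *@*!?*) ;;
        *) printf 'auth id %s is not user@realm!tokenname\n' "$1" >&2; return 1 ;;
    esac
    printf '%s@%s:%s\n' "$1" "$2" "$3"
}

# Write the token secret from stdin; tighten the mode before any secret lands.
write_secret_file() {   # $1 = path
    ( umask 077 && : > "$1" && chmod 600 "$1" && cat > "$1" )
}

# Refuse a secret file that group or others can access (GNU stat, as on Debian).
check_secret_file() {   # $1 = path
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) printf '%s has mode %s, expected 600\n' "$1" "$mode" >&2; return 1 ;;
    esac
}

# Run the backup with repository and secret passed only to the client process.
run_backup() {   # $1 auth id, $2 host, $3 datastore, $4 secret file, $5 source dir
    repo=$(build_repo "$1" "$2" "$3") || return 1
    check_secret_file "$4" || return 1
    PBS_REPOSITORY="$repo" PBS_PASSWORD_FILE="$4" \
        proxmox-backup-client backup "nas.pxar:$5"
}

# Usage (constructed values):
#   run_backup 'myuser@pbs!backup' localhost store1 /home/backup/.pbs-token /mnt/nas
```

Passing the two variables as a prefix to the command keeps them out of the calling shell's environment, so they are not inherited by unrelated processes started later from the same session.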
 
