[SOLVED] proxmox-backup-client with user other than root

trigg3r

I'm running proxmox-backup-client directly on Proxmox Backup Server to back up a NAS share mounted via CIFS.

Everything works fine if I run proxmox-backup-client using root user (root@pam@localhost) but this forces me to have to store the root password in an environment variable (PBS_PASSWORD) and I don't like that.

So from the WebUI I created a new user myuser and tried to use it instead of root (myuser@pam@localhost), but I still get the error "Error: Permission check failed" even trying to grant him all the permissions.

Can anyone help me solve this problem? Maybe I need to create a system user with adduser or proxmox-backup-manager user create (the webUI only allows you to create users in the @pbs Realm)?


Thanks for your help.
 
Hi,
please note that you want to distinguish between the user the proxmox-backup-client binary runs as and the user the proxmox-backup-client uses to authenticate to the backup server api. I guess you are referring to issues with the latter, correct?

So from the WebUI I created a new user myuser and tried to use it instead of root (myuser@pam@localhost), but I still get the error "Error: Permission check failed" even trying to grant him all the permissions.

Can anyone help me solve this problem? Maybe I need to create a system user with adduser or proxmox-backup-manager user create (the webUI only allows you to create users in the @pbs Realm)?
If you want to use a user in the pam realm, then yes, you will have to create the user with the Linux user tooling. This is however not necessary; as stated above, you can perfectly well create a user in the realm pbs, which then exists and is managed only in the PBS context. This user will then however be myuser@pbs@localhost, to follow your example. You can use this user to authenticate to the server and set/limit the user's permissions on different datastores.
Further, it is best practice to use API tokens for such automated tasks, also allowing you to further protect accounts by two factor authentication, see https://pbs.proxmox.com/docs/user-management.html#api-tokens

Also, it is not required to store the password/token as environment variable. You can set the PBS_PASSWORD_FILE environment variable to specify a file to read the password/token from, and limit permissions to the user executing the binary itself.
 
Hi Chris. Following your suggestion I set PBS_PASSWORD_FILE and everything works if I insert the user password in the file. But it doesn't work if I insert a token instead of password (the token is associated with the user and has same role/path permissions).

What am I doing wrong?
 
I got it: if the datastore already exists, you need to set the token as owner of the datastore
 
Hi Chris. Following your suggestion I set PBS_PASSWORD_FILE and everything works if I insert the user password in the file. But it doesn't work if I insert a token instead of password (the token is associated with the user and has same role/path permissions).

What am I doing wrong?
If you use a token, you will also have to adapt the repository by adding the token name using the format user@realm!tokenname, for examples see https://pbs.proxmox.com/docs/backup-client.html#backup-repository-locations
 
I got it: if the datastore already exists, you need to set the token as owner of the datastore
You will have to set the correct permissions and roles for the token to operate on the datastore, yes.
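
The setup discussed in this thread (token secret read via PBS_PASSWORD_FILE, repository in the user@realm!tokenname form) as a small wrapper. This is an added example, not part of the original posts. The token name `backup`, datastore `store1`, secret path and source directory are assumptions, and the wrapper refuses to run if the secret file is readable by anyone but the user running the client.

```shell
#!/bin/sh
# Added example: wrapper around proxmox-backup-client for API-token auth.
# Token name, datastore and paths used below are assumed placeholders.

# Build the repository string for a token: user@realm!tokenname@host:datastore
pbs_token_repo() {
    # $1 user, $2 realm, $3 token name, $4 host, $5 datastore
    printf '%s@%s!%s@%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Succeed only if the secret file is a regular file (not a symlink), owned by
# the calling user, with no group/other permission bits set (e.g. 600 or 400).
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the backup with the secret taken from a file instead of PBS_PASSWORD.
run_backup() {
    # $1 secret file, $2 repository, $3 source directory
    if ! secret_file_ok "$1"; then
        echo "refusing: $1 must be owned by $(id -un) with mode 600 or stricter" >&2
        return 1
    fi
    PBS_PASSWORD_FILE=$1 PBS_REPOSITORY=$2 \
        proxmox-backup-client backup "nas.pxar:$3"
}

# Usage (assumed values):
#   ./pbs-backup.sh /home/backup/.pbs-token \
#       "$(pbs_token_repo myuser pbs backup localhost store1)" /mnt/nas
if [ "$#" -eq 3 ]; then
    run_backup "$@"
fi
```

The file named by PBS_PASSWORD_FILE holds only the token secret; the token name travels in the repository string.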