Unable to backup to pbs with separate backup user

p-user

I'm using pbs 3.4.5 and have created a datastore PBSStorage including the namespace MailboxBackup

When I start a backup on a vm with the following script it works fine, and the backup ends up in the correct namespace:
#!/bin/sh
export PBS_REPOSITORY=pbs: PBSStorage
export PBS_PASSWORD=MyRootPassword
export PBS_FINGERPRINT=MyServerFingerprint
proxmox-backup-client backup root.pxar:/storage/Mailboxes/MyMailbox/ --ns MailboxBackup


However, since it contains the root password I'm not happy with this, so I created a new user, backup@pbs, which is enabled in Configuration/Access Control.

I created an API token for this user, called BackupToken, and saved the token value.
For the datastore /datastore/PBSStorage/MailBoxBackup I set the permissions to DatastoreBackup for user backup@pbs!BackupToken
Now the script becomes:
#!/bin/sh
export PBS_REPOSITORY=backup@pbs!BackupToken@pbs: PBSStorage
export PBS_PASSWORD=<token value>
export PBS_FINGERPRINT=<Server fingerprint>
proxmox-backup-client backup root.pxar:/storage/Mailboxes/MyMailbox/ --ns MailboxBackup


But the result of the script is now an error:
Error: missing permissions 'Datastore.Backup' on '/datastore/PBSStorage/MailboxBackup'

So, clearly, I am missing something. Any help is appreciated.

Kind regards,
Albert
Note: The space between pbs: PBSStorage should not be there, but it is automatically replaced by :P
 
Hello!

The error you are receiving is telling you that you are missing a permission. Both the backup user and the API token require the same permission. Have you set up the DatastoreBackup permission for both the backup user and the API token in your Proxmox Backup Server?
 
Thanks, I added the DatastoreBackup permission to the backup@pbs user as well, now I get the following error:

root@imaps:~# backup.sh
Starting backup: [MailboxBackup]:host/imaps/2025-08-13T06:39:45Z
Client name: imaps
Starting backup protocol: Wed Aug 13 08:39:45 2025
Error: backup owner check failed (backup@pbs!BackupToken != root@pam)


Still missing something here.

Regards,
Albert
 
they don't necessarily require the same permissions, but the token effectively will only have the subset of permissions that both the token and the users have.

regarding the owner - if you first made a backup as root, the backup group is owned by root. you can change the owner using the client (as root) or over the UI (as root).
 
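The two checks described in the reply above, replayed as a simplified model. This is an added example, not part of the original posts and not Proxmox code: the function names are hypothetical, ACL propagation and other roles are not modelled, and the starting state (group first created by root@pam) is constructed from what the thread reports.

```python
# Simplified model of the two server-side checks seen in this thread.
# Function names are hypothetical; ACL propagation and other roles are not modelled.
ROLES = {"DatastoreBackup": {"Datastore.Backup"}}
PATH = "/datastore/PBSStorage/MailboxBackup"
TOKEN, USER = "backup@pbs!BackupToken", "backup@pbs"

def granted(acl, auth_id, path):
    """Privileges from roles assigned to auth_id on exactly this path."""
    out = set()
    for role in acl.get((path, auth_id), ()):
        out |= ROLES[role]
    return out

def effective(acl, auth_id, path):
    """A token gets only the privileges that both it and its user hold."""
    own = granted(acl, auth_id, path)
    if "!" in auth_id:
        own &= granted(acl, auth_id.split("!", 1)[0], path)
    return own

def owner_ok(owner, auth_id):
    """Owner must match; a user may also use groups owned by its own token."""
    return owner == auth_id or ("!" in owner and owner.split("!", 1)[0] == auth_id)

def try_backup(acl, owners, auth_id, path, group):
    if "Datastore.Backup" not in effective(acl, auth_id, path):
        return f"missing permissions 'Datastore.Backup' on '{path}'"
    owner = owners.setdefault(group, auth_id)  # a new group belongs to its creator
    if not owner_ok(owner, auth_id):
        return f"backup owner check failed ({auth_id} != {owner})"
    return "ok"

def replay():
    """Constructed state: the group was first created by root@pam."""
    owners = {"host/imaps": "root@pam"}
    acl = {(PATH, TOKEN): ["DatastoreBackup"]}   # role on the token only
    r1 = try_backup(acl, owners, TOKEN, PATH, "host/imaps")
    acl[(PATH, USER)] = ["DatastoreBackup"]      # role on the user as well
    r2 = try_backup(acl, owners, TOKEN, PATH, "host/imaps")
    owners["host/imaps"] = TOKEN                 # owner changed by root
    r3 = try_backup(acl, owners, TOKEN, PATH, "host/imaps")
    return [r1, r2, r3]

if __name__ == "__main__":
    for line in replay():
        print(line)
```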
Maybe a stupid question, but the backups are made under the id hosts/imaps (the last being the hostname), is there a way to give it a self defined id?
 
yes, pass "--backup-id whatever" to the client invocation
 