Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Les Mikesell]

On Thu, Jan 14, 2016 at 8:43 AM, Andreas Piening
 wrote:
>
>> Isn't there a specific "Backup Operator" account on windows which has
>> "super" permissions for exactly this reason? I'm not sure if that
>> account will work over samba though?
>>
> At least not by that name, there is for example a „SYSTEM“ user which seems 
> to have access everywhere. It doesn’t have a password and does not show up in 
> the normal users list. Maybe it is possible to „enable“ this user so that the 
> account can be used with CIFS / SMB to get access.
> Does anyone use SMB to backup the whole system drive or the /Users dir? Or is 
> the only real option to install a rsyncd with cygwin or something like that?
> I’m trying to get backups with SMB working since I want to be as less 
> intrusive to the clients as I can. Means: No additional software installed, 
> no additional services. Just crating a share and that’s it.

Backup Operator (and Administrator) are groups you can add to the user
to give additional permissions.  If you are in an Active Directory
environment you would need to join the domain and have domain
credentials, though.   I'd recommend setting up rsync anyway because
it does a better job of tracking renames, changed files with old
timestamps, and deletions.

-- 
   Les Mikesell
 lesmikes...@gmail.com

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Michael Stowe]

On 2016-01-14 15:06, Stefan Peter wrote:
> On 14.01.2016 00:13, Adam Goryachev wrote:
>> On 14/01/16 07:11, Andreas Piening wrote:
>>> I wonder what the easiest / best way is to create a „read everywhere“ 
>>> user on ms windows to create backups with via CIFS / SMBFS.
>>> 
>>> Ideally I would like to run a short .cmd script or do a couple of 
>>> clicks to give a local windows user (let’s assume ‚backuppc‘) full 
>>> read access to everything under c:\Users. Even better with write 
>>> access to be able to restore in place.
>>> I know that I can enable inheritance for permissions in c:\Users and 
>>> overwrite all permissions on subfolders with the current one. But 
>>> this would also enable read for everyone for every user on other 
>>> users profiles which I don’t like. And even this does not work 
>>> everywhere, even not with an administrative account. I need to take 
>>> ownership recursively in order to do that and I don’t want to own 
>>> other users files.
>>> 
>>> Is there a better way?
>> 
>> Isn't there a specific "Backup Operator" account on windows which has
>> "super" permissions for exactly this reason? I'm not sure if that
>> account will work over samba though?
> 
> Additionally, isn't there something like junction points on windows 
> that
> can not be read by an ordinary user? I seem to remember that there have
> been lists floating around on this mailing list with directories to
> exclude for the various windows versions.
> 
> A list of failure messages encountered by you may help, btw.
> 
> With kind regards
> 
> Stefan Peter

There may be some confusion in the difference between what NTFS/Windows 
supports and what is supported through CIFS/Samba and its protocols 
(which, I should note, differs from version to version.)

For example, NTFS supports hard links and soft links -- though hard 
links show up simply as additional copies of the files, and soft links 
only work when using SMB2 or later (you'll get a permission error on 
earlier versions.)

You're probably thinking of directory junctions, which are soft links, 
but newer versions of Windows also came with default directory junctions 
which by default are generally restricted to being opened only by the 
system account and local administrators.  Unlike *nix symbolic directory 
links, a directory junction in Windows can have its own security 
settings (and routinely do, in this case) though a better practice is 
probably to back up the link itself and back up the data from its actual 
location.  (The latter, at least, is possible via samba.)

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Andreas Piening]

> Am 14.01.2016 um 16:44 schrieb Les Mikesell :
> 
> On Thu, Jan 14, 2016 at 8:43 AM, Andreas Piening
>  wrote:
>> 
>>> Isn't there a specific "Backup Operator" account on windows which has
>>> "super" permissions for exactly this reason? I'm not sure if that
>>> account will work over samba though?
>>> 
>> At least not by that name, there is for example a „SYSTEM“ user which seems 
>> to have access everywhere. It doesn’t have a password and does not show up 
>> in the normal users list. Maybe it is possible to „enable“ this user so that 
>> the account can be used with CIFS / SMB to get access.
>> Does anyone use SMB to backup the whole system drive or the /Users dir? Or 
>> is the only real option to install a rsyncd with cygwin or something like 
>> that?
>> I’m trying to get backups with SMB working since I want to be as less 
>> intrusive to the clients as I can. Means: No additional software installed, 
>> no additional services. Just crating a share and that’s it.
> 
> Backup Operator (and Administrator) are groups you can add to the user
> to give additional permissions.  If you are in an Active Directory
> environment you would need to join the domain and have domain
> credentials, though.   I'd recommend setting up rsync anyway because
> it does a better job of tracking renames, changed files with old
> timestamps, and deletions.
> 
> -- 
>   Les Mikesell
> lesmikes...@gmail.com

Oh you’re right, there is such a Group (the name is localized …). I added a 
local user to both groups: Administrator and Backup Operator but when I do a 
backup of a share for the folder c:\Users I still get NT_STATUS_ACCESS_DENIED 
for a lot of subfolders.
This was the case in my test with the Windows 7 Pro machine in a workgroup, and 
again with the same machine added to a AD domain. Same behavior.
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Stefan Peter]

On 14.01.2016 00:13, Adam Goryachev wrote:
> On 14/01/16 07:11, Andreas Piening wrote:
>> I wonder what the easiest / best way is to create a „read everywhere“ user 
>> on ms windows to create backups with via CIFS / SMBFS.
>>
>> Ideally I would like to run a short .cmd script or do a couple of clicks to 
>> give a local windows user (let’s assume ‚backuppc‘) full read access to 
>> everything under c:\Users. Even better with write access to be able to 
>> restore in place.
>> I know that I can enable inheritance for permissions in c:\Users and 
>> overwrite all permissions on subfolders with the current one. But this would 
>> also enable read for everyone for every user on other users profiles which I 
>> don’t like. And even this does not work everywhere, even not with an 
>> administrative account. I need to take ownership recursively in order to do 
>> that and I don’t want to own other users files.
>>
>> Is there a better way?
> 
> Isn't there a specific "Backup Operator" account on windows which has 
> "super" permissions for exactly this reason? I'm not sure if that 
> account will work over samba though?

Additionally, isn't there something like junction points on windows that
can not be read by an ordinary user? I seem to remember that there have
been lists floating around on this mailing list with directories to
exclude for the various windows versions.

A list of failure messages encountered by you may help, btw.

With kind regards

Stefan Peter

-- 
Any technology that does not appear magical is insufficiently advanced.
~ Gregory Benford

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Les Mikesell]

On Thu, Jan 14, 2016 at 12:55 PM, Andreas Piening
 wrote:
>
>>
>> Backup Operator (and Administrator) are groups you can add to the user
>> to give additional permissions.  If you are in an Active Directory
>> environment you would need to join the domain and have domain
>> credentials, though.   I'd recommend setting up rsync anyway because
>> it does a better job of tracking renames, changed files with old
>> timestamps, and deletions.
>>
>
> Oh you’re right, there is such a Group (the name is localized …). I added a 
> local user to both groups: Administrator and Backup Operator but when I do a 
> backup of a share for the folder c:\Users I still get NT_STATUS_ACCESS_DENIED 
> for a lot of subfolders.
> This was the case in my test with the Windows 7 Pro machine in a workgroup, 
> and again with the same machine added to a AD domain. Same behavior.

I don't know enough about windows to help more - and I've had trouble
with that too.   There is a difference between a local user and a
domain user and the corresponding group mappings and there may be a
setting that gives the local admin more access to shares.  Or for the
AD case you have to join the domain from the linux box.   One thing
that might not be obvious is that smbclient and smbtar used by
backuppc will read your /etc/samba/smb.conf file and will pull things
like the domain setting from there.  If you have settings there
intended for shares from the linux box they might not be what you need
as a client.

 In any case you can connect manually with smbclient to check what you
can access faster than waiting for a backup run to hit it.

-- 
   Les Mikesell
lesmikes...@gmail.com

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Andreas Piening]

> Am 14.01.2016 um 00:13 schrieb Adam Goryachev 
> :
> 
> On 14/01/16 07:11, Andreas Piening wrote:
>> I wonder what the easiest / best way is to create a „read everywhere“ user 
>> on ms windows to create backups with via CIFS / SMBFS.
>> 
>> Ideally I would like to run a short .cmd script or do a couple of clicks to 
>> give a local windows user (let’s assume ‚backuppc‘) full read access to 
>> everything under c:\Users. Even better with write access to be able to 
>> restore in place.
>> I know that I can enable inheritance for permissions in c:\Users and 
>> overwrite all permissions on subfolders with the current one. But this would 
>> also enable read for everyone for every user on other users profiles which I 
>> don’t like. And even this does not work everywhere, even not with an 
>> administrative account. I need to take ownership recursively in order to do 
>> that and I don’t want to own other users files.
>> 
>> Is there a better way?
> 
> Isn't there a specific "Backup Operator" account on windows which has 
> "super" permissions for exactly this reason? I'm not sure if that 
> account will work over samba though?
> 
> Regards,
> Adam

At least not by that name, there is for example a „SYSTEM“ user which seems to 
have access everywhere. It doesn’t have a password and does not show up in the 
normal users list. Maybe it is possible to „enable“ this user so that the 
account can be used with CIFS / SMB to get access.
Does anyone use SMB to backup the whole system drive or the /Users dir? Or is 
the only real option to install a rsyncd with cygwin or something like that?
I’m trying to get backups with SMB working since I want to be as less intrusive 
to the clients as I can. Means: No additional software installed, no additional 
services. Just crating a share and that’s it.
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Adam Goryachev]

On 15/01/16 06:12, Les Mikesell wrote:
> On Thu, Jan 14, 2016 at 12:55 PM, Andreas Piening
>  wrote:
>>> Backup Operator (and Administrator) are groups you can add to the user
>>> to give additional permissions.  If you are in an Active Directory
>>> environment you would need to join the domain and have domain
>>> credentials, though.   I'd recommend setting up rsync anyway because
>>> it does a better job of tracking renames, changed files with old
>>> timestamps, and deletions.
>>>
>> Oh you’re right, there is such a Group (the name is localized …). I added a 
>> local user to both groups: Administrator and Backup Operator but when I do a 
>> backup of a share for the folder c:\Users I still get 
>> NT_STATUS_ACCESS_DENIED for a lot of subfolders.
>> This was the case in my test with the Windows 7 Pro machine in a workgroup, 
>> and again with the same machine added to a AD domain. Same behavior.
> I don't know enough about windows to help more - and I've had trouble
> with that too.   There is a difference between a local user and a
> domain user and the corresponding group mappings and there may be a
> setting that gives the local admin more access to shares.  Or for the
> AD case you have to join the domain from the linux box.   One thing
> that might not be obvious is that smbclient and smbtar used by
> backuppc will read your /etc/samba/smb.conf file and will pull things
> like the domain setting from there.  If you have settings there
> intended for shares from the linux box they might not be what you need
> as a client.
>
>   In any case you can connect manually with smbclient to check what you
> can access faster than waiting for a backup run to hit it.
>

Isn't there also the "hidden" shares by default which are supposed to 
provide more access? I think it is C$ by default, which is the full c 
drive

Again, I don't use smb for backups, but I'm hoping this does help you.

Ultimately, you still won't be able to backup open files, so you might 
still want to consider an alternate backup solution which will provide 
better capability to backup all files (eg rsync + vshadow).

Regards,
Adam

-- 
Adam Goryachev Website Managers www.websitemanagers.com.au

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

[BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Andreas Piening]

I wonder what the easiest / best way is to create a „read everywhere“ user on 
ms windows to create backups with via CIFS / SMBFS.

Ideally I would like to run a short .cmd script or do a couple of clicks to 
give a local windows user (let’s assume ‚backuppc‘) full read access to 
everything under c:\Users. Even better with write access to be able to restore 
in place.
I know that I can enable inheritance for permissions in c:\Users and overwrite 
all permissions on subfolders with the current one. But this would also enable 
read for everyone for every user on other users profiles which I don’t like. 
And even this does not work everywhere, even not with an administrative 
account. I need to take ownership recursively in order to do that and I don’t 
want to own other users files.

Is there a better way? 
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/

Re: [BackupPC-users] Creating a "read everywhere" user to backup Windows profiles

[Adam Goryachev]

On 14/01/16 07:11, Andreas Piening wrote:
> I wonder what the easiest / best way is to create a „read everywhere“ user on 
> ms windows to create backups with via CIFS / SMBFS.
>
> Ideally I would like to run a short .cmd script or do a couple of clicks to 
> give a local windows user (let’s assume ‚backuppc‘) full read access to 
> everything under c:\Users. Even better with write access to be able to 
> restore in place.
> I know that I can enable inheritance for permissions in c:\Users and 
> overwrite all permissions on subfolders with the current one. But this would 
> also enable read for everyone for every user on other users profiles which I 
> don’t like. And even this does not work everywhere, even not with an 
> administrative account. I need to take ownership recursively in order to do 
> that and I don’t want to own other users files.
>
> Is there a better way?

Isn't there a specific "Backup Operator" account on windows which has 
"super" permissions for exactly this reason? I'm not sure if that 
account will work over samba though?

Regards,
Adam

-- 
Adam Goryachev Website Managers www.websitemanagers.com.au

--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311=/4140
___
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
List:https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki:http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/