Hello Erich,

first, thanks for your answer.

To your suggestion: There is no user called bacula and the files, which should be backed up, sometimes have permissions set to only one user. All of them are in the group Domain Users.

The service is running as Local System Account, and SYSTEM has the "Backup files and directories" privilege in the Domain Controller Security Policy. But things don't even change if I run the service as Administrator, which is a member of the Backup Operators group. This should be the same thing as you suggested with a user called bacula, shouldn't it?

One thing I discovered in the meantime is that SeBackupPrivilege is listed for the running process (monitored with ProcessExplorer from Sysinternals), which, as far as I know, has to be requested by a process if the backup API is going to be used. It is disabled from the start of the service until the first backup has been started. I haven't been successful in creating a configuration with which bacula failed to obtain this privilege, as every user who is able to start a service on a domain controller seems to be able to get the privilege. So I don't know if this is really the right place to look, but the MSDN library says this:

"In most cases, the ability to read and write the security settings of a file or directory object is restricted to kernel-mode processes. Clearly, you would not want any user process to be able to change the ownership or access restriction on your private file or directory. However, a backup application would not be able to complete its job of backing up your file if the access restrictions you have placed on your file or directory does not allow the application's user-mode process to read it. Backup applications must be able to override the security settings of file and directory objects to ensure a complete backup. Similarly, if a backup application attempts to write a backup copy of your file over the disk-resident copy, and you explicitly deny write privileges to the backup application process, the restore operation cannot complete. In this case also, the backup application must be able to override the access control settings of your file.

The SE_BACKUP_NAME and SE_RESTORE_NAME access privileges were specifically created to provide this ability to backup applications. If these privileges have been granted and enabled in the access token of the backup application process, it can then call CreateFile to open your file or directory for backup, specifying the standard READ_CONTROL access right as the value of the dwDesiredAccess parameter. However, to identify the calling process as a backup process, the call to CreateFile must include the FILE_FLAG_BACKUP_SEMANTICS flag in the dwFlagsAndAttributes parameter."

Platform SDK tells me that SE_BACKUP_NAME maps to the string SeBackupPrivilege. So I don't think there is a configuration error with security settings, but who knows.

Regards
Christoph




Erich Prinz <[EMAIL PROTECTED]>
21.03.2006 02:35

To: [EMAIL PROTECTED]
cc: Bacula-users@lists.sourceforge.net
Subject: Re: [Bacula-users] Windows FD on Win2k Domain Controller

Chris,

Your comment:

I always get 'ERR=Access is denied' if I want to back up files which can't be accessed with the user account the backup service is running with. This should normally work using the Windows backup API.

I want to make sure I'm understanding this correctly. The local service account (bacula) doesn't have permission to the files.

By default, the fd install isn't going to plop itself into the Backup Security Group on a domain controller. Consider adding that user explicitly into the Backup Security Group and test again.

Let everyone know if that works for you,

Erich
