Hi Christoph,
Keep in mind that Bacula is a Unix application. The FD is ported to
Windows - I haven't dug through the source code to see if the flags
are listed or not (and a question better asked in the Dev list
although most on that list monitor this list) and since I don't
develop haven't any clue where to start.
With that said, the local system account you've put in charge of
running the file daemon should be run as administrator. If you have
such stringent security that only one user has access to certain
files, then you're pretty much sunk. Unless you run a process with
the credentials of that specific user for those specific files,
there's not much that can be done with Bacula. I'd want to test and
validate the admin can also gain access to those files. That should
give it unfettered access to all files minus those running processes
with file locks. I believe VSS came about in the 2003 products. This
leads me to another thought.
If you have processes that lock files requiring backup, there are two
directives to employ: RunBeforeJob and RunAfterJob (from memory, so
check the docs to be sure.) This will get around any access issues
that are due to file locks.
I'm really interested to learn how you resolve this one. Hope the
info gets you at least a step closer!
Erich
On Mar 21, 2006, at 5:54 AM, [EMAIL PROTECTED] wrote:
Hello Erich,
first, thanks for your answer.
To your suggestion: There is no user called bacula and the files,
which should be backed up, sometimes have permissions set to only
one user. All of them are in the group Domain Users.
The service is running as Local System Account, and SYSTEM has the
"Backup files and directories" privilege in the Domain Controller
Security Policy. But things don't even change if I run the service
with Administrator, which is member of the Backup Operators group.
This should be the same thing as you suggested with a user called
bacula, shouldn't it?
One thing I discovered in the meantime is that SeBackupPrivilege
is listed for the running process (monitored with ProcessExplorer
from Sysinternals), which, as far as I know, has to be requested by
a process if the backup-API is going to be used. It is disabled
from the start of the service until the first backup has been
started. I haven't been successful creating a configuration with
which bacula failed to obtain this privilege, as every user who is
able to start a service on a domain controller seems to be able to
get the privilege. So I don't know if this is really the right
place to look at, but MSDN-library is telling this:
"In most cases, the ability to read and write the security settings
of a file or directory object is restricted to kernel-mode
processes. Clearly, you would not want any user process to be able
to change the ownership or access restriction on your private file
or directory. However, a backup application would not be able to
complete its job of backing up your file if the access restrictions
you have placed on your file or directory does not allow the
application's user-mode process to read it. Backup applications
must be able to override the security settings of file and
directory objects to ensure a complete backup. Similarly, if a
backup application attempts to write a backup copy of your file
over the disk-resident copy, and you explicitly deny write
privileges to the backup application process, the restore operation
cannot complete. In this case also, the backup application must be
able to override the access control settings of your file.
The SE_BACKUP_NAME and SE_RESTORE_NAME access privileges were
specifically created to provide this ability to backup
applications. If these privileges have been granted and enabled in
the access token of the backup application process, it can then
call CreateFile to open your file or directory for backup,
specifying the standard READ_CONTROL access right as the value of
the dwDesiredAccess parameter. However, to identify the calling
process as a backup process, the call to CreateFile must include
the FILE_FLAG_BACKUP_SEMANTICS flag in the dwFlagsAndAttributes
parameter."
Platform SDK tells me that SE_BACKUP_NAME maps to the string
SeBackupPrivilege. So I don't think there is a configuration error
with security settings, but who knows.
Regards
Christoph
Erich Prinz <[EMAIL PROTECTED]>
21.03.2006 02:35
To: [EMAIL PROTECTED]
cc: Bacula-users@lists.sourceforge.net
Subject: Re: [Bacula-users] Windows FD on Win2k Domain Controller
Chris,
Your comment:
I always get 'ERR=Access is denied' if I want to backup files which
can't be accessed with the user account, the backup service is
running with. This should normally work using the windows backup-API.
I want to make sure I'm understanding this correctly. The local
service account (bacula) doesn't have permission to the files.
By default, the fd install isn't going to plop itself into the
Backup Security Group on a domain controller. Consider adding that
user explicitly into the Backup Security Group and test again.
Let everyone know if that works for you,
Erich
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
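
The MSDN passage quoted in the thread names two conditions for a backup-style open: SeBackupPrivilege must be enabled in the process token, and CreateFile must be called with FILE_FLAG_BACKUP_SEMANTICS. The following diagnostic is an added example, not Bacula code and not part of the original messages; it checks both conditions for the account it runs under. The type name Demo.Backup, its two helper methods and the default path are placeholders chosen for this example.

```powershell
# Added diagnostic (not Bacula code). Run it under the same account as the
# File Daemon service. The default $Path is a placeholder for a file whose
# ACL excludes that account.
param([string]$Path = 'C:\path\to\restricted\file')
Add-Type -Namespace Demo -Name Backup -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TokPriv1Luid newState, int len, IntPtr prev, IntPtr retLen);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFile(string name, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);

// Enable SeBackupPrivilege in this process token; returns the Win32 error code.
public static int EnableBackup() {
    IntPtr tok; TokPriv1Luid tp = new TokPriv1Luid();
    tp.Count = 1; tp.Attr = 2;                        // SE_PRIVILEGE_ENABLED
    if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) // ADJUST_PRIVILEGES|QUERY
        return Marshal.GetLastWin32Error();
    int err;
    if (!LookupPrivilegeValue(null, "SeBackupPrivilege", out tp.Luid))
        err = Marshal.GetLastWin32Error();
    else {
        AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        err = Marshal.GetLastWin32Error();            // 1300: privilege not held
    }
    CloseHandle(tok);
    return err;
}
// Open for GENERIC_READ / OPEN_EXISTING; returns 0 or the Win32 error code.
public static int TryOpen(string path, bool backupSemantics) {
    uint flags = backupSemantics ? 0x02000000u : 0u;  // FILE_FLAG_BACKUP_SEMANTICS
    IntPtr h = CreateFile(path, 0x80000000u, 7, IntPtr.Zero, 3, flags, IntPtr.Zero);
    int err = Marshal.GetLastWin32Error();            // 5: Access is denied
    if (h != new IntPtr(-1)) { CloseHandle(h); return 0; }
    return err;
}
'@
"open with flag, before enabling privilege: {0}" -f [Demo.Backup]::TryOpen($Path, $true)
"enable SeBackupPrivilege:                  {0}" -f [Demo.Backup]::EnableBackup()
"open with flag, after enabling privilege:  {0}" -f [Demo.Backup]::TryOpen($Path, $true)
"open without flag, privilege enabled:      {0}" -f [Demo.Backup]::TryOpen($Path, $false)
```

Each line prints a Win32 error code, with 0 meaning success. The privilege stays enabled in that PowerShell process until it exits, so run the script in a fresh session each time.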