WingDog
Enthusiast
Posts: 57
Liked: 2 times
Joined: Mar 18, 2014 10:52 am
Full Name: Kirill
Contact:

Backup account permissions?

Post by WingDog »

Hello.
I've been using VBR 8 for some time and was totally surprised to get the error
"Failed to finalize guest processing. Details: Failed to process 'TruncateSQLLog' command. Failed to logon user [domain\user] Win32 error:Logon failure: the user has not been granted the requested logon type at this computer. Code: 1385".
While investigating this issue I found a new GPO with some restrictions for this user:
- deny logon locally
- deny RDP logon
It seems to be OK, but it is not.
The account used for AAP must have local logon permission.
Why? Where is the local logon during a VM backup?

I've changed this GPO and now this user can log on locally and backups work fine.
Can anyone explain this?
Shestakov
Veteran
Posts: 7328
Liked: 781 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Backup account permissions?

Post by Shestakov »

Hello Kirill,
What version of VBR are you at? Thanks!

Re: Backup account permissions?

Post by WingDog »

Shestakov wrote: Hello Kirill,
What version of VBR are you at? Thanks!
Hello, Nikita.
8.0.0.2021

Re: Backup account permissions?

Post by Shestakov »

Truncation of SQL logs is done under the user account specified in AAIP in the job settings; in case of failure, GuestHelper tries to truncate transaction logs under the LocalSystem account.

In order to understand why SQL log truncation failed, you need to open the GuestHelper log in the guest VM:
\\GUESTVM\c$\ProgramData\Veeam\Backup\VeeamGuestHelper_%date%.log (for Windows 2008 or higher) and search within the log using the key phrase "Truncate Statistics".
Thanks!

Re: Backup account permissions?

Post by WingDog »

Shestakov wrote: Truncation of SQL logs is done under the user account specified in AAIP in the job settings; in case of failure, GuestHelper tries to truncate transaction logs under the LocalSystem account.

In order to understand why SQL log truncation failed, you need to open the GuestHelper log in the guest VM:
\\GUESTVM\c$\ProgramData\Veeam\Backup\VeeamGuestHelper_%date%.log (for Windows 2008 or higher) and search within the log using the key phrase "Truncate Statistics".
Thanks!

16.06.2015 22:12:14   5452  INFO        RPC: truncation SQL logs.
16.06.2015 22:12:14   5452                  Job UID: '{4265cb25-8a43-4d33-aeb2-fd46426e41ef}'.
16.06.2015 22:12:14   5452                  Login: DOMAIN\USER
16.06.2015 22:12:14   5452                      Truncating SQL logs
16.06.2015 22:12:14   5452                              Enumerating SQL instances
16.06.2015 22:12:14   5452                                  Opening registry path: [SOFTWARE\Microsoft\Microsoft SQL Server]
16.06.2015 22:12:14   5452                                  SQL instance found: [MICROSOFT##SSEE].
16.06.2015 22:12:14   5452                              Enumerating SQL instances. Ok.
16.06.2015 22:12:14   5452                              Enumerating SQL instances
16.06.2015 22:12:14   5452                                  Opening registry path: [SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server]
16.06.2015 22:12:14   5452                                  SQL instance found: [ADK].
16.06.2015 22:12:14   5452                                  SQL instance found: [BKUPEXEC].
16.06.2015 22:12:14   5452                              Enumerating SQL instances. Ok.
16.06.2015 22:12:14   5452                      Truncating SQL logs. Failed.
16.06.2015 22:12:14   5452  INFO        RPC: truncation SQL logs.. Failed.
16.06.2015 22:12:14   5452  ERR     BlobCall() error.
16.06.2015 22:12:14   5452  ERR         Failed to process 'TruncateSQLLog' command.
16.06.2015 22:12:14   5452  ERR         Failed to logon user [DOMAIN\USER]
16.06.2015 22:12:14   5452  ERR         Win32 error:Вход в систему не произведен: выбранный режим входа для данного пользователя на этом компьютере не предусмотрен.
16.06.2015 22:12:14   5452  ERR          Code: 1385
16.06.2015 22:12:19   2964              Waiting while plugins finish its jobs.
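
Added example, not part of any post in this thread and not Veeam's code: a small parser that pulls failed-logon records out of a GuestHelper log by keying on the numeric Win32 code, which stays the same when the message text is localized as in the excerpt above. The line layout is inferred from that excerpt; the function name, the sample lines and the 1326 entry (from winerror.h) are assumptions added here.

```python
import re

# Win32 logon error codes from winerror.h. The numeric code is stable across
# OS display languages; the message text logged next to it is localized.
LOGON_ERRORS = {
    1326: "ERROR_LOGON_FAILURE (unknown user name or bad password)",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED (requested logon type not granted to the user)",
}

# Layout inferred from the excerpt: date, time, thread id, optional level, message.
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(?:(INFO|ERR)\s+)?(.*)$")
FIELDS = {
    "command": re.compile(r"Failed to process '(\w+)' command"),
    "account": re.compile(r"Failed to logon user \[(.+?)\]"),
    "code": re.compile(r"Code:\s*(\d+)"),
}

def logon_failures(log_text):
    """Group consecutive ERR lines per thread; return the groups that report a failed logon."""
    groups, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, thread, level, msg = m.groups()
        if level != "ERR":
            current = None  # any non-error line ends the current error group
            continue
        if current is None or current["thread"] != thread:
            current = {"time": ts, "thread": thread, "command": None, "account": None, "code": None}
            groups.append(current)
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                current[name] = int(hit.group(1)) if name == "code" else hit.group(1)
    for g in groups:
        g["meaning"] = LOGON_ERRORS.get(g["code"], "not a mapped logon error")
    return [g for g in groups if g["account"]]

# Constructed sample modelled on the excerpt (placeholder account and message text).
SAMPLE = r"""
16.06.2015 22:12:14   5452  INFO        RPC: truncation SQL logs.. Failed.
16.06.2015 22:12:14   5452  ERR     BlobCall() error.
16.06.2015 22:12:14   5452  ERR         Failed to process 'TruncateSQLLog' command.
16.06.2015 22:12:14   5452  ERR         Failed to logon user [DOMAIN\USER]
16.06.2015 22:12:14   5452  ERR         Win32 error:<localized message text>
16.06.2015 22:12:14   5452  ERR          Code: 1385
16.06.2015 22:12:19   2964              Waiting while plugins finish its jobs.
"""

if __name__ == "__main__":
    for f in logon_failures(SAMPLE):
        print(f["time"], f["account"], f["command"], f["code"], f["meaning"])
```

A 1385 record points at user rights assignment on the guest (such as the GPO described in the first post), while 1326 points at the credentials themselves.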

Re: Backup account permissions?

Post by Shestakov »

So yes, the problem is a lack of permissions for the user.
And the solution is to give DOMAIN\user permissions on the SQL instance and add the db_backupoperator role for all FULL and BULK databases, or give it the sysadmin role. Thanks!

Re: Backup account permissions?

Post by WingDog »

Shestakov wrote: So yes, the problem is a lack of permissions for the user.
And the solution is to give DOMAIN\user permissions on the SQL instance and add the db_backupoperator role for all FULL and BULK databases, or give it the sysadmin role. Thanks!
Nikita,
There is no problem with SQL permissions because DOMAIN\USER is a member of .\administrators, and the local logon right is totally separate from SQL permissions.

Re: Backup account permissions?

Post by Shestakov »

OK, let's go back to your initial questions.
WingDog wrote: The account used for AAP must have local logon permission.
Why? Where is the local logon during a VM backup?
To back up and truncate newer SQL versions (where nt authority\system doesn't have backup operator's permissions), for authentication purposes Veeam needs to impersonate its components as the backup user to the VM.
That's why you need to have local or sysadmin permissions. Thanks!

Re: Backup account permissions?

Post by WingDog »

Shestakov wrote: OK, let's go back to your initial questions. To back up and truncate newer SQL versions (where nt authority\system doesn't have backup operator's permissions), for authentication purposes Veeam needs to impersonate its components as the backup user to the VM.
That's why you need to have local or sysadmin permissions. Thanks!
Nikita,
OK, I got it - you can't understand me.

Another question:
For security purposes I must deny local logon for backup operators.
How do I configure VBR to work with such limitations?
PTide
Product Manager
Posts: 6408
Liked: 724 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Backup account permissions?

Post by PTide »

Hi,

Could you kindly try to log on with the DOMAIN\user account to your SQL instance and perform a log backup with truncation manually? I just want to make sure that DOMAIN/user has permissions.

Thank you.

Re: Backup account permissions?

Post by Shestakov »

WingDog wrote: Nikita,
OK, I got it - you can't understand me.
Kirill, you can write me a private message in your native language to achieve better understanding.
WingDog wrote: For security purposes I must deny local logon for backup operators.
How do I configure VBR to work with such limitations?
Usually users set "Simple recovery mode" on SQL DBs and "Don't truncate logs" in that case.
Thanks!