Bug with fetching permissions from Active Directory

Availability for the Always-On Enterprise

Bug with fetching permissions from Active Directory

Veeam Logoby IcyAero » Fri Dec 02, 2016 10:16 am

Hi,

We have Veeam Backup & Replication Enterprise Plus 9.0 in our environment and we are also planning to deploy Veeam Endpoint Backup to our Windows users.
Upon setting up a backup repository for Endpoint backups, we came across a "bug" or a feature that's misbehaving.

When assigning permissions to a backup repository to a single user (lets say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".

Although this may not be a real issue in the Backup & Replication as user permissions will be assigned through Security Groups, this is an issue with Endpoint Backup. When connecting Endpoint Backup to a Veeam Backup & Replication -environment, you can choose not to specify your personal credentials. I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials. I believe this is the same issue as with the server, as when I enter the credentials manually (in the format of DOMAIN\tuser, which are also the Windows login credentials) the connection is established successfully.

BR,
-IcyAero
IcyAero
Novice
 
Posts: 3
Liked: never
Joined: Fri Dec 02, 2016 9:44 am
Full Name: Eero Mäensivu

Re: Bug with fetching permissions from Active Directory

Veeam Logoby foggy » Fri Dec 02, 2016 1:49 pm

IcyAero wrote:When assigning permissions to a backup repository to a single user (lets say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".

Hi Eero, Veeam B&R requires account name in DOMAIN\USER format, it is mentioned in the wizard when you're adding Windows server to Veeam B&R console.

IcyAero wrote:I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials.

In this case it connects to Veeam B&R using computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to repository, you will be able to connect without specifying credentials.
foggy
Veeam Software
 
Posts: 14742
Liked: 1079 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Bug with fetching permissions from Active Directory

Veeam Logoby IcyAero » Fri Dec 02, 2016 2:25 pm

Hi, thank you for your quick reply.
foggy wrote:Hi Eero, Veeam B&R requires account name in DOMAIN\USER format, it is mentioned in the wizard when you're adding Windows server to Veeam B&R console.

My understanding is also that VBR requires the format to be DOMAIN\username. This works like intended when adding Security Groups or Computer objects to the list but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail enabled user accounts. This does not happen when adding a service-kind user account.

foggy wrote:In this case it connects to Veeam B&R using computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to repository, you will be able to connect without specifying credentials.

Ah, thank you for this information. As said in the documentation, permissions can be assigned to individual users, computers or security groups. In terms of deployment for a large group of users (including deploying configurations, but that's a subject for another time), it would be easiest to assign a security group containing users a permission to access a repository and allow them to establish a connection automatically with Windows credentials. As most often a computer usually has a single user, but a single user can have multiple computers. Also when changing account passwords, users most often forget to change them to other applications unless prompted for it - which at this time the Endpoint Backup does not do.
IcyAero
Novice
 
Posts: 3
Liked: never
Joined: Fri Dec 02, 2016 9:44 am
Full Name: Eero Mäensivu

Re: Bug with fetching permissions from Active Directory

Veeam Logoby foggy » Fri Dec 02, 2016 10:29 pm

IcyAero wrote:My understanding is also that VBR requires the format to be DOMAIN\username. This works like intended when adding Security Groups or Computer objects to the list but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail enabled user accounts. This does not happen when adding a service-kind user account.

Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).

IcyAero wrote:Also when changing account passwords, users most often forget to change them to other applications unless prompted for it - which at this time the Endpoint Backup does not do.

Using computer accounts to assign permissions will allow to prevent such issues.
foggy
Veeam Software
 
Posts: 14742
Liked: 1079 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Bug with fetching permissions from Active Directory

Veeam Logoby IcyAero » Mon Dec 05, 2016 6:21 am

foggy wrote:Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).

In this case my SamAccountName is fuser, not firstname.surname.

foggy wrote:Using computer accounts to assign permissions will allow to prevent such issues.

Anyway, if this is how Veeam has intended it to be then that's it ought to be done. However as with all things, there are two sides to a sword.
- Using computer accounts would ease the deployment to users as they do not need to fill in credentials, but it does add up in extra administration with the computer accounts.
- If having to fill credentials, end-users might miss scheduled backups if they forget to update their passwords (as said there no Windows notifications from the client). However it eases administration when closing user account -> backups stop automatically as well.

I thank you foggy for answering my questions and ought to be out of your way soon enough :)
IcyAero
Novice
 
Posts: 3
Liked: never
Joined: Fri Dec 02, 2016 9:44 am
Full Name: Eero Mäensivu


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 15 guests