IcyAero
Novice
Posts: 3
Liked: never
Joined: Dec 02, 2016 9:44 am
Full Name: Eero Mäensivu

Bug with fetching permissions from Active Directory

Post by IcyAero »

Hi,

We have Veeam Backup & Replication Enterprise Plus 9.0 in our environment and we are also planning to deploy Veeam Endpoint Backup to our Windows users.
Upon setting up a backup repository for Endpoint backups, we came across a "bug" or a feature that's misbehaving.

When assigning permissions to a backup repository to a single user (let's say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and the pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".

Although this may not be a real issue in Backup & Replication, as user permissions will be assigned through Security Groups, this is an issue with Endpoint Backup. When connecting Endpoint Backup to a Veeam Backup & Replication environment, you can choose not to specify your personal credentials. I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials. I believe this is the same issue as with the server, as when I enter the credentials manually (in the format of DOMAIN\tuser, which are also the Windows login credentials) the connection is established successfully.

BR,
-IcyAero
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Bug with fetching permissions from Active Directory

Post by foggy »

IcyAero wrote: When assigning permissions to a backup repository to a single user (let's say Test User) via Active Directory, Veeam Backup & Replication formats the username to DOMAIN\test.user - although the actual account name is test.user@domain.com and the pre-Windows 2000 account name is DOMAIN\tuser. Obviously this leads to an error message of "Account does not exist".
Hi Eero, Veeam B&R requires the account name in DOMAIN\USER format; it is mentioned in the wizard when you're adding a Windows server to the Veeam B&R console.
IcyAero wrote: I believe in this case the client fetches the Windows credentials (ideal situation), but fails to connect to the server with said credentials.
In this case it connects to Veeam B&R using the computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to the repository, you will be able to connect without specifying credentials.

Re: Bug with fetching permissions from Active Directory

Post by IcyAero »

Hi, thank you for your quick reply.
foggy wrote: Hi Eero, Veeam B&R requires the account name in DOMAIN\USER format; it is mentioned in the wizard when you're adding a Windows server to the Veeam B&R console.
My understanding is also that VBR requires the format to be DOMAIN\username. This works as intended when adding Security Groups or Computer objects to the list, but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail-enabled user accounts. This does not happen when adding a service-kind user account.
foggy wrote: In this case it connects to Veeam B&R using the computer account of the server where Veeam Endpoint is installed, so user credentials do not play any role here. If you give the group containing all accounts of Endpoint computers permissions to the repository, you will be able to connect without specifying credentials.
Ah, thank you for this information. As said in the documentation, permissions can be assigned to individual users, computers or security groups. In terms of deployment for a large group of users (including deploying configurations, but that's a subject for another time), it would be easiest to assign a security group containing users a permission to access a repository and allow them to establish a connection automatically with Windows credentials. As most often a computer usually has a single user, but a single user can have multiple computers. Also, when changing account passwords, users most often forget to change them in other applications unless prompted for it - which at this time the Endpoint Backup does not do.

Re: Bug with fetching permissions from Active Directory

Post by foggy »

IcyAero wrote: My understanding is also that VBR requires the format to be DOMAIN\username. This works as intended when adding Security Groups or Computer objects to the list, but not for individual Users. With individual users, VBR formats the name into DOMAIN\firstname.surname instead of DOMAIN\user with mail-enabled user accounts. This does not happen when adding a service-kind user account.
Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).
IcyAero wrote: Also, when changing account passwords, users most often forget to change them in other applications unless prompted for it - which at this time the Endpoint Backup does not do.
Using computer accounts to assign permissions will allow you to prevent such issues.
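
A way to check which DOMAIN\<samAccountname> string a given name actually resolves to before comparing it with what the console shows, as an added example (not Veeam's code and not part of the original posts). `Resolve-DownLevelLogonName` is a hypothetical helper name, the sample names are the ones used in the thread plus a constructed computer account, and the script assumes a domain-joined Windows machine that can reach a domain controller.

```powershell
# Added example, not Veeam code. Resolve-DownLevelLogonName is a hypothetical helper.
# Assumes a domain-joined Windows machine that can reach a domain controller.
function Resolve-DownLevelLogonName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $result = [pscustomobject]@{
            Input          = $Identity
            DownLevelName  = $null    # DOMAIN\sAMAccountName once resolved
            Sid            = $null
            TrailingDollar = $false   # true for computer (and managed service) accounts
            Error          = $null
        }
        try {
            # Name -> SID. The Windows lookup accepts a UPN (user@domain) as well as DOMAIN\name.
            $account = New-Object System.Security.Principal.NTAccount($Identity)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            # SID -> name. The reverse lookup returns the DOMAIN\sAMAccountName form.
            $downLevel = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $result.DownLevelName  = $downLevel
            $result.Sid            = $sid.Value
            $result.TrailingDollar = $downLevel.EndsWith('$')
        }
        catch {
            # Typically IdentityNotMappedException: no account carries this name.
            $result.Error = $_.Exception.GetBaseException().Message
        }
        $result
    }
}

# Names taken from the thread, plus a constructed computer account (PC01$).
'test.user@domain.com', 'DOMAIN\test.user', 'DOMAIN\tuser', 'DOMAIN\PC01$' |
    Resolve-DownLevelLogonName |
    Format-Table Input, DownLevelName, TrailingDollar, Error -AutoSize
```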

Re: Bug with fetching permissions from Active Directory

Post by IcyAero »

foggy wrote: Actually the required format is DOMAIN\<samAccountname>, while some of the accounts can have samAccountname = firstname.surname and others samAccountname = fsurname (or anything else).
In this case my SamAccountName is fuser, not firstname.surname.
foggy wrote: Using computer accounts to assign permissions will allow you to prevent such issues.
Anyway, if this is how Veeam has intended it to be, then that's how it ought to be done. However, as with all things, there are two sides to a sword.
- Using computer accounts would ease the deployment to users, as they do not need to fill in credentials, but it does add up in extra administration with the computer accounts.
- If having to fill in credentials, end-users might miss scheduled backups if they forget to update their passwords (as said, there are no Windows notifications from the client). However, it eases administration when closing a user account -> backups stop automatically as well.

I thank you foggy for answering my questions and ought to be out of your way soon enough :)