The support forum

Username/password for network shares

Aug 15, 2014

Release 70 adds an option of entering a network share username and password for shares that require them. This is done via a "key" icon in the location field - https://bvckup2.com/wip/r70-network-logon-2.png

The app always tries to access network location without the username/password first. It's only when it gets a No it will retry with specified credentials.

A couple of caveats -

(1) Windows starts producing all sorts of funny errors if you try to access different shares on the same server under different names. Apparently this is by design and it cannot be helped. The only option is to nuke everything with "net use * /delete" and start from scratch.

(2) Entered password is stored in the backup's .ini file. It is stored in obfuscated form, but as we all know this won't stop a determined attacker from uncovering its original version. So if you require strong password security, you will need to configure your setup so that shares are readily accessible to Bvckup without a password.

wtip :

Feb 05, 2015

I am having issues with this option. After I first run a backup with a network path destination I get a "Error: destination access denied" message. When I do a manual Run backup command a minute after it works fine and is able to login. Subsequent automatic periodic backups work fine until I reboot the system.

2015.02.05 13:24:09.188 (UTC-5) 2 0 Running the backup ...
2015.02.05 13:24:09.188 (UTC-5) 2 1     Preparing ...
2015.02.05 13:24:09.188 (UTC-5) 3 2         Run number: 17
2015.02.05 13:24:09.188 (UTC-5) 3 2         Source: C:\
2015.02.05 13:24:09.188 (UTC-5) 3 2         Destination: \\192.168.1.34\backup\bvckup-C-drive\
2015.02.05 13:24:09.188 (UTC-5) 3 2         Copying: contents, timestamps (modified and created), attributes
2015.02.05 13:24:09.188 (UTC-5) 3 3             Using delta copier
2015.02.05 13:24:09.188 (UTC-5) 2 2         Verifying configuration ...
2015.02.05 13:24:09.188 (UTC-5) 3 3             Normalized src path: \\?\C:\
2015.02.05 13:24:09.188 (UTC-5) 3 3             Normalized dst path: \\?\UNC\192.168.1.34\backup\bvckup-C-drive\
2015.02.05 13:24:09.189 (UTC-5) 2 2         Checking source location ...
2015.02.05 13:24:09.189 (UTC-5) 3 3             OK
2015.02.05 13:24:09.189 (UTC-5) 2 2         Checking destination location ...
2015.02.05 13:24:09.192 (UTC-5) 3 3             Logging in...
2015.02.05 13:24:29.318 (UTC-5) 0 3             Error: destination access denied
2015.02.05 13:24:29.318 (UTC-5) 2 1     Completed in 20 sec with 1 error

It almost seems like the login process is taking too long and the app doesn't wait to get a login success or something. the destination device is a plug computer running debian with samba and an external USB drive.

Alex Pankratov :

Feb 05, 2015

Just checked and there are no timeouts in the network logon code. It issues straight-forward WNetAddConnection2 [1] and then just sits there waiting for it to complete.

Can you see anything relevant in Samba logs on the receiving end?

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413%28v=vs.85%29.aspx

wtip :

Feb 05, 2015

After I reboot my system and Bvckup starts running (not actually running a backup job) and in my samba logs there is a repeating message.

smbd/service.c:616(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (win-backup)

[2015/02/05 18:14:07.443851,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2015/02/05 18:14:07.444866,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


So it looks like bvckup is continuously trying to login as guest and not trying the actual user in the config

wtip :

Feb 05, 2015

It's trying to login as guest while it is idling and shows "Waiting for the destination device". Is there a way to force it to use the login credentials and not try guest login?

wtip :

Feb 05, 2015

I think I have figured out a solution. In the Samba share config settings I changed the "public = no" to "public = yes". My first thought was that this would make my smb share publicly accessible to anyone without a password. However because I only have one  "valid users = myusername" specified, the actual share can only be accessed by the smb user "myusername".

This is the important block from the samba logs that helped me figure this out.

[2015/02/05 21:24:00.988664,  2] smbd/uid.c:256(change_to_user_internal)
  SMB user MyWindowsUser (unix user nobody) not permitted access to share win-backup.
[2015/02/05 21:24:00.989670,  0] smbd/service.c:995(make_connection_snum)
  Can't become connected user!
[2015/02/05 21:24:00.990651,  3] smbd/connection.c:35(yield_connection)
  Yielding connection to win-backup
[2015/02/05 21:24:00.991705,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE

So once the Samba server returns NT_STATUS_LOGON_FAILURE to the client (bvckup2) it knows to authenticate with the saved credentials.
However if you have "public = no" set the samba server will respond with NT_STATUS_ACCESS_DENIED and bvckup will just fail and not try to authenticate with the saved creds.

Alex Pankratov :

Feb 06, 2015

Oh, that's gold. Thanks a lot for the follow-up, I'll add an option to the app to treat "access denied" as "logon required".

chris4beta :

Mar 09, 2015

I'm very impressed with Bvackup, but I find it slightly lacking for my primary use case... backing up to a NAS.

I don't keep a persistent R/W connection to my network shares to help guard against cryptolocker types of malware. The NAS is mostly for archiving so I'm usually connected with read only permissions.

I've provided write credentials to Bvackup, but when it runs it sees there is already a connection (read-only) , and tries to proceed with the backup, which obviously results in a flurry of access denied errors.

It would be nice if there were more control over the network connections, ideally two extra check boxes in the credentials popup:

1. Reconnect if existing connection
Maybe this should be default behavior and not even an option, but basically says use the credentials I provide no matter what existing connection already exists. As a work around I've tried adding "net use * /DELETE /Y" to pre-backup command, but still uses read connection anyway.

2. Disconnect after job finishes
This way I don't have to worry about a lingering connection with elevated permissions after the jobs have run. Work-around: adding post-backup command "net use * /DELETE /Y", but would be useful as an option IMO.

McBride :

Sep 28, 2016

Hello
I have a similar issue as wtip. But my issue goes further, as this is a QNAP with an SMB share. Hard to change anything in the smb.conf file (well you can but it's sort of a hack).

Details are:
Two users, one share, two folders. After a user has been loged in and was backed up, the second user will not be able to log in. Reason, I guess, is the lingering "guest" connection to the QNAP from the previous user. As this is a valid login (according to the connection log of the QNAP), Bvckup2 doesn't force the second backup to use their stored credentials. On the other hand, access to the folder for the "guest" is denied. For some time, the (stupid) Windows machine makes this connection, although "net use" does not show any entries.

Can I force Bvckup2 to make the connection with the gives credentials and drop the previous token?

McBride :

Sep 28, 2016

@ Alex Pankratov
Was the option according to your post from Feb 06, 2015 implemented?

Alex Pankratov :

Sep 28, 2016



It is indeed supported - https://bvckup2.com/wip/05042016-2

In the Network Credentials dialog, click on More and then set top two options accordingly. This is with Release 75 or newer. With older versions it was still possible to set it up, but it needed an INI edit.

McBride :

Sep 28, 2016

Of course I did not see the "More" in the dialogue. Will try the moment I am back home at the machine tonight.

Killer!

McBride :

Sep 28, 2016

Sorry but this is not working. After the first session, the workstation is still hitting the NAS with "guest" logins never the less.

Alex Pankratov :

Sep 28, 2016

Re: https://bvckup2.com/support/forum/topic/625/4517 - so where are you at with this?

McBride :

Sep 29, 2016

At the moment the problem is persistent. Using a workaround at the moment. One user with admin rights backs up both of the folders. Way not ideal. The registry hack is in place, but it did not solve the issue. When I run Bvckup2 in application mode, at least the second user comes on to the NAS. But I think (from what I see) that Bvckup2 is to impatient and does not give the QNAP time to log in the user.

Thing is, that one user is the same on the workstation and NAS (which is the admin) and the other is different, because it's a user that was created on the NAS only. Now what I will try in the evening is, using both users in a similar way. Either NAS local and/or workstation with exact same setup on the NAS. Let's see how that goes.

Will keep you posted.

McBride :

Sep 29, 2016

It really seems that Bvckup2 is too impatient. When I start the job with a user which was created on the NAS, I get logon failure for one and destination access denied for the next. But i can see them moments afterwards hitting the connection log of the NAS.

Is there a way to give Bvckup2 a little time to ponder before a reject, when trying to connect?

Alex Pankratov :

Sep 30, 2016

Not at the moment. There's a fairly straight-forward way for an app to ask Windows to establish a share connection and if it fails, the app doesn't retry (because there's generally no point in retrying in either of your cases).

What you can do is to add "net use ..." as a pre-backup command. This will be execute before the built-in login attempt and it may help prodding the NAS into a more cooperating mode.

Also, if you need a delay after the first prod, you can stick "net use" into a batch file and add a delay there. Oddly enough, Windows doesn't have a `sleep` command, but there's "ping -n 1 -w 1000 1.0.0.0" contraption.

McBride :

Sep 30, 2016

How about "timeout" (from Windows 7 onwards)?
https://technet.microsoft.com/de-de/library/cc754891(v=ws.10).aspx

Alex Pankratov :

Oct 03, 2016

Ha, OK, good to know.

Do you know Windows version of the backtick operator? It's this beaut:

    for /f "usebackq tokens=*" %%x in (`...`) do set x=%%x

instead of

    x=`...`

James_Parker :

Nov 07, 2017

My scenario is:

running with full administrative privileges (so I can use VSS)
backing up to a network share
start automatically on logon

If I run in 'desktop' mode it seems that the program does not start automatically (presumably because it needs an administrator password to start it?)
If I run in 'service' mode access to the network share is denied by the server (presumably because the program is trying to access it as a user without the relevant privileges possessed by both the administrator and the logged on user)

Does anyone know what combination of settings is required to run automatically with full administrative privileges and access a network share.  I do not want to store an 'obfuscated' password for my administrative user in the ini file!

Alex Pankratov :

Nov 07, 2017

presumably because it needs an administrator password to start it?


When running with full admin rights, the program is auto-launched via an at-start Task Scheduler item. If it doesn't auto-start, the first thing to do is to check your antivirus/antimalware/etc. software. It is likely blocked by it. If this doesn't apply, you can uncheck the option, OK the changes, check it back, OK the changes and then see if you have "Bvckup 2" item in Task Scheduler.

what combination of settings


1. You can configure network logon credentials in the app itself. See the very first post in this thread for details.

2. Alternatively, in service mode the Bvckup 2 service runs under "Bvckup 2 Service" user account with randomized password. If you sync these credentials with what you have on remote end, then the engine will be able to access the share.

New topic

Create
Made by Pipemetrics in Switzerland
Support


Follow
Twitter
Dev blog
Miscellanea Press resources
Testimonials
On robocopy
Company
Imprint

Legal Terms
Privacy