BR-NASBackup4NutanixFilesSMB.ps1 run commands with domain user

Question

BR-NASBackup4NutanixFilesSMB.ps1 run commands with domain user

Closed this issue 3 years ago · 6 comments

Is your feature request related to a problem? Please describe.
Our VBR server is for security reasons in a workgroup, our Nutanix Files share is in our Active Directory Domain, the Get-ChildItem commands fails because the VBR service is running with local user privileges.

Describe the solution you'd like
Add parameter for username, the script will lookup the "Windows Credential Manager" for the stored account and uses it to run the commands as different user

Describe alternatives you've considered
Using "Get-VBRCredentials" but the problem is that get-childitem needs PSCredential data type and "Get-VBRCredentials" return CCredential data type.

Additional context
Maybe something like this:

$Cred = Get-StoredCredential -Target "contoso.com\veeam_backup_agent"
Invoke-Command -Session $Cred -Scriptblock { 
	Get-ChildItem....
}

Answer 1 · 2021-09-23T12:07:38.000Z

The SMB file server is added correctly with domain user privileges, I think the problem is only the Get-ChildItem command that should be run with the correct domain user.

Answer 2 · 2021-09-23T12:41:13.000Z

Hi @Verde93,

This issue is called out in the project notes for this script.

As you mentioned, to run the script, Veeam Backup & Replication uses the Service Account under which the Veeam Backup Service is running. The current recommended path would be to allow the service account access to the file share. Note that this will not be possible using the Local System Account. A local user account would need to be used.

Thanks for your suggestion on using the Windows Credential Manager. Please note that, while this is possible, it would add another level of complexity when setting up this script. If you attempt to write this code yourself, please see this stackoverflow post with more information.

Answer 3 · 2021-09-23T12:41:35.000Z

FYI @ronnm-veeam

Answer 4 · 2021-09-23T12:58:31.000Z

Ok, so I need to check if I can saftly store the credentials, the correct code for get-childitem would be something like this

Start-Process Powershell.exe -Credential $cred -ArgumentList '-noprofile -command &{Get-ChildItem ....}'

Thanks for your reply

Answer 5 · 2021-09-23T14:01:03.000Z

I will also check with nutanix, if is possible to get the last snapshot name with an api call...other methods would be to get the last snapshot name and write it in a text file that the powershell script reads...but only makes it more and more complicated

Answer 6 · 2021-09-23T14:28:14.000Z

While it's not any immediate help I can tell you that we're working on a VBR-native solution for Files backup with our upcoming v12 release that will not require any scripting of this nature.