Friday, December 27, 2024

network – Is it possible to back up via Time Machine to SMB behind NAT on non-standard ports?


I have a Linux server with an exposed SMB share Backup. It is physically connected to a LAN via a router. A MacBook Pro physically connected to the same LAN via the same router can connect, set up Time Machine and make a backup to this SMB share using the Linux server LAN IP (e.g. 192.168.X.X).

The router also has a WAN address. The ISP blocks 139 and 445 incoming connections on the WAN side so I NATed WAN:tcp:446 to Linux server:tcp:445.

Another MacBook Pro on the internet wants to back up to the same share. It is able to connect to the share as smb://user@WANIP:446 via Finder, then a system prompt appears with user prepopulated, a field for password and a checkbox to save the password to Keychain. After providing the password it successfully connects to the Linux server and exposes the Backup share and I can see, read, edit, delete, create, rename etc. the files and directories on it via Finder.

Then I go to Time Machine setup, Select Disk, it successfully sees the connected share and allows me to choose it, asks for user and password and both are prepopulated. Then it successfully schedules a backup in 120 seconds.

When 120 seconds pass or if I order a manual backup right now it says authorization failed and cannot back up.

After that, I still can do everything with the share in Finder, i.e. it is fully functioning.

tmutil shows everything is alright.

$ tmutil destinationinfo
====================================================
Name          : Backup
Kind          : Network
URL           : smb://user@WANIP:446/Backup
Mount Point   : /Volumes/Backup
ID            : {***GUID***}

logs show these specific errors

$ log show --style syslog  --predicate 'senderImagePath contains[cd] "TimeMachine"' --info
...
2020-05-14 14:46:10.150565+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Trying to mount 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.427385+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.427395+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the proper user or password information might not exist within the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.427414+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Trying to mount alternate URL 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.706242+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for alternate url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.706249+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the proper user or password information might not exist within the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706328+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the proper user or password information might not exist within the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706771+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Backup failed with error 29: There was an issue authenticating with the destination.
2020-05-14 14:46:10.708332+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Pending cancel request cleared.

smb.conf is quite simple

[global]
   use sendfile = yes
   store dos attributes = no
   server services = smb
   mangled names = no
   dos filetimes = no
   workgroup = MYGROUP
   server string = Samba Server
   server role = standalone server
   log file = /dev/stdout
   max log size = 50
   dns proxy = no
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
   create mask = 0660
   force create mode = 0000
   directory mask = 0770
   force directory mode = 0110
   force user = smbuser
   force group = smb
   follow symlinks = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   strict locking = no
   aio read size = 0
   aio write size = 0
   vfs objects = catia fruit streams_xattr
   client ipc max protocol = SMB3
   client ipc min protocol = SMB3_02
   client max protocol = SMB3
   client min protocol = SMB3_02
   server max protocol = SMB3
   server min protocol = SMB3_02
   fruit:delete_empty_adfiles = yes
   fruit:time machine = yes
   fruit:veto_appledouble = no
   fruit:wipe_intentionally_left_blank_rfork = yes

[Backup]
   path = /home/backup
   browsable = yes
   read only = no
   guest ok = no
   veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
   delete veto files = yes

If I only change guest ok = no to yes with no other changes and connect to smb://guest@WANIP:446 instead – backup works (obviously guest rw access via the internet is a bad idea).

If I create a routable (L3, not L2, so SMB broadcasts are not visible) VPN between the MacBook Pro on the internet and the router, leave guest ok = no and connect to smb://user@LANIP:445 with password – backup works (it is much slower over the VPN, unfortunately, that is why I am trying to set it up without).

I am lost – it is not an auth issue as I can connect and do everything via Finder via WANIP with guest ok = no. It is not a privileges issue as I can make a backup via LANIP over VPN with guest ok = no. It seems not to be a NAT issue as I can make a backup via WANIP with guest ok = yes.

I have tried to lower SMB3 requirements to SMB2 – same behaviour. I have tried to remove all the passwords from Keychain and reconnect, change the name of the share, change WANIP (so that there could be no saved settings on the MacBook Pro related to this share) – same behaviour.

What do I miss? Does non-guest access require NATing another port? (I cannot NAT 137-139 as they are blocked by the ISP.)

I would greatly appreciate if you could help me! Thanks in advance.

macOS Catalina 10.15.4 on MacBook Pro 13″ 2018.
Linux kernel 5.1.18.
Samba 4.11.5.
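
An added example, not part of the original post: a small smb.conf check that reports which shares accept guest sessions, useful for confirming that a guest ok = yes test like the one described above has been reverted before the share is reachable from the WAN again. The names parse_smb_conf and guest_exposure are hypothetical, the sample is a constructed excerpt of the posted configuration, and parameter synonyms such as public or writable are not handled.

```python
TRUE = {"yes", "true", "1", "on"}

# Constructed sample: a trimmed copy of the smb.conf in the post.
SAMPLE = """\
[global]
   map to guest = bad user
[Backup]
   read only = no
   guest ok = no
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and extra spaces in parameter names.
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def guest_exposure(text):
    """List shares that accept guest sessions, and how far the access goes."""
    conf = parse_smb_conf(text)
    glob = next((v for k, v in conf.items() if k.lower() == "global"), {})
    findings = []
    for name, share in conf.items():
        if name.lower() == "global":
            continue
        # A share inherits [global] values; Samba's defaults apply otherwise.
        get = lambda key, default: share.get(key, glob.get(key, default)).lower()
        if get("guest ok", "no") not in TRUE:
            continue
        findings.append({
            "share": name,
            "writable": get("read only", "yes") not in TRUE,
            # Anything but "never" turns some failed logins into guest sessions.
            "failed_logins_become_guest": get("map to guest", "never") != "never",
        })
    return findings

if __name__ == "__main__":
    print(guest_exposure(SAMPLE.replace("guest ok = no", "guest ok = yes")))
```

On a live server, run it against the output of testparm -s rather than the raw file so that includes and defaults are already resolved.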
